Please provide your feedback in this short Flings' survey.
A fully supported version of the HTML5 client is released with vSphere 6.5, and the official name will be vSphere Client.  We won't be renaming this Fling, but may start saying things like 'vSphere Client Fling' in addition to the other terms we've used before. Fling features are not guaranteed to be implemented into the product.
Dec 14, 2021

Team,

It seems the Fling is affected by current LOG4J exploit that is being release in last couple of days.

Is there a workaround or new version going to get release to remediate it?

Please suggest
Thanks

Dec 15, 2021

Hello,

Can you elaborate on why you think the Fling is vulnerable to the log4j exploit? The appliance does not package the vulnerable log4j-core bundle or any of its classes.

Thanks

Dec 15, 2021

Hello Plam

during the search on the Appliance we came across the below so thought to confirm;

root@sydvhfsp001 [ ~ ]# find / -name \log4j*
/usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/configuration/org.eclipse.osgi/317/0/.cp/log4j-api-2.11.2.jar
/usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/configuration/org.eclipse.osgi/317/0/.cp/log4j-core-2.11.2.jar
/usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/plugins/log4j-over-slf4j-1.7.22.jar

Thanks

Dec 17, 2021

Interesting, seems like there is a bundle deployed in the runtime that delivers log4j-api and log4j-core. We do not bring those by default with the Fling appliance so my guess is that you have some plugin installed on your setup. Also, considering the location of these jars in the tomcat work dir my guess is that the plugin is bringing the log4j dependencies as inner jars within one of its jars/wars (this applies recursively).

Let's try to find out which is bundle "317" that delivers log4j. Please try running the following:

"grep -R 'log4j-core' /usr/lib/vmware-vsphere-ui/"

and let me know if any jar/war matches.

Dec 19, 2021

Hello Plam

Here is the output

grep -R 'log4j-core' /usr/lib/vmware-vsphere-ui/

Binary file /usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/configuration/org.eclipse.osgi/317/0/.cp/log4j-core-2.11.2.jar matches

Binary file /usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/configuration/org.eclipse.osgi/317/0/bundleFile matches

Binary file /usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/configuration/org.eclipse.osgi/framework.info.3 matches

Could it be possible that entries are coming from PURE Storage plugin that we have got installed?

Thanks

Dec 20, 2021

It's indeed possible. Can you also run "grep -R 'log4j-core' /etc/vmware/vsphere-ui" and share the results?

Dec 20, 2021

It's indeed possible. Can you also run "grep -R 'log4j-core' /etc/vmware/vsphere-ui" and share the results?

Dec 20, 2021

Hello Plam

Here is the output

grep -R 'log4j-core' /etc/vmware/vsphere-ui

Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/com.purestorage.purestoragehtml-
4.3.1.esa matches

Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/com.purestorage.purestoragehtml-4.3.1.zip matches

Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/plugins/purestoragehtml-service.jar matches

It is now clear anyway but I let you comment

Thanks
Shivam

Dec 21, 2021

Right, looks like purestorage plugin version 4.3.1 is indeed bringing log4j-core. Consider upgrading the plugin to a new version (4.4.0+ seems to not have this problem but make sure to double-check). Alternatively, you can remove the plugin from your environment and restart the vsphere-ui service to unload the vulnerable classes from the JVM.

Dec 23, 2021

Thanks Plam for prompt replies.

We have removed PURE Storage plugin from vCenter but it still reports some LOG4J entries, not sure if they are relevant or just dormant entries?

grep -R 'log4j-core' /etc/vmware/vsphere-ui

Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/com.purestorage.purestoragehtml-4.3.1.esa matches

Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/com.purestorage.purestoragehtml-4.3.1.zip matches

Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/plugins/purestoragehtml-service.jar matches

grep -R 'log4j-core' /usr/lib/vmware-vsphere-ui/ - Reports no entries

Thanks

Nov 04, 2021

Is this fling still being developed, or....?

Nov 05, 2021

Currently, there is no plan for a new release. :/

Aug 05, 2021

Has there been any movement on converting the new html5 client to a native app using nw.js or electron, etc.. . This would be useful as it is a better workflow than the html5 website, plus it would allow for better performance. Here is an opensource tool that can do the site conversion to an nw.js app: http://www.mikesdelivery.tk/WebDGap/ or https://scotch.io/tutorials/creating-desktop-applications-with-angularjs-and-github-electron. In addition, with the work vmware is doing with GO lang, there could be an opportunity to create a cross-platform desktop app: https://github.com/go-graphics/go-gui-projects

May 27, 2021

Greetings,
perhaps it's me but it seems that the client is unable to export lists to csv as in the past.
Am I missing something?