Team,
It seems the Fling is affected by the current LOG4J exploit that has been released in the last couple of days.
Is there a workaround, or is a new version going to be released to remediate it?
Please suggest
Thanks
Hello,
Can you elaborate on why you think the Fling is vulnerable to the log4j exploit? The appliance does not package the vulnerable log4j-core bundle or any of its classes.
Thanks
Hello Plam
During the search on the appliance we came across the below, so thought to confirm:
root@sydvhfsp001 [ ~ ]# find / -name \log4j*
/usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/configuration/org.eclipse.osgi/317/0/.cp/log4j-api-2.11.2.jar
/usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/configuration/org.eclipse.osgi/317/0/.cp/log4j-core-2.11.2.jar
/usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/plugins/log4j-over-slf4j-1.7.22.jar
Thanks
Interesting, seems like there is a bundle deployed in the runtime that delivers log4j-api and log4j-core. We do not bring those by default with the Fling appliance so my guess is that you have some plugin installed on your setup. Also, considering the location of these jars in the tomcat work dir my guess is that the plugin is bringing the log4j dependencies as inner jars within one of its jars/wars (this applies recursively).
Let's try to find out which is bundle "317" that delivers log4j. Please try running the following:
"grep -R 'log4j-core' /usr/lib/vmware-vsphere-ui/"
and let me know if any jar/war matches.
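A recursive grep only tells you that the string occurs somewhere in a binary, and the log4j-core jar can sit inside a plugin's own jar, war, zip or .esa package. The following is an added example (not code from the Fling or from this thread) that walks a directory, opens every zip-based archive recursively and reports log4j-core jars and the JndiLookup class with their full nesting path; the plugin package name com.example.plugin-1.0.zip and the placeholder class bytes are constructed for the demo.

```python
import io, os, re, tempfile, zipfile

# Zip-based containers to descend into; .esa is the vSphere plugin package format seen above.
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip", ".esa")
LOG4J_CORE_RE = re.compile(r"log4j-core-(\d+\.\d+\.\d+)\.jar$")
# Listed with its full nesting path so an operator can see which plugin package delivers it.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def scan_archive(data, path, findings):
    """Walk an in-memory zip recursively, appending (nested_path, note) tuples."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip or truncated: skip it rather than abort the whole scan
    with zf:
        for name in zf.namelist():
            nested = path + "!" + name  # outer.zip!inner.jar!entry
            m = LOG4J_CORE_RE.search(name)
            if m:
                findings.append((nested, "log4j-core " + m.group(1)))
            if name == JNDI_CLASS:
                findings.append((nested, "JndiLookup.class present"))
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(name), nested, findings)

def scan_tree(root):
    """Scan every archive under root (e.g. /etc/vmware/vsphere-ui); return findings in walk order."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            p = os.path.join(dirpath, f)
            m = LOG4J_CORE_RE.search(f)
            if m:  # a log4j-core jar sitting directly on disk, as in the find output above
                findings.append((p, "log4j-core " + m.group(1)))
            if f.lower().endswith(ARCHIVE_EXTS):
                with open(p, "rb") as fh:
                    scan_archive(fh.read(), p, findings)
    return findings

def run_demo():
    """Constructed fixture: plugin zip -> service jar -> log4j-core jar -> JndiLookup.class."""
    core, svc = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes, not a real class
    with zipfile.ZipFile(svc, "w") as z:
        z.writestr("lib/log4j-core-2.11.2.jar", core.getvalue())
    with tempfile.TemporaryDirectory() as root:
        with zipfile.ZipFile(os.path.join(root, "com.example.plugin-1.0.zip"), "w") as z:
            z.writestr("plugins/plugin-service.jar", svc.getvalue())
        return scan_tree(root)
```

On the appliance you would call scan_tree('/etc/vmware/vsphere-ui') and scan_tree('/usr/lib/vmware-vsphere-ui'): a hit under vc-packages shows which plugin package ships the jar, while a hit under the Catalina work directory shows it was actually unpacked into the runtime.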
Hello Plam
Here is the output
grep -R 'log4j-core' /usr/lib/vmware-vsphere-ui/
Binary file /usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/configuration/org.eclipse.osgi/317/0/.cp/log4j-core-2.11.2.jar matches
Binary file /usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/configuration/org.eclipse.osgi/317/0/bundleFile matches
Binary file /usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/configuration/org.eclipse.osgi/framework.info.3 matches
Could it be possible that entries are coming from PURE Storage plugin that we have got installed?
Thanks
It's indeed possible. Can you also run "grep -R 'log4j-core' /etc/vmware/vsphere-ui" and share the results?
Hello Plam
Here is the output
grep -R 'log4j-core' /etc/vmware/vsphere-ui
Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/com.purestorage.purestoragehtml-4.3.1.esa matches
Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/com.purestorage.purestoragehtml-4.3.1.zip matches
Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/plugins/purestoragehtml-service.jar matches
It is now clear anyway, but I'll let you comment.
Thanks
Shivam
Right, looks like purestorage plugin version 4.3.1 is indeed bringing log4j-core. Consider upgrading the plugin to a new version (4.4.0+ seems to not have this problem but make sure to double-check). Alternatively, you can remove the plugin from your environment and restart the vsphere-ui service to unload the vulnerable classes from the JVM.
Thanks Plam for prompt replies.
We have removed PURE Storage plugin from vCenter but it still reports some LOG4J entries, not sure if they are relevant or just dormant entries?
grep -R 'log4j-core' /etc/vmware/vsphere-ui
Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/com.purestorage.purestoragehtml-4.3.1.esa matches
Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/com.purestorage.purestoragehtml-4.3.1.zip matches
Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/plugins/purestoragehtml-service.jar matches
grep -R 'log4j-core' /usr/lib/vmware-vsphere-ui/ - Reports no entries
Thanks
Has there been any movement on converting the new html5 client to a native app using nw.js or electron, etc.. . This would be useful as it is a better workflow than the html5 website, plus it would allow for better performance. Here is an opensource tool that can do the site conversion to an nw.js app: http://www.mikesdelivery.tk/WebDGap/ or https://scotch.io/tutorials/creating-desktop-applications-with-angularjs-and-github-electron. In addition, with the work vmware is doing with GO lang, there could be an opportunity to create a cross-platform desktop app: https://github.com/go-graphics/go-gui-projects