Dec 14, 2021

Team,

It seems the Fling is affected by the current LOG4J exploit that has been released in the last couple of days.

Is there a workaround, or is a new version going to be released to remediate it?

Please suggest
Thanks

Dec 15, 2021

Hello,

Can you elaborate on why you think the Fling is vulnerable to the log4j exploit? The appliance does not package the vulnerable log4j-core bundle or any of its classes.

Thanks

Dec 15, 2021

Hello Plam

During the search on the Appliance we came across the below, so thought to confirm:

root@sydvhfsp001 [ ~ ]# find / -name \log4j*
/usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/configuration/org.eclipse.osgi/317/0/.cp/log4j-api-2.11.2.jar
/usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/configuration/org.eclipse.osgi/317/0/.cp/log4j-core-2.11.2.jar
/usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/plugins/log4j-over-slf4j-1.7.22.jar

Thanks

Dec 17, 2021

Interesting, seems like there is a bundle deployed in the runtime that delivers log4j-api and log4j-core. We do not bring those by default with the Fling appliance so my guess is that you have some plugin installed on your setup. Also, considering the location of these jars in the tomcat work dir my guess is that the plugin is bringing the log4j dependencies as inner jars within one of its jars/wars (this applies recursively).

Let's try to find out which is bundle "317" that delivers log4j. Please try running the following:

"grep -R 'log4j-core' /usr/lib/vmware-vsphere-ui/"

and let me know if any jar/war matches.
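
The point above about a plugin carrying log4j as inner jars within its own jars/wars, recursively, means a file-name `find` only sees archives that have already been unpacked into the Tomcat work dir. The scanner below is an added example, not code from the Fling or from VMware: it walks a directory, opens every jar/war/zip/esa with Python's zipfile module, descends into archives stored as entries of other archives, and reports each log4j-core it meets with the version read from the artifact's Maven pom.properties (falling back to the file name). The sample package it builds (com.example.plugin-1.0.esa and its contents) is constructed for the demonstration; the real layout is whatever the installed plugin ships. A match tells you which package delivers the dependency, not by itself whether the classes are loaded into the running JVM.

```python
"""Recursive scan for log4j-core inside nested archives (added example)."""
import io
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Archive types worth opening; .esa is the vSphere plugin package seen in this thread.
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip", ".esa")
# Matches ".../log4j-core-<version>.jar" either on disk or as a zip entry name.
LOG4J_CORE_RE = re.compile(r"(^|/)log4j-core-([0-9][^/]*?)\.jar$")
# Maven drops this file into every log4j-core jar; it carries the exact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _version_from_pom(zf):
    """Return the version from log4j-core's pom.properties, or None if absent."""
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def _inspect(zf, chain, findings):
    """Record zf if it is log4j-core, then recurse into any archive entries it holds."""
    version = _version_from_pom(zf)
    if version is None:
        match = LOG4J_CORE_RE.search(chain[-1])
        version = match.group(2) if match else None
    if version is not None:
        findings.append((" -> ".join(chain), version))
    for name in zf.namelist():
        if not name.lower().endswith(ARCHIVE_SUFFIXES):
            continue
        try:
            inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
        except zipfile.BadZipFile:
            continue  # an entry with a jar-like name that is not a zip
        with inner:
            _inspect(inner, chain + [name], findings)


def scan_path(root):
    """Scan a file or directory tree; return [(location chain, version), ...]."""
    root = Path(root)
    files = [root] if root.is_file() else sorted(p for p in root.rglob("*") if p.is_file())
    findings = []
    for path in files:
        if path.suffix.lower() not in ARCHIVE_SUFFIXES:
            continue
        try:
            zf = zipfile.ZipFile(path)
        except zipfile.BadZipFile:
            continue
        with zf:
            _inspect(zf, [path.as_posix()], findings)
    return findings


def _zip_bytes(entries):
    """Build an in-memory zip from {name: bytes}; only used to construct sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(base):
    """Constructed sample: a hypothetical plugin package nesting log4j-core three levels deep."""
    base = Path(base)
    pkg = base / "vc-packages" / "com.example.plugin-1.0"
    pkg.mkdir(parents=True, exist_ok=True)
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic, enough for the demonstration
    core = _zip_bytes({POM_PROPS: b"artifactId=log4j-core\nversion=2.11.2\n",
                       "org/apache/logging/log4j/core/Core.class": fake_class})
    api = _zip_bytes({"org/apache/logging/log4j/LogManager.class": fake_class})
    service = _zip_bytes({"lib/log4j-core-2.11.2.jar": core, "lib/log4j-api-2.11.2.jar": api})
    esa = _zip_bytes({"plugins/example-service.jar": service, "manifest.txt": b"constructed"})
    (pkg / "com.example.plugin-1.0.esa").write_bytes(esa)
    # A bridge jar with "log4j" in its name but no log4j-core artifact: must not be reported.
    (base / "log4j-over-slf4j-1.7.22.jar").write_bytes(
        _zip_bytes({"org/apache/log4j/Logger.class": fake_class}))
    return base


def scan_sample():
    """Build the constructed tree in a temp dir and scan it."""
    return scan_path(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    results = scan_path(sys.argv[1]) if len(sys.argv) > 1 else scan_sample()
    for location, version in results:
        print(f"log4j-core {version}: {location}")
```

Run it with a directory such as /etc/vmware/vsphere-ui to list every package that nests log4j-core, or with no argument to scan the constructed sample, which reports the one jar at com.example.plugin-1.0.esa -> plugins/example-service.jar -> lib/log4j-core-2.11.2.jar and ignores log4j-api and log4j-over-slf4j.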

Dec 19, 2021

Hello Plam

Here is the output

grep -R 'log4j-core' /usr/lib/vmware-vsphere-ui/

Binary file /usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/configuration/org.eclipse.osgi/317/0/.cp/log4j-core-2.11.2.jar matches

Binary file /usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/configuration/org.eclipse.osgi/317/0/bundleFile matches

Binary file /usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/configuration/org.eclipse.osgi/framework.info.3 matches

Could it be possible that entries are coming from PURE Storage plugin that we have got installed?

Thanks

Dec 20, 2021

It's indeed possible. Can you also run "grep -R 'log4j-core' /etc/vmware/vsphere-ui" and share the results?

Dec 20, 2021

Hello Plam

Here is the output

grep -R 'log4j-core' /etc/vmware/vsphere-ui

Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/com.purestorage.purestoragehtml-4.3.1.esa matches

Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/com.purestorage.purestoragehtml-4.3.1.zip matches

Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/plugins/purestoragehtml-service.jar matches

It is now clear anyway, but I'll let you comment.

Thanks
Shivam

Dec 21, 2021

Right, looks like purestorage plugin version 4.3.1 is indeed bringing log4j-core. Consider upgrading the plugin to a new version (4.4.0+ seems to not have this problem but make sure to double-check). Alternatively, you can remove the plugin from your environment and restart the vsphere-ui service to unload the vulnerable classes from the JVM.

Dec 23, 2021

Thanks Plam for prompt replies.

We have removed the PURE Storage plugin from vCenter, but it still reports some LOG4J entries; not sure if they are relevant or just dormant entries?

grep -R 'log4j-core' /etc/vmware/vsphere-ui

Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/com.purestorage.purestoragehtml-4.3.1.esa matches

Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/com.purestorage.purestoragehtml-4.3.1.zip matches

Binary file /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/com.purestorage.purestoragehtml-4.3.1/plugins/purestoragehtml-service.jar matches

grep -R 'log4j-core' /usr/lib/vmware-vsphere-ui/ - Reports no entries

Thanks