Apache Log4j Vulnerability VMSA-2021-0028 Workaround

In this short blog, we will attempt to apply a workaround to fix the Apache Log4j vulnerability. As of today, there is no perm fix but there is a workaround available as per VMware so we are going to apply that and see what happens. The script will take around 10 mins so be patient.

Prerequisites

At a high level, the process to apply the fix is as below

• Remove vCHA
• Environments with external PSCs need to have the script executed on both vCenter and PSC appliances.
• Run Python script to automate the workaround
• Wait for services to come back online
• Reboot the vCenter
• Add vCHA back if needed

Python script to automate the workaround steps of VMSA-2021-0028. All Services will be restarted by the script to mitigate the VMSA

• Download the python script from VMware portal and copy it to /tmp path on the vCenter Appliance.
• Execute the script using the command “python /tmp/vmsa-2021-0028-kb87081.py” as shown. The script will reboot all vCenter services and apply the workaround

Workflow of service restarts

After 10 mins, the script will have finished its job and we can see the workaround is thus applied.

Appliance/Services View

Services view shows vpxd taking longer than usual

vmware-vpxd service not starting (83113)

References

VMSA-2021-0028.3 Impacted Products