The workarounds are slightly differently implemented for each VMware product, but they were initially mostly based on adding the option '-Dlog4j2.formatMsgNoLookups=true' to the Log4j configuration, but has since been updated to instead delete or disable the vulnerable component. The remaining workarounds can be found in the VMSA-2021-0028 main article, which is updated as new products/patches/workarounds get added. VCenter Server for Windows (which I hope you are not still running) also has a workaround released: VMware KB #87096 Note that the workaround needs to be re-run to also cover CVE-2021-45046! Download and run the updated script if you haven't already done it.įor vCenter Server, there is a Python script available that automates the workaround changes: VMware KB #87088 (VCSA only). The workaround for vCenter Server is available at: VMware KB #87081. The 7.0 patches are included in 7.0 U3c (7.0.3 build 19193900), which also includes additional security patches for cURL, Tomcat, OpenSSL etc. Since there are patches released for vCenter Server Appliance 7.0, but if you are still on 6.5 or 6.7 you need to perform the workarounds described below.
Step 2 - vCenter ServerĪfter that, proceed with the rest of your VMware systems running Log4j: vCenter Server, WS1 Access / Identity Manager, Log Insight, etc. The workaround has to be implemented on all agents, including the master image(s) used for cloning. Workaround for Horizon Server: VMware KB #87073Īfter securing the internet-accessible servers, follow the instructions above and implement the patch/workaround for the remaining Horizon server(s) and then the Horizon agents. If you can't upgrade, implement the latest workarounds: Workaround for UAG: VMware KB #87092. Upgrade to the following versions, if you can: Consider cutting them off from the internet, both for incoming and outgoing traffic, until the patch/workaround is fully implemented. Identify which UAG or Horizon components are reachable from the internet, and start with those.
(Update, 15:30 CET: Added information about vCenter Server 7.0 patches being released) Step 1 - VMware Horizon/UAG
(Update, 10:30 CET: Added information about Horizon patches being released, and the updated information about vCenter patching) (Update, 17:00 CET: Added information about a workaround for vCenter Server) (Update, 21:00 CET: Workaround for UAG has just been announced, see link below)
0 kommentar(er)
