Security

VMware vCenter Server Log4j patch script remediation process

VMware vCenter Server Log4j patch script remediation process. How to run the Python script needed to remediate vCenter Log4j vulnerability

In case you haven’t heard, Apache Log4j is arguably the biggest vulnerability found across the board since Spectre/Meltdown vulnerabilities were disclosed, due to the sheer scope of the vulnerability. It is found everywhere and unfortunately, is found across a large swath of VMware solutions, including VMware vCenter Server. Let’s take a look at VMware vCenter Server Log4j patch script remediation process and see how you can remediate your vCenter Server.

***Update*** The screenshots below show the script as vmsa-2021-0028-kb87081.py. This has been superceded by the vc_log4j_mitigator script. However, the process to run the script is the same.

VMware vCenter Server Log4j patch script remediation process

The great thing about VMware is they have been extremely transparent on all the solutions where the vulnerability is found and the workaround or patches (if these exist) with links to relevant KB articles. You can find the link to all of these in my blog post initially covering the Log4j vulnerability and is VMware affected.

Since vCenter Server is a critical part of the vSphere infrastructure, getting it patched is extremely important. However, at this time, an official patched version of vCenter Server has not been released as of yet. Unfortunately, the manual process to remediate the Log4j vulnerability in vCenter Server is nasty and involves editing many low-level files in vCenter Server.

You can see the full list of files that need to be changed in the official VMware KB 87081 here:

Thankfully, a Python script has been written that automates the process to remediate your vCenter Server from the Log4j vulnerability.

VMware vCenter Log4j workaround Python script

Since there is no official patch for vCenter Server as of yet, we will need to rely on the workaround that is found in the VMware KB article. The Python script makes the process a whole lot easier than it would be with the manual edits, and also helps to ensure these edits are performed correctly and consistently.

First, to download the Python script, check out the official link to the KB here:

The steps are simple:

  1. Download the script
  2. Upload the script to your vCenter Server appliance
  3. Run the Python script

1. Download the script

Visit the official link, linked above to download the Python script. You will need to save this locally on your client and then upload to your vCenter Server.

2. Upload the script to your vCenter Server appliance

You will want to use SSH or a GUI tool like WinSCP to upload the Python script to your vCenter Server appliance. The KB article mentions you can upload to the /tmp directory. However, I simply used the root home directory as this directly has much less “noise” than the /tmp directory.

Upload the Log4j Python script to your vCenter Server
Upload the Log4j Python script to your vCenter Server

3. Run the Python script

Once you have the script uploaded, the last step is to simply run the Python script on your VCSA appliance. To do that, use the command:

python vc_log4j_mitigator.py

You will see a request to restart services on your VCSA.

Run the python script and verify services restart
Run the python script and verify services restart

Below, you see the initial python command to run the script, the prompt to restart services, and the output as the script runs through remediating your vCenter Server appliance.

The VCSA Log4j patch remediation workaround Python script finishes successfully
The VCSA Log4j patch remediation workaround Python script finishes successfully

After the VMware vCenter Server Log4j patch script remediation process, I didn’t see any ill effects on the lab vCenter Server used to test. Again, the Python script makes the remediation process much easier than the manual edits required for implementing the Log4j remediation manually.

Video showing the Log4j patch remediation process for vCenter Server

Wrapping Up

The Log4j vulnerability and remediation process is a continually evolving situation and VMware is definitely helping customers to get their environments remediated quickly. While official patches are yet to be released across the vCenter Server landscape, these are no doubt coming soon. It is great to know though that we have a remediation process to mitigate the vulnerability in the meantime. Stay tuned for further updates and information on the Log4j saga.

Subscribe to VirtualizationHowto via Email 🔔

Enter your email address to subscribe to this blog and receive notifications of new posts by email.



Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, He has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don't have to.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.