How to mitigate Apache log4j on VMware vCenter Appliance

How to mitigate Apache log4j on VMware vCenter Appliance 

CVE-2021-44228 & CVE-2021-45046 has been determined to impact vCenter Server 7.0.x, vCenter 6.7.x & vCenter 6.5.x via the Apache Log4j open source component it ships. 

Currently is no PATCH from VMware site (22.12.2021)

more info about workarounds and patches – VMware VMSA-2021-0028.5 page

Resolution (workaround) 

  • Download the script attached to this KB (
  • Login to the vCSA using an SSH Client
  • enable the bash shell to VCSA – if not you got error message “Received too large SFTP packet”
  • Transfer the file to /tmp folder on vCenter Server Appliance using WinSCP
  • Create backup of your VCSA, at least snapshot
  • Execute the „python

    This will stop all vCenter services, updates all necessary files with the formatMsgNoLookups flag, removes the JndiLookup.class from all jar/war files on the appliance, and finally starts all vCenter services. The files that the script modifies will be reported as the script runs.
  • To verify that no more vulnerable files exist, execute „python -r“ (-r means dryrun)
  • The list of vulnerable files should be zero


Upgrading the vCenter Appliance to an unmitigated version will put the environment into a vulnerable state again. Use the script after upgrading to correct this

UPDATE 1. 2. 2022

VMware vCenter Server 7.0 Update 3c was released, its build 19234570 where Apache log4j is updated to version 2.17 to resolve CVE-2021-44228 and CVE-2021-45046. Please update your VCSA appliance immediately. My best practices is update via VAMI. 

Still waiting for update for VCSA 6.5 and 6.7


(Visited 2 440 times, 1 visits today)

2 komentáře u „How to mitigate Apache log4j on VMware vCenter Appliance

  1. Tomas Kalabis Autor článkuReagovat

    Hi, no its not necessary to disable HA before the execution of the script, because you run the script on the vcsa appliance.

Napsat komentář

Vaše e-mailová adresa nebude zveřejněna. Vyžadované informace jsou označeny *