VMware vCenter 7 – Log4j Manual Workaround

Curious how to manually apply the log4k workaround to vCenter Server Appliance 7.0 Update 2, 2a, 2b, 2c, 2d, 3, 3a, 3b?

Detailed instructions below!

Official VMware page with the workaround, both manual and automated ones here

vMON Service
1. Backup the existing java-wrapper-vmon file

cp -rfp /usr/lib/vmware-vmon/java-wrapper-vmon /usr/lib/vmware-vmon/java-wrapper-vmon.bak

2. Update the java-wrapper-vmon file with a text editor such as vi

vi /usr/lib/vmware-vmon/java-wrapper-vmon

  1. At the very bottom of the file, replace the very last line with 2 new lines

Original
exec $java_start_bin $jvm_dynargs $security_dynargs $original_args
Updated
log4j_arg=”-Dlog4j2.formatMsgNoLookups=true”
exec $java_start_bin $jvm_dynargs $log4j_arg $security_dynargs $original_args

updated java-wrapper-vmon file

4. Save the file

5. Ensure the file permissions are set correctly with the below commands:

chown root:cis /usr/lib/vmware-vmon/java-wrapper-vmon
chmod 754 /usr/lib/vmware-vmon/java-wrapper-vmon

  1. Restart vCenter Services

service-control –stop –all
service-control –start –all

vMon workaround successfully applied, services stopped and started

Update Manager Service

  1. Back up the existing start.ini file
    cp -rfp /usr/lib/vmware-updatemgr/bin/jetty/start.ini /usr/lib/vmware-updatemgr/bin/jetty/start.ini.bak
  2. Update the start.ini file
    vi /usr/lib/vmware-updatemgr/bin/jetty/start.ini
  3. Add the following line to the end of the file
    -Dlog4j2.formatMsgNoLookups=true
  4. Save the file
  5. Restart the Update Manager Service
    service-control –restart vmware-updatemgr
Update Manager workaround successfully applied

Analytics Service

Back up the log4j-core-2.8.2.jar file
cp -rfp /usr/lib/vmware/common-jars/log4j-core-2.8.2.jar /usr/lib/vmware/common-jars/log4j-core-2.8.2.jar.bak

Run the zip command to disable the class
zip -q -d /usr/lib/vmware/common-jars/log4j-core-2.8.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Restart the Analytics service
service-control –restart vmware-analytics

DBCC Utility

  1. Back up the log4j-core-2.8.2.jar file
    cp /usr/lib/vmware-dbcc/lib/log4j-core-2.8.2.jar /usr/lib/vmware-dbcc/lib/log4j-core-2.8.2.jar.bak
  2. Run the zip command to disable the class
    zip -q -d /usr/lib/vmware-dbcc/lib/log4j-core-2.8.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Note: This command may fail with “zip error: Nothing to do!”. If so, proceed to the verification section to ensure the step was not needed. No service needs to be restarted for DBCC.

Update Manager, Analytics and DBCC services fixed

Verify the changes
Once all sections are complete, use the following steps to confirm if they were implemented successfully.

  1. Verify if the vMon services were started with the new -Dlog4j2.formatMsgNoLookups=true parameter:
    ps auxww | grep formatMsgNoLookups

Check if the processes include -Dlog4j2.formatMsgNoLookups=true

vMon workaround validated
  1. Verify the Update Manager changes are shown under “System Properties” in the output of the following two commands:

cd /usr/lib/vmware-updatemgr/bin/jetty/
java -jar start.jar –list-config

 
System Properties:
——————
 log4j2.formatMsgNoLookups = true (/usr/lib/vmware-updatemgr/bin/jetty/start.ini
)

Update Manager workaround validated

3. Verify the Analytics Service changes:
grep -i jndilookup /usr/lib/vmware/common-jars/log4j-core-2.8.2.jar | wc -l

This should return 0 lines

4. Verify the DBCC Utility changes:
grep -i jndilookup /usr/lib/vmware-dbcc/lib/log4j-core-2.8.2.jar | wc -l

This should return 0 lines

Analytics and DBCC workaround validated

Leave a Reply