If you run VMware vCenter Server, please patch against log4j. Now.

Liam Keegan
6 min read · Dec 19, 2021

Overview

Not to be alarmist, but the ransomware shitheads are already looking for attack vectors to abuse the log4j vulnerability. In most organizations, there is no greater opportunity to royally disrupt your operations (not in a good way) than if the shitheads gain access to your vCenter Server.

Why? Odds are, your vCenter has access to the majority of your on-premises business servers. If you haven’t moved off to the cloud and a shithead gets access to your vCenter, they have direct access to ALL YOUR DATA. From there, they can easily encrypt all your stuff and you’re either paying a ransom or recovering your data from backups.

This is no joke — the good news is the fix takes less than TEN minutes. Ten minutes. Every vCenter Server version is vulnerable from 6.5 onwards, so if you have vCenter, you need to patch.

A Word of Caution

The credentials for your vCenter Server should be highly guarded. If you’re running vCenter — and a lot of people are — it’s absolutely critical that you don’t let these credentials out. Make sure that you keep them guarded, especially if you hire a random firm to do this work for you.

What do I need to patch?

Patching is super simple. You need four things.

  • The IP address (or hostname) of your vCenter Server.
  • The login and password for the vCenter Server (specifically, the root password).
  • (optional) Your SSO master account and password, which you’ll need only if you can’t SSH to the server.
  • An Internet connection (which I’m pretty sure you have, since you’re reading this online).

Ok, how do I patch?

It’s really simple. Let’s do this.

1. If you’re on a PC, you’ll need PuTTY to connect to the vCenter Server. You can download it from here. Most people will need the 64-bit x86 software. If you are a Mac user, you don’t need any software — the built-in Terminal will take care of it.

2. Go to the VMware website. Specifically this link. On the right side of the page, halfway down, you’ll see a link for remove_log4j_class. Download it. It’ll save as a text file named ‘remove_log4j_class.py’.

3. Open your Downloads folder and you’ll see ‘remove_log4j_class.py’. Right click on the file and open the text file in Notepad or TextEdit.

When it’s open, you should see this:

4. Leave the Notepad window open and off to the side. You’ll need to open a connection to the vCenter Server. To do this, we’ll use PuTTY to create a connection using Secure Shell (SSH). Open the putty.exe file from your Downloads folder.

In my example, I put in 10.10.10.10, but that needs to be the IP address or hostname of your vCenter server. Press Open to connect.

You should see a dialog like this asking you to accept the server’s host key. Press Yes.

Then, it’s going to ask you for a username and password.

  • Login as: root
  • Password: <the root password for your vCenter Server>

If you see the Command> prompt, you’re on fire! Type shell. It’ll tell you that ‘Shell access is granted to root’ and put you at a command prompt.

Command> shell
Shell access is granted to root
root@vCenter [~]#

5. It’s time to paste the script into the vCenter server. Go back to Notepad, select Edit -> Select All, then Edit -> Copy. When you Copy the text, make sure it’s highlighted.

6. Go back to your PuTTY window. In the terminal, type the following command:

cat > log4j.py

Now, right click to paste the script into the PuTTY window. You should see the text scroll by pretty quickly.

When the script is done pasting in (this will take a second or two), press Ctrl-D. You’ll be back at the command prompt.

7. Finally, run the script! Enter this command to execute the script.

python3 log4j.py

It will tell you that you need to restart the service. Press ‘y’ to confirm. With the version of the script I ran, you actually had to press ‘y’ even though it showed it as the default.

The script will run for 3–4 minutes, stopping, patching, and then restarting the service. It’ll tell you that you’re good to go!

You can now sleep easy.
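Once the script has run, a cautious admin wants an independent check that no archive on the appliance still contains the JndiLookup class, the class that the log4j 2.x workarounds (remove_log4j_class.py among them) delete from the jars. The following is an added example, not the author’s or VMware’s code: find_unpatched_jars() walks a directory tree and reports every .jar/.war/.ear, including jars nested inside a war, that still carries the class; build_demo_tree() constructs a sample tree of fake jars so it can be tried offline. The class path inside the jar and the archive extensions are assumptions based on stock log4j 2.x packaging.

```python
import io
import os
import tempfile
import zipfile

# Scripts like remove_log4j_class.py delete this class from the jar; if it is still there, the jar is unpatched.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def archive_contains_jndi(data, depth=0):
    """True if the archive bytes contain JndiLookup.class, including in nested jars."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS:
                    return True
                # log4j is often bundled inside a fat jar or war: recurse a few levels
                if depth < 3 and name.lower().endswith(ARCHIVE_EXTS):
                    if archive_contains_jndi(zf.read(name), depth + 1):
                        return True
    except zipfile.BadZipFile:
        pass  # not a zip archive, so nothing to check
    return False

def find_unpatched_jars(root):
    """Walk root and return sorted paths of archives still containing JndiLookup.class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    if archive_contains_jndi(fh.read()):
                        hits.append(path)
    return sorted(hits)

def build_demo_tree():
    """Constructed sample tree: an unpatched jar, a war with a nested unpatched jar, a clean jar."""
    root = tempfile.mkdtemp(prefix="log4jcheck-")
    stub = b"\xca\xfe\xba\xbe"  # placeholder class bytes, just the Java magic number
    with zipfile.ZipFile(os.path.join(root, "log4j-core.jar"), "w") as zf:
        zf.writestr(JNDI_CLASS, stub)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_CLASS, stub)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as zf:
        zf.writestr("org/example/Foo.class", stub)
    return root
```

On the appliance itself, call find_unpatched_jars("/") from the root shell and expect an empty list; any path it prints is an archive the script did not reach.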

Troubleshooting

If you run into trouble, here are some troubleshooting steps.

I can’t SSH to my vCenter.

If you get a message that you can’t connect to your vCenter, you might need to enable the SSH service. To do that, you’ll go to the VMware Appliance Management web page. The address is:

https://your.vcenter.ip.or.hostname:5480

You’ll need the SSO master admin account name and password. It’s usually administrator@vsphere.local, but that might not be your configuration. Check the documentation the installer left you to make sure.

When you log in, look at the Access tab. SSH Login has to be enabled. If not, click the Edit button and tick the box, then repeat the process.

I don’t know my passwords.

This is a harder one and beyond the scope of this article. If you don’t know your passwords, you can reset them, but the process is more involved and carries a risk of data loss.

This article tells you how to reset your root password: https://kb.vmware.com/s/article/2147144

This article tells you how to reset your SSO master password: http://vcloud-lab.com/entries/vcenter-server/how-to-reset-vcenter-server-sso-administrator-vsphere-local-password

If you haven’t done this, or aren’t comfortable doing it yourself, reach out and we can help you.

I’m lost. What questions do I need to ask?

If you have no idea whether you’re running VMware, vCenter, or any of the other terms I outlined in this article, here are the critical questions to ask:

  • Does my organization run VMware vCenter?
  • Has it been patched with the instructions contained at this link? https://kb.vmware.com/s/article/87068
  • If it’s not patched, when can we turn vCenter off until it can be patched?

Seriously, that’s it. Any VMware partner can help you do this, or any system admin that has any basic knowledge of… computers. Seriously.

Want to learn more? Need some help?

Check out my organization (24/7 Networks) on the web, and you can find me on Twitter. We specialize in providing honest, simple and practical IT solutions to mid-sized and large customers. Reach out if you need any assistance.


Liam Keegan

Data center/security/collab hack, CCIE #5026, focusing on automation, programmability, operational efficiency and getting rid of technical debt.