VMware Solutions Discussions

CVE-2021-44228 Apache Log4j Vulnerability in NetApp Products

Blissitt
4,875 Views

NetApp's list of affected/not affected products is available here:

CVE-2021-44228 Apache Log4j Vulnerability in NetApp Products | NetApp Product Security

 

At this moment, here is the list of Affected Products:

  • Brocade SAN Navigator (SANnav)
  • Cloud Manager
  • ONTAP Tools for VMware vSphere
  • SnapCenter Plug-in for VMware vSphere
6 REPLIES 6

IA-joesmith
4,771 Views

As far as the snapcenter plug-in. After completing the workaround that vmware provided for the vcenter 7, my snapcenter would no longer deploy. I implemented the workaround for the snapcenter and the plug in still wont deploy on the snapcenter. Any ideas or suggestions?

 

 Error deploying plug-in. org.apache.felix.resolver.reason.ReasonException: Unable to resolve /usr/lib/vmware-vsphere-ui/server/work/tmp/8066464305686214632com.netapp.scvm.webclient-4.5.0.6025788.esa/scvm_webui_service.jar: missing requirement org.apache.aries.subsystem.core.archive.ImportPackageRequirement: namespace=osgi.wiring.package, attributes={}, directives={filter=(&(osgi.wiring.package=org.springframework.web.servlet.view.velocity)(version>=0.0.0)), resolution=mandatory, uses=javax.servlet,javax.servlet.http,org.apache.velocity,org.apache.velocity.app,org.apache.velocity.context,org.apache.velocity.exception,org.apache.velocity.tools.generic,org.springframework.beans,org.springframework.beans.factory,org.springframework.context,org.springframework.ui.velocity,org.springframework.web.context,org.springframework.web.servlet.view}, resource=/usr/lib/vmware-vsphere-ui/server/work/tmp/8066464305686214632com.netapp.scvm.webclient-4.5.0.6025788.esa/scvm_webui_service.jar org.apache.felix.resolver.Candidates$MissingRequirementError.toException(Candidates.java:1340) org.apache.felix.resolver.Candidates$MissingRequirementError.toException(Candidates.java:1341) org.apache.felix.resolver.ResolverImpl.doResolve(ResolverImpl.java:433) org.apache.felix.resolver.ResolverImpl.resolve(ResolverImpl.java:420) org.apache.felix.resolver.ResolverImpl.resolve(ResolverImpl.java:413)

vcon
4,740 Views

I am missing Virtual Storage Console (VSC, VASA Provider, and SRA virtual appliance) from the list.
Does it have a different name on the list?

Blissitt
4,737 Views

The new product name is ONTAP Tools for VMware vSphere (at this moment, version 9.8P1, which may or may not have Log4j fixes - you'll have to check).  It's the same product as Virtual Storage Console for VMware vSphere, but with some bug fixes and a better name.  Unfortunately, NetApp didn't sufficiently advertise this change and I kept running the old 9.7 version until I lost five VMs on one of my vVols, likely due to those bugs which have since been addressed.  I have since removed ONTAP Tools for VMware vSphere from my environment because VAAI now provides the Native Snapshots I wanted and I no longer needed vVols.  I also wanted to reduce complexity.

 

The upgrade from 9.7 to 9.8 was uneventful for me and the new version worked well while I ran it.  If you want to upgrade to 9.8P1, maybe make sure that 9.8P1 is not "older" (by date) than the version you're upgrading from.

jcj112516
4,054 Views

This is the affected products below:

Affected Products

  • Active IQ Unified Manager for Linux
  • Active IQ Unified Manager for Microsoft Windows
  • Active IQ Unified Manager for VMware vSphere
  • Brocade SAN Navigator (SANnav)
  • Cloud Insights Acquisition Unit
  • Cloud Manager
  • Cloud Secure Agent
  • NetApp SolidFire, Enterprise SDS & HCI Storage Node (Element Software)
  • ONTAP Tools for VMware vSphere
  • OnCommand Insight
  • SnapCenter Plug-in for VMware vSphere

Can anyone confirm if FAS2650 - Release 9.2P1 is part of it? I don't know which product it belongs to.

bretta
4,028 Views

That's part of:

Clustered Data ONTAP

Which is not affected

 

Public