VMware Solutions Discussions

CVE-2021-44228 Apache Log4j Vulnerability in NetApp Products


NetApp's list of affected/not affected products is available here:

CVE-2021-44228 Apache Log4j Vulnerability in NetApp Products | NetApp Product Security


At this moment, here is the list of Affected Products:

  • Brocade SAN Navigator (SANnav)
  • Cloud Manager
  • ONTAP Tools for VMware vSphere
  • SnapCenter Plug-in for VMware vSphere


This is the affected products below:

Affected Products

  • Active IQ Unified Manager for Linux
  • Active IQ Unified Manager for Microsoft Windows
  • Active IQ Unified Manager for VMware vSphere
  • Brocade SAN Navigator (SANnav)
  • Cloud Insights Acquisition Unit
  • Cloud Manager
  • Cloud Secure Agent
  • NetApp SolidFire, Enterprise SDS & HCI Storage Node (Element Software)
  • ONTAP Tools for VMware vSphere
  • OnCommand Insight
  • SnapCenter Plug-in for VMware vSphere

Can anyone confirm if FAS2650 - Release 9.2P1 is part of it? I don't know which product it belongs to.

That's part of:

Clustered Data ONTAP

Which is not affected



I am missing Virtual Storage Console (VSC, VASA Provider, and SRA virtual appliance) from the list.
Does it have a different name on the list?


The new product name is ONTAP Tools for VMware vSphere (at this moment, version 9.8P1, which may or may not have Log4j fixes - you'll have to check).  It's the same product as Virtual Storage Console for VMware vSphere, but with some bug fixes and a better name.  Unfortunately, NetApp didn't sufficiently advertise this change and I kept running the old 9.7 version until I lost five VMs on one of my vVols, likely due to those bugs which have since been addressed.  I have since removed ONTAP Tools for VMware vSphere from my environment because VAAI now provides the Native Snapshots I wanted and I no longer needed vVols.  I also wanted to reduce complexity.


The upgrade from 9.7 to 9.8 was uneventful for me and the new version worked well while I ran it.  If you want to upgrade to 9.8P1, maybe make sure that 9.8P1 is not "older" (by date) than the version you're upgrading from.


As far as the snapcenter plug-in. After completing the workaround that vmware provided for the vcenter 7, my snapcenter would no longer deploy. I implemented the workaround for the snapcenter and the plug in still wont deploy on the snapcenter. Any ideas or suggestions?


 Error deploying plug-in. org.apache.felix.resolver.reason.ReasonException: Unable to resolve /usr/lib/vmware-vsphere-ui/server/work/tmp/8066464305686214632com.netapp.scvm.webclient- missing requirement org.apache.aries.subsystem.core.archive.ImportPackageRequirement: namespace=osgi.wiring.package, attributes={}, directives={filter=(&(osgi.wiring.package=org.springframework.web.servlet.view.velocity)(version>=0.0.0)), resolution=mandatory, uses=javax.servlet,javax.servlet.http,org.apache.velocity,org.apache.velocity.app,org.apache.velocity.context,org.apache.velocity.exception,org.apache.velocity.tools.generic,org.springframework.beans,org.springframework.beans.factory,org.springframework.context,org.springframework.ui.velocity,org.springframework.web.context,org.springframework.web.servlet.view}, resource=/usr/lib/vmware-vsphere-ui/server/work/tmp/8066464305686214632com.netapp.scvm.webclient- org.apache.felix.resolver.Candidates$MissingRequirementError.toException(Candidates.java:1340) org.apache.felix.resolver.Candidates$MissingRequirementError.toException(Candidates.java:1341) org.apache.felix.resolver.ResolverImpl.doResolve(ResolverImpl.java:433) org.apache.felix.resolver.ResolverImpl.resolve(ResolverImpl.java:420) org.apache.felix.resolver.ResolverImpl.resolve(ResolverImpl.java:413)

NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.