Security scans of the vCenter Appliance erroneously show log4j-1.2.12rsa-1.jar as vulnerable.


Article ID: 318735


Products

VMware vCenter Server

Issue/Introduction

Symptoms:
A security scanner may identify log4j-1.2.12rsa-1.jar as a vulnerable version of log4j installed on a vCenter appliance.

Environment

VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

RSA SDK version 8.6 is shipped with vCenter to enable users to log in with an RSA SecurID token. log4j-1.2.12rsa-1.jar is bundled as part of this third-party SDK and cannot be modified by VMware.

Resolution

RSA has stated there are no known exploitable vulnerabilities in log4j-1.2.12rsa-1.jar. If the file must still be removed from the environment, see the workaround below.

 

Workaround

Before beginning, download the correct version of the remove_rsa_jars script that corresponds to the vCenter Server build.

  • remove_rsa_jars_80: vCenter Server 8.0.0.1 (GA) - current
  • remove_rsa_jars_70p09: vCenter Server 7.0.02000 (U3q) - current
  • remove_rsa_jars_70p06: vCenter Server 7.0.01100 (U3i) - 7.0.01800 (U3p)

 

In the steps below, the script for vCenter 8.0 is used.

      1. Take a snapshot of the vCenter VM.

      2. Download the attached script from this article and upload it to the /tmp folder of the vCenter Server appliance.

      3. If the SCP client's connection to upload to the vCenter is rejected, run this from an SSH session to the vCenter:

      chsh -s /bin/bash

      4. Connect to the vCenter Server appliance with an SSH session if a connection has been established as per Step 2.

      5. Navigate to the /tmp directory:

      cd /tmp

      6. Run chmod +x remove_rsa_jars_80.sh to make the file executable.

      7. Run ./remove_rsa_jars_80.sh



Additional Information

VMware announced the deprecation of RSA SecurID in vCenter 7.0 U2. These files will be removed in a future version of vCenter when RSA SecurID support is also removed.

Impact/Risks:

While there are no known exploitable vulnerabilities in these jars, they can be removed to prevent further detection by scans.

Warning: These scripts interact with libraries on vCenter Servers' file system. Take an offline snapshot concurrently for all vCenter Servers in the SSO domain before running the script. Failing to do so may result in an unrecoverable error and require redeploying vCenter Server.

Notes:

  • Scripts should be run on each vCenter server that is failing security scans.
  • There will be a short downtime while the VC services are restarted.
  • Scripts will need to be re-run after any upgrades.
  • RSA SecurID logins will cease to function and will not be able to be configured afterwards.
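
A check to run after step 7, and again after each upgrade since the notes say the script must be re-run, to confirm whether any copy of the jar remains on the file system. This is an added example, not part of the attached remove_rsa_jars scripts or any VMware tooling; the function names are hypothetical and the search root defaults to /.

```shell
#!/bin/sh
# Added example (not VMware's script): report every remaining copy of the
# jar named in this article, for use after the removal script and upgrades.

JAR_NAME='log4j-1.2.12rsa-1.jar'   # file name taken from the article

# list_rsa_log4j [ROOT]: print "sha256  path" for each copy under ROOT.
# /proc and /sys are pruned; errors from unreadable paths are discarded.
list_rsa_log4j() {
    find "${1:-/}" \( -path /proc -o -path /sys \) -prune -o \
        -type f -name "$JAR_NAME" -exec sha256sum {} + 2>/dev/null
}

# count_rsa_log4j [ROOT]: print the number of copies found.
count_rsa_log4j() {
    list_rsa_log4j "${1:-/}" | wc -l | tr -d ' '
}

# check_rsa_log4j_removed [ROOT]: return 0 if no copy remains, 1 otherwise.
check_rsa_log4j_removed() {
    remaining=$(count_rsa_log4j "${1:-/}")
    if [ "$remaining" -eq 0 ]; then
        echo "OK: no $JAR_NAME under ${1:-/}"
        return 0
    fi
    echo "FOUND: $remaining copy/copies of $JAR_NAME under ${1:-/}:"
    list_rsa_log4j "${1:-/}"
    return 1
}
```

Source the file and run `check_rsa_log4j_removed /` on the appliance; the printed hashes and paths let each hit be matched against the scanner's finding.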


 


Attachments

remove_rsa_jars_70p09.sh
remove_rsa_jars_70p06
remove_rsa_jars_80