VMware Horizon
VMware vCenter Server
VMware HCX
VMware NSX-T Data Center
VMware Unified Access Gateway
VMware WorkspaceOne Access
VMware Identity Manager
VMware vRealize Operations
VMware vRealize Operations Cloud Proxy
VMware vRealize Automation
VMware vRealize Lifecycle Manager
VMware Site Recovery Manager, vSphere Replication
VMware Carbon Black Cloud Workload Appliance
VMware Carbon Black EDR Server
VMware Tanzu GemFire
VMware Tanzu Greenplum
VMware Tanzu Operations Manager
VMware Tanzu Application Service for VMs
VMware Tanzu Kubernetes Grid Integrated Edition
VMware Tanzu Observability by Wavefront Nozzle
Healthwatch for Tanzu Application Service
Spring Cloud Services for VMware Tanzu
Spring Cloud Gateway for VMware Tanzu
Spring Cloud Gateway for Kubernetes
API Portal for VMware Tanzu
Single Sign-On for VMware Tanzu Application Service
App Metrics
VMware vCenter Cloud Gateway
VMware vRealize Orchestrator
VMware Cloud Foundation
VMware Workspace ONE Access Connector
VMware Horizon DaaS
VMware Horizon Cloud Connector
VMware NSX Data Center for vSphere
VMware AppDefense Appliance
VMware Cloud Director Object Storage Extension
VMware Telco Cloud Operations
VMware vRealize Log Insight
VMware Tanzu Scheduler
VMware Smart Assurance NCM
VMware Smart Assurance SAM [Service Assurance Manager]
VMware Integrated OpenStack
VMware vRealize Business for Cloud
(Additional products will be added)
A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in impacted VMware products.
This is an ongoing event, please check this advisory for frequent updates as they develop.
Description
Remote code execution vulnerability via Apache Log4j.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2021-44228 to this issue.
Known Attack Vectors
A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.
Resolution
Fixes for CVE-2021-44228 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
Workarounds
Workarounds for CVE-2021-44228 are documented in the ‘Workarounds’ column of the ‘Response Matrix’ below.
Additional Documentation
None.
Acknowledgements
None.
Notes