VMware Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

1. Impacted Products (Under Evaluation)

• VMware Horizon

• VMware vCenter Server

• VMware HCX

• VMware NSX-T Data Center

• VMware Unified Access Gateway

• VMware WorkspaceOne Access

• VMware Identity Manager

• VMware vRealize Operations

• VMware vRealize Operations Cloud Proxy

• VMware vRealize Automation

• VMware vRealize Lifecycle Manager

• VMware Site Recovery Manager, vSphere Replication

• VMware Carbon Black Cloud Workload Appliance

• VMware Carbon Black EDR Server

• VMware Tanzu GemFire

• VMware Tanzu Greenplum

• VMware Tanzu Operations Manager

• VMware Tanzu Application Service for VMs

• VMware Tanzu Kubernetes Grid Integrated Edition

• VMware Tanzu Observability by Wavefront Nozzle

• Healthwatch for Tanzu Application Service

• Spring Cloud Services for VMware Tanzu

• Spring Cloud Gateway for VMware Tanzu

• Spring Cloud Gateway for Kubernetes

• API Portal for VMware Tanzu

• Single Sign-On for VMware Tanzu Application Service

• App Metrics

• VMware vCenter Cloud Gateway

• VMware vRealize Orchestrator

• VMware Cloud Foundation

• VMware Workspace ONE Access Connector

• VMware Horizon DaaS

• VMware Horizon Cloud Connector

• VMware NSX Data Center for vSphere

• VMware AppDefense Appliance

• VMware Cloud Director Object Storage Extension

• VMware Telco Cloud Operations

• VMware vRealize Log Insight

• VMware Tanzu Scheduler

• VMware Smart Assurance NCM

• VMware Smart Assurance SAM [Service Assurance Manager]

• VMware Integrated OpenStack

• VMware vRealize Business for Cloud

• (Additional products will be added)

2. Introduction

A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in impacted VMware products.

This is an ongoing event, please check this advisory for frequent updates as they develop.

3. Problem Description

Description

Remote code execution vulnerability via Apache Log4j.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2021-44228 to this issue.

Known Attack Vectors

A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.

Resolution

Fixes for CVE-2021-44228 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

Workarounds

Workarounds for CVE-2021-44228 are documented in the ‘Workarounds’ column of the ‘Response Matrix’ below.

Additional Documentation

None.

Acknowledgements

None.

Notes

• Exploitation attempts in the wild have been confirmed by VMware.
• A supplemental blog post & frequently asked questions list was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0028-faq&gt;
• Unaffected VMware products can be referred to on the Knowledge Base article: <https://kb.vmware.com/s/article/87068&gt;