VMware Horizon
VMware vCenter Server
VMware HCX
VMware NSX-T Data Center
VMware Unified Access Gateway
VMware WorkspaceOne Access
VMware Identity Manager
VMware vRealize Operations
VMware vRealize Operations Cloud (Cloud Proxy)
VMware vRealize Automation
VMware vRealize Lifecycle Manager
VMware Site Recovery Manager, vSphere Replication
VMware Carbon Black Cloud Workload Appliance
VMware Carbon Black EDR Server
VMware Tanzu GemFire
VMware Tanzu GemFire for VMs
VMware Tanzu Greenplum Platform Extension Framework
Greenplum Text
VMware Tanzu Operations Manager
VMware Tanzu Application Service for VMs
VMware Tanzu Kubernetes Grid Integrated Edition
VMware Tanzu Observability by Wavefront Nozzle
Healthwatch for Tanzu Application Service
Spring Cloud Services for VMware Tanzu
Spring Cloud Gateway for VMware Tanzu
Spring Cloud Gateway for Kubernetes
API Portal for VMware Tanzu
Single Sign-On for VMware Tanzu Application Service
App Metrics
VMware vCenter Cloud Gateway
VMware vRealize Orchestrator
VMware Cloud Foundation
VMware Workspace ONE Access Connector
VMware Horizon DaaS
VMware Horizon Cloud Connector
VMware NSX Data Center for vSphere
VMware AppDefense Appliance
VMware Cloud Director Object Storage Extension
VMware Telco Cloud Operations
VMware vRealize Log Insight
VMware Tanzu Scheduler
VMware Smart Assurance NCM
VMware Smart Assurance SAM [Service Assurance Manager]
VMware Integrated OpenStack
VMware vRealize Business for Cloud
VMware vRealize Network Insight
VMware Cloud Provider Lifecycle Manager
VMware SD-WAN VCO
VMware NSX-T Intelligence Appliance
VMware Horizon Agents Installer
VMware Tanzu Observability Proxy
VMware Smart Assurance M&R
VMware Harbor Container Registry for TKGI
VMware vRealize Operations Tenant App for VMware Cloud Director
(Additional products will be added)
Critical vulnerabilities in Apache Log4j, identified by CVE-2021-44228 and CVE-2021-45046, have been publicly disclosed and impact VMware products.
This is an ongoing event. Please check this advisory for frequent updates as they develop.
Description
Multiple products are impacted by remote code execution vulnerabilities via Apache Log4j (CVE-2021-44228, CVE-2021-45046).
Known Attack Vectors
A malicious actor with network access to an impacted VMware product may exploit these issues to gain full control of the target system.
Resolution
Fixes for CVE-2021-44228 and CVE-2021-45046 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
Workarounds
Workarounds for CVE-2021-44228 and CVE-2021-45046 are documented in the ‘Workarounds’ column of the ‘Response Matrix’ below.
Additional Documentation
None.
Acknowledgements
None.
Notes