VMware Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)


##### **1\. Impacted Products (Under Evaluation)** * VMware Horizon * VMware vCenter Server * VMware HCX * VMware NSX-T Data Center * VMware Unified Access Gateway * VMware WorkspaceOne Access * VMware Identity Manager * VMware vRealize Operations * VMware vRealize Operations Cloud (Cloud Proxy) * VMware vRealize Automation * VMware vRealize Lifecycle Manager * VMware Site Recovery Manager, vSphere Replication * VMware Carbon Black Cloud Workload Appliance * VMware Carbon Black EDR Server * VMware Tanzu GemFire * VMware Tanzu GemFire for VMs * VMware Tanzu Greenplum Platform Extension Framework * Greenplum Text * VMware Tanzu Operations Manager * VMware Tanzu Application Service for VMs * VMware Tanzu Kubernetes Grid Integrated Edition * VMware Tanzu Observability by Wavefront Nozzle * Healthwatch for Tanzu Application Service * Spring Cloud Services for VMware Tanzu * Spring Cloud Gateway for VMware Tanzu * Spring Cloud Gateway for Kubernetes * API Portal for VMware Tanzu * Single Sign-On for VMware Tanzu Application Service * App Metrics * VMware vCenter Cloud Gateway * VMware vRealize Orchestrator * VMware Cloud Foundation * VMware Workspace ONE Access Connector * VMware Horizon DaaS * VMware Horizon Cloud Connector * VMware NSX Data Center for vSphere * VMware AppDefense Appliance * VMware Cloud Director Object Storage Extension * VMware Telco Cloud Operations * VMware vRealize Log Insight * VMware Tanzu Scheduler * VMware Smart Assurance NCM * VMware Smart Assurance SAM [Service Assurance Manager] * VMware Integrated OpenStack * VMware vRealize Business for Cloud * VMware vRealize Network Insight * VMware Cloud Provider Lifecycle Manager * VMware SD-WAN VCO * VMware NSX-T Intelligence Appliance * VMware Horizon Agents Installer * VMware Tanzu Observability Proxy * VMware Smart Assurance M&R * VMware Harbor Container Registry for TKGI * VMware vRealize Operations Tenant App for VMware Cloud Director * (Additional products will be added) ##### **2\. Introduction** Critical vulnerabilities in Apache Log4j identified by CVE-2021-44228 and CVE-2021-45046 have been publicly disclosed which impact VMware products. This is an ongoing event, please check this advisory for frequent updates as they develop. ##### **3\. Problem Description** **Description** Multiple products impacted by remote code execution vulnerabilities via Apache Log4j (CVE-2021-44228, CVE-2021-45046). **Known Attack Vectors** A malicious actor with network access to an impacted VMware product may exploit these issues to gain full control of the target system. **Resolution** Fixes for CVE-2021-44228 and CVE-2021-45046 are documented in the 'Fixed Version' column of the 'Response Matrix' below. **Workarounds** Workarounds for CVE-2021-44228 and CVE-2021-45046 are documented in the 'Workarounds' column of the 'Response Matrix' below. **Additional Documentation** None. **Acknowledgements** None. **Notes** * Exploitation attempts in the wild of CVE-2021-44228 have been confirmed by VMware. * A supplemental blog post & frequently asked questions list was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0028-faq> * Unaffected VMware products can be referred to on the Knowledge Base article: <https://kb.vmware.com/s/article/87068> * On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds were not sufficient in removing all possible attack vectors. In addition, a new vulnerability identified by CVE-2021-45046 was published. In response, VMware has aligned with the new guidance and will be updating associated documentation with workarounds and fixes to address both vulnerabilities completely. * On December 17, 2021 the Apache Software Foundation updated the severity of CVE-2021-45046 to 9.0, in response we have aligned our advisory. * A new vulnerability identified by CVE-2021-45105 [has been disclosed by the Apache Software Foundation](<https://logging.apache.org/log4j/2.x/security.html>) that impacts log4j releases prior to 2.17 in non-default configurations. Shortly after this announcement VMware began investigating the potential impact of this vulnerability. At the time of this update, we have not found a valid attack vector to exploit CVE-2021-45105 in any VMware products, but investigations will continue. VMware will update log4j to 2.17 in future releases of our products.

Affected Software

CPE Name Name Version
vmware horizon 8.x, 7.x
vmware vcenter server 7.x, 6.7.x, 6.5.x
vmware vcenter server 6.7.x, 6.5.x
vmware hcx 4.2.3
vmware hcx
vmware nsx-t data center 3.x, 2.x
vmware unified access gateway 21.x, 20.x, 3.x
vmware workspace one access 21.x, 20.10.x
vmware identity manager 3.3.x
vmware vrealize operations 8.x
vmware vrealize operations cloud proxy Any
vmware vrealize automation 8.x
vmware vrealize automation 7.6
vmware vrealize lifecycle manager 8.x
vmware carbon black cloud workload appliance 1.1.1
vmware carbon black edr server 7.6.0
vmware site recovery manager, vsphere replication 8.3, 8.4, 8.5
vmware tanzu gemfire 1.14.1, 1.13.4
vmware tanzu greenplum 6.x
vmware tanzu operations manager 2.10.23
vmware tanzu application service for vms 2.7.42, 2.10.22, 2.11.10, 2.12.3
vmware tanzu kubernetes grid integrated edition 1.x
vmware tanzu observability by wavefront nozzle 3.0.3
healthwatch for tanzu application service 2.1.7
healthwatch for tanzu application service 1.8.6
spring cloud services for vmware tanzu 3.1.26
spring cloud gateway for vmware tanzu 1.1.3
spring cloud gateway for kubernetes 1.x
api portal for vmware tanzu 1.0.7
single sign-on for vmware tanzu application service 1.14.5
app metrics 2.1.1
vmware vcenter cloud gateway 1.x
vmware vrealize orchestrator 8.x
vmware vrealize orchestrator 7.6
vmware cloud foundation 4.x, 3.x
vmware workspace one access connector (vmware identity manager connector) 21.x, 20.10.x,
vmware horizon daas 9.1.x, 9.0.x
vmware horizon cloud connector 2.1.1
vmware nsx data center for vsphere 6.x
vmware appdefense appliance 2.x
vmware cloud director object storage extension
vmware cloud director object storage extension
vmware telco cloud operations 1.x
vmware vrealize log insight 8.2, 8.3, 8.4, 8.6
vmware tanzu scheduler 1.x
vmware smart assurance ncm 10.1.6
vmware smart assurance sam [service assurance manager] 10.1.2, 10.1.5
vmware integrated openstack 7.x
vmware vrealize business for cloud 7.x
vmware vrealize network insight 5.3, 6.x