Let’s take a quick look at exactly what the vulnerability described in CVE 202144228 is. We will also look at a critical vulnerability in Apache Log4j. CVE202144228 is affected by VMWare and identifies products that are potentially vulnerable to this highly malicious vulnerability.
What is the cve-2021-44228 critical vulnerability?
The CVE202144228 vulnerability is also known as Log4Shell or LogJam. This is a remote execution vulnerability that affects the Apache Log4J library, especially all versions of Log4j from 2.0beta9 to 2.14.1 and later. What is this library? This is the library used as part of the Apache Logging Project. The downside is that this is one of the most popular and popular logging libraries used by Java developers.
Critical Vulnerability in Apache Log4j CVE-2021-44228 is VMware affected?
Unfortunately, like many large software development companies, VMware is affected by this vulnerability. According to the official VMSA-2021-0028.1, the following products are known as affected. However, keep in mind this list is in flux and may be extended:
- VMware Horizon
- VMware vCenter Server
- VMware HCX
- VMware NSX-T Data Center
- VMware Unified Access Gateway
- VMware WorkspaceOne Access
- VMware Identity Manager
- VMware vRealize Operations
- VMware vRealize Operations Cloud Proxy
- VMware vRealize Log Insight
- VMware vRealize Automation
- VMware vRealize Lifecycle Manager
- VMware Telco Cloud Automation
- VMware Site Recovery Manager
- VMware Carbon Black Cloud Workload Appliance
- VMware Carbon Black EDR Server
- VMware Tanzu GemFire
- VMware Tanzu Greenplum
- VMware Tanzu Operations Manager
- VMware Tanzu Application Service for VMs
- VMware Tanzu Kubernetes Grid Integrated Edition
- VMware Tanzu Observability by Wavefront Nozzle
- Healthwatch for Tanzu Application Service
- Spring Cloud Services for VMware Tanzu
- Spring Cloud Gateway for VMware Tanzu
- Spring Cloud Gateway for Kubernetes
- API Portal for VMware Tanzu
- Single Sign-On for VMware Tanzu Application Service
- App Metrics
- VMware vCenter Cloud Gateway
- VMware Tanzu SQL with MySQL for VMs
- VMware vRealize Orchestrator
- VMware Cloud Foundation
- VMware Workspace ONE Access Connector
- VMware Horizon DaaS
- VMware Horizon Cloud Connector
- (Additional products will be added)
Note the following workarounds listed in the official VMSA linked above, with the KB articles listed for the workarounds. Keep in mind the CVSSv3 rating is 10.0 (as bad as it can get).
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| VMware Horizon | 8.x, 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2111, 7.13.1, 7.10.3 | KB87073 | None |
| VMware vCenter Server | 7.x, 6.7.x, 6.5.x | Virtual Appliance | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87081 | None |
| VMware vCenter Server | 6.7.x, 6.5.x | Windows | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87096 | None |
| VMware HCX | 4.3 | Any | CVE-2021-44228, CVE-2021-45046 | N/A | N/A | N/A | N/A | Not Affected |
| VMware HCX | 4.2.x, 4.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 4.2.4 | KB87104 | None |
| VMware HCX | 4.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 4.1.0.3 | KB87104 | None |
| VMware NSX-T Data Center | 3.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.1.3.5 | KB87086 | None |
| VMware NSX-T Data Center | 3.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.0.3.1 | KB87086 | None |
| VMware NSX-T Data Center | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.5.3.4 | KB87086 | None |
| VMware Unified Access Gateway | 21.x, 20.x, 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2111.1 | KB87092 | None |
| VMware Workspace ONE Access | 21.x, 20.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87183 | KB87090 | None |
| VMware Identity Manager | 3.3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87185 | KB87093 | None |
| VMware vRealize Operations | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.6.2 | KB87076 | None |
| VMware vRealize Operations Cloud Proxy | Any | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87080 | None |
| VMware vRealize Automation | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87120 | None |
| VMware vRealize Automation | 7.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87121 | None |
| VMware vRealize Lifecycle Manager | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87097 | None |
| VMware Carbon Black Cloud Workload Appliance | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.1.2 | UeX 109167 | None |
| VMware Carbon Black EDR Server | 7.6.0, 7.5.x, 7.4.x, 7.3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 7.6.1 | UeX 109183 | None |
| VMware Site Recovery Manager, vSphere Replication | 8.5, 8.4, 8.3 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.5.0.2, 8.4.0.4, 8.3.1.5 | KB87098 | None |
| VMware Tanzu GemFire | 9.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 9.10.13, 9.9.7 | Article Number 13255 | None |
| VMware Tanzu GemFire for VMs | 1.14.x, 1.13.x, 1.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.14.2, 1.13.5, 1.12.4, 1.10.9 | Article Number 13262 | None |
| VMware Tanzu Greenplum Platform Extension Framework | 6.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 6.2.2 | Article Number 13256 | None |
| Greenplum Text | 3.4-3.8 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.8.1 | Article Number 13256 | None |
| VMware Tanzu Operations Manager | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.8.18, 2.9.25, 2.10.24 | Article Number 13264 | None |
| VMware Tanzu Application Service for VMs | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.6.23, 2.7.44, 2.8.30, 2.9.30, 2.10.24, 2.11.12 and 2.12.5 | Article Number 13265 | None |
| VMware Tanzu Kubernetes Grid Integrated Edition | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.13.1, 1.10.8 | Article Number 13263 | None |
| VMware Tanzu Observability by Wavefront Nozzle | 3.x, 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.0.4 | Workaround Pending | None |
| Healthwatch for Tanzu Application Service | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.1.8 | Workaround Pending | None |
| Healthwatch for Tanzu Application Service | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.8.7 | Workaround Pending | None |
| Spring Cloud Services for VMware Tanzu | 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.1.27 | None | None |
| Spring Cloud Services for VMware Tanzu | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.1.10 | None | None |
| Spring Cloud Gateway for VMware Tanzu | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.1.4, 1.0.19 | Workaround Pending | None |
| Spring Cloud Gateway for Kubernetes | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.0.7 | Workaround Pending | None |
| API Portal for VMware Tanzu | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.0.8 | Workaround Pending | None |
| Single Sign-On for VMware Tanzu Application Service | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.14.6 | Workaround Pending | None |
| App Metrics | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.1.2 | Workaround Pending | None |
| VMware vCenter Cloud Gateway | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87081 | None |
| VMware vRealize Orchestrator | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87120 | None |
| VMware vRealize Orchestrator | 7.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87122 | None |
| VMware Cloud Foundation | 4.x, 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87095 | None |
| VMware Workspace ONE Access Connector (VMware Identity Manager Connector) | 21.08.0.1, 21.08, 20.10, 19.03.0.1 | Windows | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87184 | KB87091 | None |
| VMware Horizon DaaS | 9.1.x, 9.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87101 | None |
| VMware Horizon Cloud Connector | 1.x, 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.1.2 | None | None |
| VMware NSX Data Center for vSphere | 6.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 6.4.12 | KB87099 | None |
| VMware AppDefense Appliance | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | N/A | UeX 109180 | None |
| VMware Cloud Director Object Storage Extension | 2.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.1.0.1 | KB87102 | None |
| VMware Cloud Director Object Storage Extension | 2.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.0.0.3 | KB87102 | None |
| VMware Telco Cloud Operations | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.4.0.1 | KB87143 | None |
| VMware vRealize Log Insight | 8.2, 8.3, 8.4, 8.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.6.2 | KB87089 | None |
| VMware Tanzu Scheduler | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.6.1 | Article Number 13280 | None |
| VMware Smart Assurance NCM | 10.1.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87113 | None |
| VMware Smart Assurance SAM [Service Assurance Manager] | 10.1.0.x, 10.1.2, 10.1.5, | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87119 | None |
| VMware Integrated OpenStack | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87118 | None |
| VMware vRealize Business for Cloud | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87127 | None |
| VMware vRealize Network Insight | 5.3, 6.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87135 | None |
| VMware Cloud Provider Lifecycle Manager | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.2.0.1 | KB87142 | None |
| VMware SD-WAN VCO | 4.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87158 | None |
| VMware NSX-T Intelligence Appliance | 1.2.x, 1.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87150 | None |
| VMware Horizon Agents Installer | 21.x.x, 20.x.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87157 | KB87157 | None |
| VMware Tanzu Observability Proxy | 10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 10.12 | Article Number 13272 | None |
| VMware Smart Assurance M&R | 6.8u5, 7.0u8, 7.2.0.1 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87161 | None |
| VMware Harbor Container Registry for TKGI | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.4.1 | Article Number 13263 | None |
| VMware vRealize Operations Tenant App for VMware Cloud Director | 2.5 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87187 | None |
Official KBs to be informed
So, at the moment you can find everything you need on the next two KB:
- https://kb.vmware.com/s/article/87081
- https://kb.vmware.com/s/article/87088
- https://www.vmware.com/security/advisories/VMSA-2021-0028.html
Wait, is my Center version affected? Check by yourself but the answer is YES:
