VMware affected with Critical Vulnerability in Apache Log4j CVE-2021-44228

Posted in VMWARE by On December 23, 2021. No comments

Let’s take a quick look at exactly what the vulnerability described in CVE 202144228 is. We will also look at a critical vulnerability in Apache Log4j. CVE202144228 is affected by VMWare and identifies products that are potentially vulnerable to this highly malicious vulnerability.

What is the cve-2021-44228 critical vulnerability?

The CVE202144228 vulnerability is also known as Log4Shell or LogJam. This is a remote execution vulnerability that affects the Apache Log4J library, especially all versions of Log4j from 2.0beta9 to 2.14.1 and later. What is this library? This is the library used as part of the Apache Logging Project. The downside is that this is one of the most popular and popular logging libraries used by Java developers.

Critical Vulnerability in Apache Log4j CVE-2021-44228 is VMware affected?

Unfortunately, like many large software development companies, VMware is affected by this vulnerability. According to the official VMSA-2021-0028.1, the following products are known as affected. However, keep in mind this list is in flux and may be extended:

  • VMware Horizon
  • VMware vCenter Server
  • VMware HCX
  • VMware NSX-T Data Center
  • VMware Unified Access Gateway
  • VMware WorkspaceOne Access
  • VMware Identity Manager
  • VMware vRealize Operations
  • VMware vRealize Operations Cloud Proxy
  • VMware vRealize Log Insight
  • VMware vRealize Automation
  • VMware vRealize Lifecycle Manager
  • VMware Telco Cloud Automation
  • VMware Site Recovery Manager
  • VMware Carbon Black Cloud Workload Appliance
  • VMware Carbon Black EDR Server
  • VMware Tanzu GemFire
  • VMware Tanzu Greenplum
  • VMware Tanzu Operations Manager
  • VMware Tanzu Application Service for VMs
  • VMware Tanzu Kubernetes Grid Integrated Edition
  • VMware Tanzu Observability by Wavefront Nozzle
  • Healthwatch for Tanzu Application Service
  • Spring Cloud Services for VMware Tanzu
  • Spring Cloud Gateway for VMware Tanzu
  • Spring Cloud Gateway for Kubernetes
  • API Portal for VMware Tanzu
  • Single Sign-On for VMware Tanzu Application Service
  • App Metrics
  • VMware vCenter Cloud Gateway
  • VMware Tanzu SQL with MySQL for VMs
  • VMware vRealize Orchestrator
  • VMware Cloud Foundation
  • VMware Workspace ONE Access Connector
  • VMware Horizon DaaS
  • VMware Horizon Cloud Connector
  • (Additional products will be added)

Note the following workarounds listed in the official VMSA linked above, with the KB articles listed for the workarounds. Keep in mind the CVSSv3 rating is 10.0 (as bad as it can get).

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
VMware Horizon 8.x, 7.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 2111, 7.13.1, 7.10.3 KB87073 None
VMware vCenter Server 7.x, 6.7.x, 6.5.x Virtual Appliance CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87081 None
VMware vCenter Server 6.7.x, 6.5.x Windows CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87096 None
VMware HCX 4.3 Any CVE-2021-44228, CVE-2021-45046 N/A N/A N/A N/A Not Affected
VMware HCX 4.2.x, 4.0.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 4.2.4 KB87104 None
VMware HCX 4.1.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 4.1.0.3 KB87104 None
VMware NSX-T Data Center 3.1.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 3.1.3.5 KB87086 None
VMware NSX-T Data Center 3.0.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 3.0.3.1 KB87086 None
VMware NSX-T Data Center 2.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 2.5.3.4 KB87086 None
VMware Unified Access Gateway 21.x, 20.x, 3.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 2111.1 KB87092 None
VMware Workspace ONE Access 21.x, 20.10.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical KB87183 KB87090 None
VMware Identity Manager 3.3.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical KB87185 KB87093 None
VMware vRealize Operations 8.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 8.6.2 KB87076 None
VMware vRealize Operations Cloud Proxy Any Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87080 None
VMware vRealize Automation 8.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87120 None
VMware vRealize Automation 7.6 Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87121 None
VMware vRealize Lifecycle Manager 8.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87097 None
VMware Carbon Black Cloud Workload Appliance 1.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 1.1.2 UeX 109167 None
VMware Carbon Black EDR Server 7.6.0, 7.5.x, 7.4.x, 7.3.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 7.6.1 UeX 109183 None
VMware Site Recovery Manager, vSphere Replication 8.5, 8.4, 8.3 Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 8.5.0.2, 8.4.0.4, 8.3.1.5 KB87098 None
VMware Tanzu GemFire 9.10.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 9.10.13, 9.9.7 Article Number 13255 None
VMware Tanzu GemFire for VMs 1.14.x, 1.13.x, 1.10.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 1.14.2, 1.13.5, 1.12.4, 1.10.9 Article Number 13262 None
VMware Tanzu Greenplum Platform Extension Framework 6.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 6.2.2 Article Number 13256 None
Greenplum Text 3.4-3.8 Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 3.8.1 Article Number 13256 None
VMware Tanzu Operations Manager 2.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 2.8.18, 2.9.25, 2.10.24 Article Number 13264 None
VMware Tanzu Application Service for VMs 2.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 2.6.23, 2.7.44, 2.8.30, 2.9.30, 2.10.24, 2.11.12 and 2.12.5 Article Number 13265 None
VMware Tanzu Kubernetes Grid Integrated Edition 1.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 1.13.1, 1.10.8 Article Number 13263 None
VMware Tanzu Observability by Wavefront Nozzle 3.x, 2.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 3.0.4 Workaround Pending None
Healthwatch for Tanzu Application Service 2.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 2.1.8 Workaround Pending None
Healthwatch for Tanzu Application Service 1.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 1.8.7 Workaround Pending None
Spring Cloud Services for VMware Tanzu 3.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 3.1.27 None None
Spring Cloud Services for VMware Tanzu 2.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 2.1.10 None None
Spring Cloud Gateway for VMware Tanzu 1.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 1.1.4, 1.0.19 Workaround Pending None
Spring Cloud Gateway for Kubernetes 1.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 1.0.7 Workaround Pending None
API Portal for VMware Tanzu 1.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 1.0.8 Workaround Pending None
Single Sign-On for VMware Tanzu Application Service 1.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 1.14.6 Workaround Pending None
App Metrics 2.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 2.1.2 Workaround Pending None
VMware vCenter Cloud Gateway 1.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87081 None
VMware vRealize Orchestrator 8.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87120 None
VMware vRealize Orchestrator 7.6 Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87122 None
VMware Cloud Foundation 4.x, 3.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87095 None
VMware Workspace ONE Access Connector (VMware Identity Manager Connector) 21.08.0.1, 21.08, 20.10, 19.03.0.1 Windows CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical KB87184 KB87091 None
VMware Horizon DaaS 9.1.x, 9.0.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87101 None
VMware Horizon Cloud Connector 1.x, 2.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 2.1.2 None None
VMware NSX Data Center for vSphere 6.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 6.4.12 KB87099 None
VMware AppDefense Appliance 2.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical N/A UeX 109180 None
VMware Cloud Director Object Storage Extension 2.1.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 2.1.0.1 KB87102 None
VMware Cloud Director Object Storage Extension 2.0.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 2.0.0.3 KB87102 None
VMware Telco Cloud Operations 1.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 1.4.0.1 KB87143 None
VMware vRealize Log Insight 8.2, 8.3, 8.4, 8.6 Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 8.6.2 KB87089 None
VMware Tanzu Scheduler 1.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 1.6.1 Article Number 13280 None
VMware Smart Assurance NCM 10.1.6 Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87113 None
VMware Smart Assurance SAM [Service Assurance Manager] 10.1.0.x, 10.1.2, 10.1.5, Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87119 None
VMware Integrated OpenStack 7.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87118 None
VMware vRealize Business for Cloud 7.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87127 None
VMware vRealize Network Insight 5.3, 6.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87135 None
VMware Cloud Provider Lifecycle Manager 1.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 1.2.0.1 KB87142 None
VMware SD-WAN VCO 4.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87158 None
VMware NSX-T Intelligence Appliance 1.2.x, 1.1.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87150 None
VMware Horizon Agents Installer 21.x.x, 20.x.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical KB87157 KB87157 None
VMware Tanzu Observability Proxy 10.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 10.12 Article Number 13272 None
VMware Smart Assurance M&R 6.8u5, 7.0u8, 7.2.0.1 Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87161 None
VMware Harbor Container Registry for TKGI 2.x Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical 2.4.1 Article Number 13263 None
VMware vRealize Operations Tenant App for VMware Cloud Director 2.5 Any CVE-2021-44228, CVE-2021-45046 10.0, 9.0 Critical Patch Pending KB87187 None

Official KBs to be informed

So, at the moment you can find everything you need on the next two KB:

Wait, is my Center version affected? Check by yourself but the answer is YES:

Related Posts