VMware Response to Apache Log4j Remote Code Execution Vulnerabilities (CVE-2021-44228, CVE-2021-45046). Customers should be well aware of the log4j vulnerability. Whilst this issue has been around since 2021, VMware have been actively creating workarounds and patches. As previouisly mentioned, customers are advised to issue these workarounds immediately.
If customers require assistance from Sebae, please get in touch with us.
Updated On: 27/01/2022
CVE-2021-44228, CVE-2021-45046
1. Impacted Products
- VMware Horizon
- VMware vCenter Server
- VMware HCX
- VMware NSX-T Data Center
- VMware Unified Access Gateway
- VMware WorkspaceOne Access
- VMware Identity Manager
- VMware vRealize Operations
- VMware vRealize Operations Cloud (Cloud Proxy)
- VMware vRealize Automation
- VMware vRealize Lifecycle Manager
- VMware Site Recovery Manager, vSphere Replication
- VMware Carbon Black Cloud Workload Appliance
- VMware Carbon Black EDR Server
- VMware Tanzu GemFire
- VMware Tanzu GemFire for VMs
- VMware Tanzu Greenplum Platform Extension Framework
- VMware Greenplum Text
- VMware Tanzu Operations Manager
- VMware Tanzu Application Service for VMs
- VMware Tanzu Kubernetes Grid Integrated Edition
- VMware Tanzu Observability by Wavefront Nozzle
- Healthwatch for Tanzu Application Service
- Spring Cloud Services for VMware Tanzu
- Spring Cloud Gateway for VMware Tanzu
- Spring Cloud Gateway for Kubernetes
- API Portal for VMware Tanzu
- Single Sign-On for VMware Tanzu Application Service
- App Metrics
- VMware vCenter Cloud Gateway
- VMware vRealize Orchestrator
- VMware Cloud Foundation
- VMware Workspace ONE Access Connector
- VMware Horizon DaaS
- VMware Horizon Cloud Connector
- VMware NSX Data Center for vSphere
- VMware AppDefense Appliance
- VMware Cloud Director Object Storage Extension
- VMware Telco Cloud Operations
- VMware vRealize Log Insight
- VMware Tanzu Scheduler
- VMware Smart Assurance NCM
- VMware Smart Assurance SAM [Service Assurance Manager]
- VMware Integrated OpenStack
- VMware vRealize Business for Cloud
- VMware vRealize Network Insight
- VMware Cloud Provider Lifecycle Manager
- VMware SD-WAN VCO
- VMware NSX Intelligence
- VMware Horizon Agents Installer
- VMware Tanzu Observability Proxy
- VMware Smart Assurance M&R
- VMware Harbor Container Registry for TKGI
- VMware vRealize Operations Tenant App for VMware Cloud Director
2. Introduction
Critical vulnerabilities in Apache Log4j identified by CVE-2021-44228 and CVE-2021-45046 have been publicly disclosed which impact VMware products.
3. Problem Description
Description
Multiple products impacted by remote code execution vulnerabilities via Apache Log4j (CVE-2021-44228, CVE-2021-45046).
Known Attack Vectors
A malicious actor with network access to an impacted VMware product may exploit these issues to gain full control of the target system.
Resolution
Fixes for CVE-2021-44228 and CVE-2021-45046 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
Workarounds
Workarounds for CVE-2021-44228 and CVE-2021-45046 are documented in the ‘Workarounds’ column of the ‘Response Matrix’ below.
Additional Documentation
None.
Acknowledgements
None.
Notes
- 2021/12/10: Exploitation attempts in the wild of CVE-2021-44228 have been confirmed by VMware.
- 2021/12/11: A supplemental blog post & frequently asked questions list was created for additional clarification. Please see: https://via.vmw.com/vmsa-2021-0028-faq
- 2021/12/13: Unaffected VMware products can be referred to on the Knowledge Base article: https://kb.vmware.com/s/article/87068
- 2021/12/14: The Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds were not sufficient in removing all possible attack vectors. In addition, a new vulnerability identified by CVE-2021-45046 was published. In response, VMware has aligned with the new guidance and will be updating associated documentation with workarounds and fixes to address both vulnerabilities completely.
- 2021/12/17: The Apache Software Foundation updated the severity of CVE-2021-45046 to 9.0, in response we have aligned our advisory.
- 2022/01/07: A pair of new vulnerabilities identified by CVE-2021-45105 and CVE-2021-44832 have been disclosed by the Apache Software Foundation that impact log4j releases prior to 2.17.1 in non-default configurations. VMware has investigated and has found no evidence that these vulnerabilities are exploitable in VMware products. Going forward new log4j vulnerabilities will continue to be evaluated to determine severity and applicability to VMware products, but will not be referenced in this advisory. VMware products will update open source components (including log4j) to the latest available versions in future releases.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
VMware Horizon | 8.x, 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87073 | KB87073 | None |
VMware vCenter Server | 7.x | Virtual Appliance | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 7.0U3c | KB87081 | None |
VMware vCenter Server | 6.x | Virtual Appliance | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87081 | None |
VMware vCenter Server | 6.7.x, 6.5.x | Windows | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87096 | None |
VMware HCX | 4.3 | Any | CVE-2021-44228, CVE-2021-45046 | N/A | N/A | N/A | N/A | Not Affected |
VMware HCX | 4.2.x, 4.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 4.2.4 | KB87104 | None |
VMware HCX | 4.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 4.1.0.3 | KB87104 | None |
VMware NSX-T Data Center | 3.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.1.3.5 | KB87086 | None |
VMware NSX-T Data Center | 3.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.0.3.1 | KB87086 | None |
VMware NSX-T Data Center | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.5.3.4 | KB87086 | None |
VMware Unified Access Gateway | 21.x, 20.x, 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2111.1 | KB87092 | None |
VMware Workspace ONE Access | 21.x, 20.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87183 | KB87090 | None |
VMware Identity Manager | 3.3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.3.6 | KB87093 | None |
VMware Site Recovery Manager, vSphere Replication | 8.5.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.5.0.2 | KB87098 | None |
VMware Site Recovery Manager, vSphere Replication | 8.4.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.4.0.4 | KB87098 | None |
VMware Site Recovery Manager, vSphere Replication | 8.3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.3.1.5 | KB87098 | None |
VMware Tanzu GemFire | 9.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 9.10.13 | Article Number 13255 | None |
VMware Tanzu GemFire | 9.9.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 9.9.7 | Article Number 13255 | None |
VMware Tanzu GemFire for VMs | 1.14.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.14.2 | Article Number 13262 | None |
VMware Tanzu GemFire for VMs | 1.13.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.13.5 | Article Number 13262 | None |
VMware Tanzu GemFire for VMs | 1.12.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.12.4 | Article Numer 13262 | None |
VMware Tanzu GemFIre for VMs | 1.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.10.9 | Article Number 13262 | None |
VMware Tanzu Greenplum Platform Extension Framework | 6.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 6.2.2 | Article Number 13256 | None |
VMware Greenplum Text | 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.8.1 | Article Number 13256 | None |
VMware Tanzu Operations Manager | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.10.25 | Article Number 13264 | None |
VMware Tanzu Application Service for VMs | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.6.23, 2.7.44, 2.8.30, 2.9.30, 2.10.24, 2.11.12 and 2.12.5 | Article Number 13265 | None |
VMware Tanzu Kubernetes Grid Integrated Edition | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.13.1, 1.10.8 | Article Number 13263 | None |
VMware Tanzu Observability by Wavefront Nozzle | 3.x, 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.0.4 | Workaround Pending | None |
Healthwatch for Tanzu Application Service | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.1.8 | Workaround Pending | None |
Healthwatch for Tanzu Application Service | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.8.7 | Workaround Pending | None |
Spring Cloud Services for VMware Tanzu | 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.1.27 | None | None |
Spring Cloud Services for VMware Tanzu | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.1.10 | None | None |
Spring Cloud Gateway for VMware Tanzu | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.1.4, 1.0.19 | Workaround Pending | None |
Spring Cloud Gateway for Kubernetes | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.0.7 | Workaround Pending | None |
API Portal for VMware Tanzu | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.0.8 | Workaround Pending | None |
Single Sign-On for VMware Tanzu Application Service | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.14.6 | Workaround Pending | None |
App Metrics | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.1.2 | Workaround Pending | None |
VMware vCenter Cloud Gateway | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87081 | None |
VMware Cloud Foundation | 4.x, 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87095 | None |
VMware Workspace ONE Access Connector (VMware Identity Manager Connector) | 21.08.0.1, 21.08, 20.10, 19.03.0.1 | Windows | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87184 | KB87091 | None |
VMware Horizon DaaS | 9.1.x, 9.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87101 | KB87101 | None |
VMware Horizon Cloud Connector | 1.x, 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.1.2 | None | None |
VMware NSX Data Center for vSphere | 6.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 6.4.12 | KB87099 | None |
VMware AppDefense Appliance | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | N/A | UeX 109180 | None |
VMware Cloud Director Object Storage Extension | 2.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.1.0.1 | KB87102 | None |
VMware Cloud Director Object Storage Extension | 2.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.0.0.3 | KB87102 | None |
VMware Telco Cloud Operations | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.4.0.1 | KB87143 | None |
VMware Tanzu Scheduler | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.6.1 | Article Number 13280 | None |
VMware Smart Assurance NCM | 10.1.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87113 | None |
VMware Smart Assurance SAM [Service Assurance Manager] | 10.1.0.x, 10.1.2, 10.1.5, | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87119 | None |
VMware Integrated OpenStack | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 7.2 | KB87118 | None |
VMware Cloud Provider Lifecycle Manager | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.2.0.1 | KB87142 | None |
VMware SD-WAN VCO | 4.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87158 | KB87158 | None |
VMware NSX Intelligence | 1.2.x, 1.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.2.1.1 | KB87150 | None |
VMware Horizon Agents Installer | 21.x.x, 20.x.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87157 | KB87157 | None |
VMware Tanzu Observability Proxy | 10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 10.12 | Article Number 13272 | None |
VMware Smart Assurance M&R | 6.8u5, 7.0u8, 7.2.0.1 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87161 | None |
VMware Harbor Container Registry for TKGI | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.4.1 | Article Number 13263 | None |
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
VMware Carbon Black Cloud Workload Appliance | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.1.2 | UeX 190167 | None |
VMware Carbon Black EDR Server | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 7.6.1 | UeX 109183 | None |
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
vRealize Automation | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.6.2 | KB87120 | None |
vRealize Automation | 7.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87121 | None |
VMware vRealize Business for Cloud | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87127 | None |
VMware vRealize Lifecycle Manager | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.6.2 | KB87097 | None |
VMware vRealize Log Insight | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.6.2 | KB87089 | None |
VMware vRealize Network Insight | 6.x, 5.3 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 6.5 | KB87135 | None |
VMware vRealize Operations | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87076 | KB87076 | None |
VMware vRealize Operations Cloud (Cloud Proxy) | Any | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.6.2 | KB87080 | None |
VMware vRealize Operations Tenant App for VMware Cloud Director | 2.5 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.5.1 | KB87187 | None |
VMware vRealize Orchestrator | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.6.2 | KB87120 | None |
VMware vRealize Orchestrator | 7.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87122 | None |
4. References
FIRST CVSSv3 Calculator:
CVE-2021-44228: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0)
CVE-2021-45046: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (9.0)
Mitre CVE Dictionary Links:
5. Change Log
2021-12-10: VMSA-2021-0028
Initial security advisory.
2021-12-11: VMSA-2021-0028.1
Updated advisory with workaround information for multiple products including vCenter Server Appliance, vRealize Operations, Horizon, vRealize Log Insight, Unified Access Gateway.
2021-12-13: VMSA-2021-0028.2
Revised advisory with updates to multiple products.
2021-12-15: VMSA-2021-0028.3
Revised advisory with updates to multiple products. In addition, added CVE-2021-45046 information and noted alignment with new Apache Software Foundation guidance.
2021-12-17: VMSA-2021-0028.4
Revised advisory with updates to multiple products.
2021-12-20: VMSA-2021-0028.5
Added a note on current CVE-2021-45105 investigations.
2021-12-21: VMSA-2021-0028.6
Revised advisory with updates to multiple products, including vRealize Operations and vRealize Log Insight.
2021-12-22: VMSA-2021-0028.7
Revised advisory with updates to multiple products, including HCX.
2021-12-24: VMSA-2021-0028.8
Revised advisory with updates to multiple products, including NSX-T, TKGI and Greenplum.
2022-01-19: VMSA-2021-0028.9
Revised advisory with updates to multiple products, including vRealize Automation, vRealize Orchestrator, NSX Intelligence, and vRealize Lifecycle Manager.
2022-01-27: VMSA-2022-0028.10
Revised advisory with updates to multiple products, including vCenter Server.