VMSA-2021-0028:VMware Response to Apache Log4j Remote Code Execution Vulnerabilities

App Suite

24 more products

23618

12 April 2022

08 December 2021

CLOSED

CRITICAL

9.0-10.0

CVE-2021-44228,CVE-2021-45046

VMSA-2021-0028.13
9.0-10.0
2021-12-10
2022-04-14
CVE-2021-44228, CVE-2021-45046
VMware Response to Apache Log4j Remote Code Execution Vulnerabilities (CVE-2021-44228, CVE-2021-45046)
1. Impacted Products
  • VMware Horizon
  • VMware vCenter Server (vCenter Server) 
  • VMware HCX
  • VMware Unified Access Gateway
  • Workspace ONE Access
  • VMware Identity Manager (vIDM) 
  • VMware vRealize Operations
  • VMware vRealize Operations Cloud (Cloud Proxy)
  • VMware vRealize Automation (vRA)
  • VMware vRealize Lifecycle Manager
  • VMware Site Recovery Manager, vSphere Replication
  • VMware Carbon Black Cloud Workload Appliance
  • VMware Carbon Black EDR Server
  • VMware Tanzu GemFire
  • VMware Tanzu GemFire for VMs
  • VMware Tanzu Greenplum Platform Extension Framework
  • VMware Greenplum Text
  • VMware Tanzu Operations Manager
  • VMware Tanzu Application Service for VMs
  • VMware Tanzu Kubernetes Grid Integrated Edition
  • VMware Tanzu Observability by Wavefront Nozzle
  • NSX-T Data Center
  • Healthwatch for Tanzu Application Service
  • Spring Cloud Services for VMware Tanzu
  • Spring Cloud Gateway for VMware Tanzu
  • Spring Cloud Gateway for Kubernetes
  • API Portal for VMware Tanzu
  • Single Sign-On for VMware Tanzu Application Service
  • App Metrics
  • VMware vCenter Cloud Gateway
  • VMware vRealize Orchestrator
  • VMware Cloud Foundation (Cloud Foundation) 
  • VMware Workspace ONE Access Connector (Access Connector)
  • VMware Horizon DaaS (Horizon DaaS)
  • VMware Horizon Cloud Connector
  • VMware NSX Data Center for vSphere
  • VMware AppDefense Appliance
  • VMware Cloud Director Object Storage Extension
  • VMware Telco Cloud Operations
  • VMware vRealize Log Insight
  • VMware Tanzu Scheduler
  • VMware Smart Assurance NCM
  • VMware Smart Assurance SAM (Service Assurance Manager)
  • VMware Integrated OpenStack
  • VMware vRealize Business for Cloud
  • VMware vRealize Network Insight
  • VMware Cloud Provider Lifecycle Manager 
  • VMware SD-WAN VCO
  • VMware NSX Intelligence
  • VMware Horizon Agents Installer
  • VMware Tanzu Observability Proxy
  • VMware Smart Assurance M&R
  • VMware Harbor Container Registry for TKGI
  • VMware Chargeback
  • VMware vRealize True Visibility Suite
  • VMware vRealize Operations Management Pack
2. Introduction

Critical vulnerabilities in Apache Log4j identified by CVE-2021-44228 and CVE-2021-45046 have been publicly disclosed which impact VMware products.

3. Problem Description

Description

Multiple products impacted by remote code execution vulnerabilities via Apache Log4j (CVE-2021-44228, CVE-2021-45046).

Known Attack Vectors

A malicious actor with network access to an impacted VMware product may exploit these issues to gain full control of the target system.

Resolution

Fixes for CVE-2021-44228 and CVE-2021-45046 are documented in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

Workarounds for CVE-2021-44228 and CVE-2021-45046 are documented in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

None.

Notes

  • 2021/12/10: Exploitation attempts in the wild of CVE-2021-44228 have been confirmed by VMware.
  • 2021/12/14: The Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds were not sufficient in removing all possible attack vectors. In addition, a new vulnerability identified by CVE-2021-45046 was published. In response, VMware has aligned with the new guidance and will be updating associated documentation with workarounds and fixes to address both vulnerabilities completely.
  • 2021/12/17: The Apache Software Foundation updated the severity of CVE-2021-45046 to 9.0, in response we have aligned our advisory.
  • 2022/01/07: A pair of new vulnerabilities identified by CVE-2021-45105 and CVE-2021-44832 have been disclosed by the Apache Software Foundation that impact log4j releases prior to 2.17.1 in non-default configurations. VMware has investigated and has found no evidence that these vulnerabilities are exploitable in VMware products. Going forward new log4j vulnerabilities will continue to be evaluated to determine severity and applicability to VMware products, but will not be referenced in this advisory. VMware products will update open source components (including log4j) to the latest available versions in future releases.

Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
VMware Horizon
8.x, 7.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vCenter Server
7.x
Virtual Appliance
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vCenter Server
6.7.x
Virtual Appliance
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vCenter Server
6.7.x
Windows
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vCenter Server
6.5.x
Virtual Appliance
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vCenter Server
6.5.x
Windows
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Cloud Foundation
4.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Cloud Foundation
3.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware HCX
4.3
Any
CVE-2021-44228, CVE-2021-45046
N/A
N/A
N/A
N/A
VMware HCX
4.2.x, 4.0.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware HCX
4.1.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware NSX-T Data Center
3.1.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware NSX-T Data Center
3.0.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware NSX-T Data Center
2.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Unified Access Gateway
21.x, 20.x, 3.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Workspace ONE Access
21.x, 20.10.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Identity Manager
3.3.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Site Recovery Manager, vSphere Replication
8.5.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Site Recovery Manager, vSphere Replication
8.4.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Site Recovery Manager, vSphere Replication
8.3.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vCenter Cloud Gateway
1.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Workspace ONE Access Connector (VMware Identity Manager Connector)
21.08.0.1, 21.08, 20.10, 19.03.0.1
Windows
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Horizon DaaS
9.1.x, 9.0.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Horizon Cloud Connector
1.x, 2.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
None
VMware NSX Data Center for vSphere
6.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware AppDefense Appliance
2.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
N/A
None
VMware Cloud Director Object Storage Extension
2.1.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Cloud Director Object Storage Extension
2.0.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Telco Cloud Operations
1.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Smart Assurance NCM
10.1.6.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Smart Assurance SAM [Service Assurance Manager]
10.1.5
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Smart Assurance SAM [Service Assurance Manager]
10.1.2.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Smart Assurance SAM [Service Assurance Manager]
10.1.0.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Integrated OpenStack
7.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Cloud Provider Lifecycle Manager
1.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware SD-WAN VCO
4.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware NSX Intelligence
1.2.x, 1.1.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Horizon Agents Installer
21.x.x, 20.x.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Smart Assurance M&R
9.6-6.8u5, 10.1.2-7.0u8, 10.1.5-7.2
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
VMware Carbon Black Cloud Workload Appliance
1.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Carbon Black EDR Server
7.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
VMware vRealize Automation
8.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vRealize Automation
7.6
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vRealize Business for Cloud
7.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vRealize Lifecycle Manager
8.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vRealize Log Insight
8.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vRealize Network Insight
6.x, 5.3
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vRealize Operations
8.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vRealize Operations Cloud (Cloud Proxy)
Any
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vRealize Operations Tenant App for VMware Cloud Director
2.5
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vRealize Orchestrator
8.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vRealize Orchestrator
7.6
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vRealize True Visibility Suite
Any
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware vRealize Operations Management Pack
Any
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
App Metrics
2.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
None
API Portal for VMware Tanzu
1.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
None
Healthwatch for Tanzu Application Service
2.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
None
Healthwatch for Tanzu Application Service
1.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
None
Single Sign-On for VMware Tanzu Application Service
1.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
None
Spring Cloud Gateway for Kubernetes
1.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
None
Spring Cloud Gateway for VMware Tanzu
1.1.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
None
Spring Cloud Gateway for VMware Tanzu
1.0.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
None
Spring Cloud Services for VMware Tanzu
3.x
Any
CVE-2021-44228, CVE-2021-45046
!0.0, 9.0
critical
None
None
Spring Cloud Services for VMware Tanzu
2.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
None
VMware Greenplum Text
3.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Harbor Container Registry for TKGI
2.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu Application Service for VMs
2.12.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu Application Service for VMs
2.11.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu Application Service for VMs
2.10.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu Application Service for VMs
2.9.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu Application Service for VMs
2.8.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu Application Service for VMs
2.7.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu GemFire
9.10.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu GemFire
9.9.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu GemFire for VMs
1.14.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu GemFire for VMs
1.13.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu GemFire for VMs
1.12.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu Greenplum Platform Extension Framework
6.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu Kubernetes Grid Integrated Edition
1.13.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu Kubernetes Grid Integrated Edition
1.10.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu Observability by Wavefront Nozzle
3.x, 2.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
None
VMware Tanzu Observability Proxy
10.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu Operations Manager
2.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
VMware Tanzu Scheduler
1.x
Any
CVE-2021-44228, CVE-2021-45046
10.0, 9.0
critical
None
4. References
5. Change Log

2021-12-10: VMSA-2021-0028
Initial security advisory.

 

2021-12-11: VMSA-2021-0028.1

Updated advisory with workaround information for multiple products including vCenter Server Appliance, vRealize Operations, Horizon, vRealize Log Insight, Unified Access Gateway.

 

2021-12-13: VMSA-2021-0028.2

Revised advisory with updates to multiple products.

 

2021-12-15: VMSA-2021-0028.3

Revised advisory with updates to multiple products. In addition, added CVE-2021-45046 information and noted alignment with new Apache Software Foundation guidance. 

 

2021-12-17: VMSA-2021-0028.4

Revised advisory with updates to multiple products.

 

2021-12-20: VMSA-2021-0028.5

Added a note on current CVE-2021-45105 investigations.

 

2021-12-21: VMSA-2021-0028.6

Revised advisory with updates to multiple products, including vRealize Operations and vRealize Log Insight.

 

2021-12-22: VMSA-2021-0028.7

Revised advisory with updates to multiple products, including HCX.

 

2021-12-24: VMSA-2021-0028.8

Revised advisory with updates to multiple products, including NSX-T, TKGI and Greenplum.

 

2022-01-19: VMSA-2021-0028.9

Revised advisory with updates to multiple products, including vRealize Automation, vRealize Orchestrator, NSX Intelligence, and vRealize Lifecycle Manager.

 

2022-01-27: VMSA-2021-0028.10

Revised advisory with updates to multiple products, including vCenter Server.

 

2022-02-08: VMSA-2021-0028.11

Revised advisory with updates to vCenter Server 6.7.x & 6.5.x.

 

2022-02-10: VMSA-2021-0028.12

Revised advisory with updates to VMware Cloud Foundation 4.x.

 

2022-02-14: VMSA-2021-0028.13

Revised advisory with updates to VMware Cloud Foundation 3.x.

 

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

 

This Security Advisory is posted to the following lists:  

[email protected]  

[email protected]  

[email protected] 

 

E-mail: [email protected]

PGP key at:

https://kb.vmware.com/kb/1055 

 

VMware Security Advisories

https://www.vmware.com/security/advisories 

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2021 VMware Inc. All rights reserved.