
Critical Vulnerability in Apache Log4j CVE-2021-44228: Is VMware Affected?

Well, unfortunately, it seems like we are ending the year on a dangerous critical vulnerability. Just a couple of days ago, a critical vulnerability in Apache Log4j, identified as CVE-2021-44228, was posted. It is a bad one. We are going to take a brief look at what exactly the vulnerability described in CVE-2021-44228 is. We will also look at whether VMware is affected and which products, if any, may be vulnerable to this extremely nasty vulnerability.

Critical Vulnerability in Apache Log4j CVE 2021 44228

What is the CVE-2021-44228 critical vulnerability?

The CVE-2021-44228 vulnerability is also referred to as Log4Shell or LogJam. It is a remote code execution vulnerability that affects the Apache Log4j library; all versions of Log4j from 2.0-beta9 to 2.14.1 are vulnerable. What is this library? It is a library that is used as part of the Apache Logging Project. The bad thing is that it is one of the most common and popular logging libraries used by Java developers.

It is included in software from large software development companies that is used across the enterprise, including Amazon, Apple, Cisco, Cloudflare, Tesla, Twitter, and yes, VMware.

The bad thing is that this vulnerability is literally everywhere, and a patched version of the code is not yet available for all products that use it, which is dangerous. Most likely, due to its popularity and prevalence, it will be actively exploited by attackers over the next few days.

The nature of what it allows attackers to do is extremely bad as well. If attackers manage to exploit it on an affected server, they can gain the ability to execute arbitrary code and take full control of a system. Also alarming, it is extremely easy to exploit.

Attackers need to write just one string to the log. After the string is written, they can then upload malicious code to the application. The reason for this is the compromised “message lookup substitution” function.

Also, working proofs of concept (PoC, see https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/) for this vulnerability are already available on the Internet.

The easiest workaround is to install the most recent version of the Apache Log4j library, 2.15.0. However, the problem is, most enterprises are using commercially available solutions and products that are using the Log4j library. It means you can’t just replace the library out of band (or at least not without official guidance), and patches will need to be released and tested.

Another workaround, documented directly by the Apache Foundation, applies to versions 2.10 to 2.14.1: they advise setting the log4j2.formatMsgNoLookups system property, or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable, to true.

So, what this means is that organizations will need to keep their ear to the ground on all discovered applications that use the Apache Log4j library and make sure they get the appropriate patches installed to remediate this vulnerability.
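For the discovery step and the two remediation options described above, here is an added example (not code from the original post, Apache or VMware) that walks a directory tree, finds log4j-core jars by file name, including one level inside .jar/.war/.ear archives, and labels each using the version bounds the article states. The function names `classify` and `scan` and the label strings are assumptions made for this sketch.

```python
import re
import zipfile
from pathlib import Path

# Triage labels; the version bounds below are the ones stated in the article.
OUTSIDE = "outside the 2.0-beta9..2.14.1 range"
UPGRADE_ONLY = "affected: upgrade (lookup property only applies from 2.10)"
WORKAROUND = "affected: upgrade, or set log4j2.formatMsgNoLookups=true"
FIXED = "2.15.0 or later"  # CVE-2021-44228 only; CVE-2021-45046 is not evaluated

# Matches log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, log4j-core-2.0-rc1.jar
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d+))?\.jar$")


def classify(name):
    """Return a triage label for a log4j-core jar name, or None for other files."""
    m = JAR_RE.search(name)
    if not m:
        return None
    ver = (int(m[1]), int(m[2]), int(m[3] or 0))
    tag, num = (m[4] or "").lower(), int(m[5] or 0)
    # 2.0 pre-releases older than beta9 fall before the affected range.
    if ver < (2, 0, 0) or (ver == (2, 0, 0) and (tag == "alpha" or (tag == "beta" and num < 9))):
        return OUTSIDE
    if ver >= (2, 15, 0):
        return FIXED
    return WORKAROUND if ver >= (2, 10, 0) else UPGRADE_ONLY


def scan(root):
    """Map each log4j-core jar under root (on disk or one level inside an archive) to a label."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in {".jar", ".war", ".ear"}:
            continue
        label = classify(path.name)
        if label:
            findings[str(path)] = label
            continue
        try:
            with zipfile.ZipFile(path) as archive:
                for entry in archive.namelist():
                    if classify(entry):
                        findings[f"{path}!{entry}"] = classify(entry)
        except zipfile.BadZipFile:
            findings[str(path)] = "unreadable archive: inspect manually"
    return findings
```

Call `scan("/path/to/application")` and review the returned mapping of locations to labels. Matching is by file name only, so copies of the library that were renamed, repackaged into another jar's classes, or nested more than one archive deep are not reported; for vendor appliances, follow the vendor's KB rather than swapping the jar.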

Critical Vulnerability in Apache Log4j CVE-2021-44228: Is VMware Affected?

Unfortunately, like many large software development companies, VMware is affected by this vulnerability. According to the official VMSA-2021-0028.1, the following products are known to be affected. However, keep in mind this list is in flux and may be extended:

  • VMware Horizon
  • VMware vCenter Server
  • VMware HCX
  • VMware NSX-T Data Center
  • VMware Unified Access Gateway
  • VMware WorkspaceOne Access
  • VMware Identity Manager 
  • VMware vRealize Operations
  • VMware vRealize Operations Cloud Proxy
  • VMware vRealize Log Insight
  • VMware vRealize Automation
  • VMware vRealize Lifecycle Manager
  • VMware Telco Cloud Automation
  • VMware Site Recovery Manager
  • VMware Carbon Black Cloud Workload Appliance
  • VMware Carbon Black EDR Server
  • VMware Tanzu GemFire
  • VMware Tanzu Greenplum
  • VMware Tanzu Operations Manager
  • VMware Tanzu Application Service for VMs
  • VMware Tanzu Kubernetes Grid Integrated Edition
  • VMware Tanzu Observability by Wavefront Nozzle
  • Healthwatch for Tanzu Application Service
  • Spring Cloud Services for VMware Tanzu
  • Spring Cloud Gateway for VMware Tanzu
  • Spring Cloud Gateway for Kubernetes
  • API Portal for VMware Tanzu
  • Single Sign-On for VMware Tanzu Application Service
  • App Metrics
  • VMware vCenter Cloud Gateway
  • VMware Tanzu SQL with MySQL for VMs
  • VMware vRealize Orchestrator
  • VMware Cloud Foundation
  • VMware Workspace ONE Access Connector
  • VMware Horizon DaaS
  • VMware Horizon Cloud Connector
  • (Additional products will be added)

Note the following workarounds listed in the official VMSA linked above, with the KB articles listed for the workarounds. Keep in mind the CVSSv3 rating is 10.0 (as bad as it can get).

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Horizon | 8.x, 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87073 | KB87073 | None |
| VMware vCenter Server | 7.x | Virtual Appliance | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 7.0U3c | KB87081 | None |
| VMware vCenter Server | 6.7.x | Virtual Appliance | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 6.7 U3q | KB87081 | None |
| VMware vCenter Server | 6.7.x | Windows | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 6.7 U3q | KB87096 | None |
| VMware vCenter Server | 6.5.x | Virtual Appliance | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 6.5 U3s | KB87081 | None |
| VMware vCenter Server | 6.5.x | Windows | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 6.5 U3s | KB87096 | None |
| VMware Cloud Foundation | 4.x, 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87095 | None |
| VMware HCX | 4.3 | Any | CVE-2021-44228, CVE-2021-45046 | N/A | N/A | Not Affected | N/A | N/A |
| VMware HCX | 4.2.x, 4.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 4.2.4 | KB87104 | None |
| VMware HCX | 4.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 4.1.0.3 | KB87104 | None |
| VMware NSX-T Data Center | 3.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.1.3.5 | KB87086 | None |
| VMware NSX-T Data Center | 3.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.0.3.1 | KB87086 | None |
| VMware NSX-T Data Center | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.5.3.4 | KB87086 | None |
| VMware Unified Access Gateway | 21.x, 20.x, 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2111.1 | KB87092 | None |
| VMware Workspace ONE Access | 21.x, 20.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87183 | KB87090 | None |
| VMware Identity Manager | 3.3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.3.6 | KB87093 | None |
| VMware Site Recovery Manager, vSphere Replication | 8.5.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.5.0.2 | KB87098 | None |
| VMware Site Recovery Manager, vSphere Replication | 8.4.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.4.0.4 | KB87098 | None |
| VMware Site Recovery Manager, vSphere Replication | 8.3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.3.1.5 | KB87098 | None |
| VMware vCenter Cloud Gateway | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87081 | KB87081 | None |
| VMware Workspace ONE Access Connector (VMware Identity Manager Connector) | 21.08.0.1, 21.08, 20.10, 19.03.0.1 | Windows | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87184 | KB87091 | None |
| VMware Horizon DaaS | 9.1.x, 9.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87101 | KB87101 | None |
| VMware Horizon Cloud Connector | 1.x, 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.1.2 | None | None |
| VMware NSX Data Center for vSphere | 6.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 6.4.12 | KB87099 | None |
| VMware AppDefense Appliance | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | N/A | UeX 109180 | None |
| VMware Cloud Director Object Storage Extension | 2.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.1.0.1 | KB87102 | None |
| VMware Cloud Director Object Storage Extension | 2.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.0.0.3 | KB87102 | None |
| VMware Telco Cloud Operations | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.4.0.1 | KB87143 | None |
| VMware Smart Assurance NCM | 10.1.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Patch Pending | KB87113 | None |
| VMware Smart Assurance SAM [Service Assurance Manager] | 10.1.0.x, 10.1.2, 10.1.5, | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 10.1.5.5 | KB87119 | None |
| VMware Integrated OpenStack | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 7.2 | KB87118 | None |
| VMware Cloud Provider Lifecycle Manager | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.2.0.1 | KB87142 | None |
| VMware SD-WAN VCO | 4.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87158 | KB87158 | None |
| VMware NSX Intelligence | 1.2.x, 1.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.2.1.1 | KB87150 | None |
| VMware Horizon Agents Installer | 21.x.x, 20.x.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87157 | KB87157 | None |
| VMware Smart Assurance M&R | 6.8u5, 7.0u8, 7.2.0.1 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87161 | KB87161 | None |

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Carbon Black Cloud Workload Appliance | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.1.2 | UeX 190167 | None |
| VMware Carbon Black EDR Server | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 7.6.1 | UeX 109183 | None |

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware vRealize Automation | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.6.2 | KB87120 | None |
| VMware vRealize Automation | 7.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB70911 | KB87121 | None |
| VMware vRealize Business for Cloud | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87539 | KB87127 | None |
| VMware vRealize Lifecycle Manager | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.6.2 | KB87097 | None |
| VMware vRealize Log Insight | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87519 | KB87089 | None |
| VMware vRealize Network Insight | 6.x, 5.3 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 6.5.1 | KB87135 | None |
| VMware vRealize Operations | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87076 | KB87076 | None |
| VMware vRealize Operations Cloud (Cloud Proxy) | Any | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | Q4FY22 Cloud Update | KB87080 | None |
| VMware vRealize Operations Tenant App for VMware Cloud Director | 2.5 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.5.1 | KB87187 | None |
| VMware vRealize Orchestrator | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 8.6.2 | KB87120 | None |
| VMware vRealize Orchestrator | 7.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB70629 | KB87122 | None |
| VMware vRealize True Visibility Suite | Any | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | KB87136 | KB87136 | None |

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| App Metrics | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.1.2 | None | None |
| API Portal for VMware Tanzu | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.0.8 | None | None |
| Healthwatch for Tanzu Application Service | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.1.8 | None | None |
| Healthwatch for Tanzu Application Service | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.8.7 | None | None |
| Single Sign-On for VMware Tanzu Application Service | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.14.6 | None | None |
| Spring Cloud Gateway for Kubernetes | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.0.7 | None | None |
| Spring Cloud Gateway for VMware Tanzu | 1.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.1.4 | None | None |
| Spring Cloud Gateway for VMware Tanzu | 1.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.0.19 | None | None |
| Spring Cloud Services for VMware Tanzu | 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.1.27 | None | None |
| Spring Cloud Services for VMware Tanzu | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.1.10 | None | None |
| VMware Greenplum Text | 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.8.1 | Article Number 13256 | None |
| VMware Harbor Container Registry for TKGI | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.4.1 | Article Number 13263 | None |
| VMware Tanzu Application Service for VMs | 2.12.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.12.5 | Article Number 13265 | None |
| VMware Tanzu Application Service for VMs | 2.11.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.11.12 | Article Number 13265 | None |
| VMware Tanzu Application Service for VMs | 2.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.10.24 | Article Number 13265 | None |
| VMware Tanzu Application Service for VMs | 2.9.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.9.30 | Article Number 13265 | None |
| VMware Tanzu Application Service for VMs | 2.8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.8.30 | Article Number 13265 | None |
| VMware Tanzu Application Service for VMs | 2.7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.7.44 | Article Number 13265 | None |
| VMware Tanzu GemFire | 9.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 9.10.13 | Article Number 13255 | None |
| VMware Tanzu GemFire | 9.9.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 9.9.7 | Article Number 13255 | None |
| VMware Tanzu GemFire for VMs | 1.14.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.14.2 | Article Number 13262 | None |
| VMware Tanzu GemFire for VMs | 1.13.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.13.5 | Article Number 13262 | None |
| VMware Tanzu GemFire for VMs | 1.12.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.12.4 | Article Number 13262 | None |
| VMware Tanzu Greenplum Platform Extension Framework | 6.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 6.2.1 | Article Number 13256 | None |
| VMware Tanzu Kubernetes Grid Integrated Edition | 1.13.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.13.1 | Article Number 13263 | None |
| VMware Tanzu Kubernetes Grid Integrated Edition | 1.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.10.8 | Article Number 13263 | None |
| VMware Tanzu Observability by Wavefront Nozzle | 3.x, 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 3.0.4 | None | None |
| VMware Tanzu Observability Proxy | 10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 10.12 | Article Number 13272 | None |
| VMware Tanzu Operations Manager | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 2.10.25 | Article Number 13264 | None |
| VMware Tanzu Scheduler | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | Critical | 1.6.1 | Article Number 13280 | None |

Wrapping Up

Folks, this critical vulnerability in Apache Log4j, CVE-2021-44228, is definitely one to pay attention to, as it affects products and solutions across the board. I suspect companies will be scrambling over the next few days to perform discovery of affected products. One thing is for sure: most vendors are affected, as they have used this particular library across solutions making use of embedded Java components. Stay tuned here as I will post more information as these details become available.


Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.
