Security

VMware Horizon Log4j patch workaround

The fallout from the Log4j vulnerability continues to make ripples across organizations at the time of year when the last thing many want to hear about is a major security bug. Nonetheless, businesses are having to scramble to remediate and patch systems that are used for business productivity and business continuity for the hybrid workforce. VMware Horizon certainly falls into that category as many organizations rely on Horizon technology as the core of their remote connectivity infrastructure. While VMware has not released

What you should know about patching your VMware Horizon environment

Patching your VMware Horizon environment is not a simple task of patching one server and you are done. Horizon has a wide range of components that are spread across many different locations of your infrastructure, including:

  • Unfied Access Gateways – normally in a DMZ or exposed to the Internet
  • Horizon Connection Servers – postioned in the internal network
  • Horizon Agents – loaded across both physical workstations and virtual machines that are targets of Horizon Connection Pools

Needless to say, there are several parts and pieces to getting your VMware Horizon infrastructure fully patched and mitigating the Log4j vulnerability.

VMware Horizon Log4j patch workaround

To level-set, there are no officially released patched versions of VMware Horizon as of yet. When thinking about your VMware Horizon Log4j patch workaround steps, you will need to think about all the VMware Horizon infrastructure you have available in your environment, including the above-mentioned UAGs, Connection Servers, and Horizon Agents.

All of these are vulnerable in the “stock” form across even the latest versions. There are some notes to make regarding the patch workaround for VMware Horizon. Let’s start from the outside and work our way inward.

Unified Access Gateways (UAGs)

VMware has done a great job of providing scripts to implement the workarounds for remediating the Log4j vulnerability. With the UAGs, there is a KB containing the steps to manually mitigate the Log4j vulnerability and an automated script to apply the workaround automatically.

Basically, the workflow for the script is simple:

  • Download the script
  • Upload it to your UAG boxes
  • chmod +x the file
  • Run the script
Running the Log4j remediation script on VMware Unified Access Gateways UAGs
Running the Log4j remediation script on VMware Unified Access Gateways UAGs

Horizon Connection Servers and Horizon Agents

For the Horizon Connection Servers and Horizon Agents, the relevant VMware KB article is found at:

Log4j CVE-2021-44228 and CVE-2021-45046 in VMware Horizon and VMware Horizon Agent (on-premises) (87073)

Again, VMware has made a script available to remediate the VMware Horizon Connection Servers and Agents. This is a batch file that you download as part of a .ZIP file. Extract the file and then run the batch file. It will show the message below about the need to stop the connection server.

Patching VMware Horizon Connection Servers for Log4j vulnerability
Patching VMware Horizon Connection Servers for Log4j vulnerability

The importance of getting your Horizon environment patched

This is a statement of the obvious – it is extremely important to get your VMware Horizon environment patched. Arguably, it is even more important than other VMware products simply from the standpoint that Horizon provides externally facing services that make it even more critical as the bad guys will have much easier access to unpatched services that are public-facing.

Getting these patched as soon as possible is urgently important. In fact with organizations running many VMware services and solutions, it may be a good idea to prioritize these based on those services that are externally facing and work your way inward to other services and solutions that are affected.

Wrapping Up

Be sure to check out my link below to the matrix provided by VMware showing the current workaround links and patches (if available) for all the major VMware products and solutions:

VMware is continuing to update the table of products and solutions with the latest workarounds and patches when these are released so it will be imperative for customers to continue checking out the guidance frequently.

Subscribe to VirtualizationHowto via Email 🔔

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.