VMware Security Advisory for Apache CVE-2021-44228
A critical vulnerability in Apache Log4j2, if exploited, may allow for remote code execution in impacted VMware products.
Affected versions
The following products are impacted and are being evaluated:
- VMware Horizon
- VMware vCenter Server
- VMware HCX
- VMware NSX-T Data Center
- VMware Unified Access Gateway
- VMware WorkspaceOne Access
- VMware Identity Manager
- VMware vRealize Operations
- VMware vRealize Operations Cloud Proxy
- VMware vRealize Automation
- VMware vRealize Lifecycle Manager
- VMware Site Recovery Manager, vSphere Replication
- VMware Carbon Black Cloud Workload Appliance
- VMware Carbon Black EDR Server
- VMware Tanzu GemFire
- VMware Tanzu Greenplum
- VMware Tanzu Operations Manager
- VMware Tanzu Application Service for VMs
- VMware Tanzu Kubernetes Grid Integrated Edition
- VMware Tanzu Observability by Wavefront Nozzle
- Healthwatch for Tanzu Application Service
- Spring Cloud Services for VMware Tanzu
- Spring Cloud Gateway for VMware Tanzu
- Spring Cloud Gateway for Kubernetes
- API Portal for VMware Tanzu
- Single Sign-On for VMware Tanzu Application Service
- App Metrics
- VMware vCenter Cloud Gateway
- VMware vRealize Orchestrator
- VMware Cloud Foundation
- VMware Workspace ONE Access Connector
- VMware Horizon DaaS
- VMware Horizon Cloud Connector
- VMware NSX Data Center for vSphere
- VMware AppDefense Appliance
- VMware Cloud Director Object Storage Extension
- VMware Telco Cloud Operations
- VMware vRealize Log Insight
- VMware Tanzu Scheduler
- VMware Smart Assurance NCM
- VMware Smart Assurance SAM [Service Assurance Manager]
- VMware Integrated OpenStack
- VMware vRealize Business for Cloud
- (Additional products will be added)
Recommended Action
Customers should consider the following actions:
- Apply Workarounds to impacted products, if available.
- Update impacted products to Fixed Versions, if available.
- Monitor the VMware article in the More Information section below for updates.
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
VMware Horizon | 8.x, 7.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87073 | None |
VMware vCenter Server | 7.x, 6.7.x, 6.5.x | Virtual Appliance | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87081 | None |
VMware vCenter Server | 6.7.x, 6.5.x | Windows | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87096 | None |
VMware HCX | 4.2.x, 4.0.x | Any | CVE-2021-44228 | 10.0 | Critical
|
4.2.3 | Workaround Pending | KB87104 |
VMware HCX | 4.1.x | Any | CVE-2021-44228 | 10.0 | Critical
|
4.1.0.2 | Workaround Pending | KB87104 |
VMware NSX-T Data Center | 3.x, 2.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87086 | None |
VMware Unified Access Gateway | 21.x, 20.x, 3.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87092 | None |
VMware Workspace ONE Access | 21.x, 20.10.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87090 | None |
VMware Identity Manager | 3.3.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87093 | None |
VMware vRealize Operations | 8.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87076 | None |
VMware vRealize Operations Cloud Proxy | Any | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87080 | None |
VMware vRealize Automation | 8.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87120 | None |
VMware vRealize Automation | 7.6 | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87121 | None |
VMware vRealize Lifecycle Manager | 8.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87097 | None |
VMware Carbon Black Cloud Workload Appliance | 1.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | UeX 109167 | None |
VMware Carbon Black EDR Server | 7.x, 6.x | Any | CVE-2021-44228 | 10.0 | Critical
|
7.6.0 | UeX 109168 | None |
VMware Site Recovery Manager, vSphere Replication | 8.3, 8.4, 8.5 | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87098 | None |
VMware Tanzu GemFire | 1.14.x, 1.13.x, 1.10.x | Any | CVE-2021-44228 | 10.0 | Critical
|
1.14.1, 1.13.4 | Article Number 13262 | None |
VMware Tanzu Greenplum | 6.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | Article Number 13256 | None |
VMware Tanzu Operations Manager | 2.x | Any | CVE-2021-44228 | 10.0 | Critical
|
2.10.23 | Article Number 13264 | None |
VMware Tanzu Application Service for VMs | 2.x | Any | CVE-2021-44228 | 10.0 | Critical
|
2.7.42, 2.10.22, 2.11.10, 2.12.3 | Article Number 13265 | None |
VMware Tanzu Kubernetes Grid Integrated Edition | 1.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | Article Number 13263 | None |
VMware Tanzu Observability by Wavefront Nozzle | 3.x, 2.x | Any | CVE-2021-44228 | 10.0 | Critical
|
3.0.3 | None | None |
Healthwatch for Tanzu Application Service | 2.x | Any | CVE-2021-44228 | 10.0 | Critical
|
2.1.7 | None | None |
Healthwatch for Tanzu Application Service | 1.x | Any | CVE-2021-44228 | 10.0 | Critical
|
1.8.6 | None | None |
Spring Cloud Services for VMware Tanzu | 3.x | Any | CVE-2021-44228 | 10.0 | Critical
|
3.1.26 | None | None |
Spring Cloud Gateway for VMware Tanzu | 1.x | Any | CVE-2021-44228 | 10.0 | Critical
|
1.1.3 | Workaround Pending | None |
Spring Cloud Gateway for Kubernetes | 1.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | Workaround Pending | None |
API Portal for VMware Tanzu | 1.x | Any | CVE-2021-44228 | 10.0 | Critical
|
1.0.7 | Workaround Pending | None |
Single Sign-On for VMware Tanzu Application Service | 1.x | Any | CVE-2021-44228 | 10.0 | Critical
|
1.14.5 | Workaround Pending | None |
App Metrics | 2.x | Any | CVE-2021-44228 | 10.0 | Critical
|
2.1.1 | None | None |
VMware vCenter Cloud Gateway | 1.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87081 | None |
VMware vRealize Orchestrator | 8.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87120 | None |
VMware vRealize Orchestrator | 7.6 | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87122 | None |
VMware Cloud Foundation | 4.x, 3.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87095 | None |
VMware Workspace ONE Access Connector (VMware Identity Manager Connector) | 21.x, 20.10.x, 19.03.0.1 | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87091 | None |
VMware Horizon DaaS | 9.1.x, 9.0.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87101 | None |
VMware Horizon Cloud Connector | 1.x, 2.x | Any | CVE-2021-44228 | 10.0 | Critical
|
2.1.1 | None | None |
VMware NSX Data Center for vSphere | 6.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87099 | None |
VMware AppDefense Appliance | 2.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | UeX 109180 | None |
VMware Cloud Director Object Storage Extension | 2.1.x | Any | CVE-2021-44228 | 10.0 | Critical
|
2.1.0.1 | Workaround Pending | None |
VMware Cloud Director Object Storage Extension | 2.0.x | Any | CVE-2021-44228 | 10.0 | Critical
|
2.0.0.3 | Workaround Pending | None |
VMware Telco Cloud Operations | 1.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | Workaround Pending | None |
VMware vRealize Log Insight | 8.2, 8.3, 8.4, 8.6 | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87089 | None |
VMware Tanzu Scheduler | 1.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | Article Number 13280 | None |
VMware Smart Assurance NCM | 10.1.6 | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87113 | None |
VMware Smart Assurance SAM [Service Assurance Manager] | 10.1.2, 10.1.5 | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87119 | None |
VMware Integrated OpenStack | 7.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87118 | None |
VMware vRealize Business for Cloud | 7.x | Any | CVE-2021-44228 | 10.0 | Critical
|
Patch Pending | KB87127 | None |
More Information
https://www.vmware.com/security/advisories/VMSA-2021-0028.html
Please contact Kraft Kennedy if you need assistance.