• Insights

VMware Security Advisory for Apache CVE-2021-44228 (Log4j)

Jeff Silverman

4 min read

All Insights

VMware Security Advisory for Apache CVE-2021-44228

A critical vulnerability in Apache Log4j2, if exploited, may allow for remote code execution in impacted VMware products.

 

Affected versions

The following products are impacted and are being evaluated:

  • VMware Horizon
  • VMware vCenter Server
  • VMware HCX
  • VMware NSX-T Data Center
  • VMware Unified Access Gateway
  • VMware WorkspaceOne Access
  • VMware Identity Manager
  • VMware vRealize Operations
  • VMware vRealize Operations Cloud Proxy
  • VMware vRealize Automation
  • VMware vRealize Lifecycle Manager
  • VMware Site Recovery Manager, vSphere Replication
  • VMware Carbon Black Cloud Workload Appliance
  • VMware Carbon Black EDR Server
  • VMware Tanzu GemFire
  • VMware Tanzu Greenplum
  • VMware Tanzu Operations Manager
  • VMware Tanzu Application Service for VMs
  • VMware Tanzu Kubernetes Grid Integrated Edition
  • VMware Tanzu Observability by Wavefront Nozzle
  • Healthwatch for Tanzu Application Service
  • Spring Cloud Services for VMware Tanzu
  • Spring Cloud Gateway for VMware Tanzu
  • Spring Cloud Gateway for Kubernetes
  • API Portal for VMware Tanzu
  • Single Sign-On for VMware Tanzu Application Service
  • App Metrics
  • VMware vCenter Cloud Gateway
  • VMware vRealize Orchestrator
  • VMware Cloud Foundation
  • VMware Workspace ONE Access Connector
  • VMware Horizon DaaS
  • VMware Horizon Cloud Connector
  • VMware NSX Data Center for vSphere
  • VMware AppDefense Appliance
  • VMware Cloud Director Object Storage Extension
  • VMware Telco Cloud Operations
  • VMware vRealize Log Insight
  • VMware Tanzu Scheduler
  • VMware Smart Assurance NCM
  • VMware Smart Assurance SAM [Service Assurance Manager]
  • VMware Integrated OpenStack
  • VMware vRealize Business for Cloud
  • (Additional products will be added)

 

Recommended Action

 

Customers should consider the following actions:

  • Apply Workarounds to impacted products, if available.
  • Update impacted products to Fixed Versions, if available.
  • Monitor the VMware article in the More Information section below for updates.

 

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
VMware Horizon 8.x, 7.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87073 None
VMware vCenter Server 7.x, 6.7.x, 6.5.x Virtual Appliance CVE-2021-44228 10.0 Critical

 

Patch Pending KB87081 None
VMware vCenter Server 6.7.x, 6.5.x Windows CVE-2021-44228 10.0 Critical

 

Patch Pending KB87096 None
VMware HCX 4.2.x, 4.0.x Any CVE-2021-44228 10.0 Critical

 

4.2.3 Workaround Pending KB87104
VMware HCX 4.1.x Any CVE-2021-44228 10.0 Critical

 

4.1.0.2 Workaround Pending KB87104
VMware NSX-T Data Center 3.x, 2.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87086 None
VMware Unified Access Gateway 21.x, 20.x, 3.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87092 None
VMware Workspace ONE Access 21.x, 20.10.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87090 None
VMware Identity Manager 3.3.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87093 None
VMware vRealize Operations 8.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87076 None
VMware vRealize Operations Cloud Proxy Any Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87080 None
VMware vRealize Automation 8.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87120 None
VMware vRealize Automation 7.6 Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87121 None
VMware vRealize Lifecycle Manager 8.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87097 None
VMware Carbon Black Cloud Workload Appliance 1.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending UeX 109167 None
VMware Carbon Black EDR Server 7.x, 6.x Any CVE-2021-44228 10.0 Critical

 

7.6.0 UeX 109168 None
VMware Site Recovery Manager, vSphere Replication 8.3, 8.4, 8.5 Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87098 None
VMware Tanzu GemFire 1.14.x, 1.13.x, 1.10.x Any CVE-2021-44228 10.0 Critical

 

1.14.1, 1.13.4 Article Number 13262 None
VMware Tanzu Greenplum 6.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending Article Number 13256 None
VMware Tanzu Operations Manager 2.x Any CVE-2021-44228 10.0 Critical

 

2.10.23 Article Number 13264 None
VMware Tanzu Application Service for VMs 2.x Any CVE-2021-44228 10.0 Critical

 

2.7.42, 2.10.22, 2.11.10, 2.12.3 Article Number 13265 None
VMware Tanzu Kubernetes Grid Integrated Edition 1.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending Article Number 13263 None
VMware Tanzu Observability by Wavefront Nozzle 3.x, 2.x Any CVE-2021-44228 10.0 Critical

 

3.0.3 None None
Healthwatch for Tanzu Application Service 2.x Any CVE-2021-44228 10.0 Critical

 

2.1.7 None None
Healthwatch for Tanzu Application Service 1.x Any CVE-2021-44228 10.0 Critical

 

1.8.6 None None
Spring Cloud Services for VMware Tanzu 3.x Any CVE-2021-44228 10.0 Critical

 

3.1.26 None None
Spring Cloud Gateway for VMware Tanzu 1.x Any CVE-2021-44228 10.0 Critical

 

1.1.3 Workaround Pending None
Spring Cloud Gateway for Kubernetes 1.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending Workaround Pending None
API Portal for VMware Tanzu 1.x Any CVE-2021-44228 10.0 Critical

 

1.0.7 Workaround Pending None
Single Sign-On for VMware Tanzu Application Service 1.x Any CVE-2021-44228 10.0 Critical

 

1.14.5 Workaround Pending None
App Metrics 2.x Any CVE-2021-44228 10.0 Critical

 

2.1.1 None None
VMware vCenter Cloud Gateway 1.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87081 None
VMware vRealize Orchestrator 8.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87120 None
VMware vRealize Orchestrator 7.6 Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87122 None
VMware Cloud Foundation 4.x, 3.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87095 None
VMware Workspace ONE Access Connector (VMware Identity Manager Connector) 21.x, 20.10.x, 19.03.0.1 Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87091 None
VMware Horizon DaaS 9.1.x, 9.0.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87101 None
VMware Horizon Cloud Connector 1.x, 2.x Any CVE-2021-44228 10.0 Critical

 

2.1.1 None None
VMware NSX Data Center for vSphere 6.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87099 None
VMware AppDefense Appliance 2.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending UeX 109180 None
VMware Cloud Director Object Storage Extension 2.1.x Any CVE-2021-44228 10.0 Critical

 

2.1.0.1 Workaround Pending None
VMware Cloud Director Object Storage Extension 2.0.x Any CVE-2021-44228 10.0 Critical

 

2.0.0.3 Workaround Pending None
VMware Telco Cloud Operations 1.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending Workaround Pending None
VMware vRealize Log Insight 8.2, 8.3, 8.4, 8.6 Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87089 None
VMware Tanzu Scheduler 1.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending Article Number 13280 None
VMware Smart Assurance NCM 10.1.6 Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87113 None
VMware Smart Assurance SAM [Service Assurance Manager] 10.1.2, 10.1.5 Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87119 None
VMware Integrated OpenStack 7.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87118 None
VMware vRealize Business for Cloud 7.x Any CVE-2021-44228 10.0 Critical

 

Patch Pending KB87127 None

 

 

More Information

https://www.vmware.com/security/advisories/VMSA-2021-0028.html

 

Please contact Kraft Kennedy if you need assistance.