Critical Vulnerability in Apache Log4j CVE-2021-44228 is VMware affected?

Well, unfortunately, it seems like we are ending the year with a dangerous critical vulnerability. Just a couple of days ago, a critical vulnerability in Apache Log4j, identified as CVE-2021-44228, was published. It is a bad one. We are going to take a brief look at what the vulnerability described in CVE-2021-44228 is exactly. Then we will look at whether VMware is affected by CVE-2021-44228 and which products, if any, may be vulnerable to this extremely nasty vulnerability.

Critical Vulnerability in Apache Log4j CVE 2021 44228

What is the cve-2021-44228 critical vulnerability?

The CVE-2021-44228 vulnerability is also referred to as Log4Shell or LogJam. It is a remote code execution vulnerability in the Apache Log4j library; specifically, all versions of Log4j from 2.0-beta9 through 2.14.1 are vulnerable. What is this library? It is a logging library maintained as part of the Apache Logging Project. The bad thing is that it is one of the most common and popular logging libraries used by Java developers.

It is embedded in software from large development companies whose products are used across the enterprise, including Amazon, Apple, Cisco, Cloudflare, Tesla, Twitter, and yes, VMware.

The bad thing is that this vulnerability is literally everywhere, and a patched version is not yet available for all of the products that use the library, which is dangerous. Given its popularity and prevalence, it will most likely be actively exploited over the next few days by attackers.

The nature of what it allows attackers to do is extremely bad as well. If attackers manage to exploit it on an affected server, they can gain the ability to execute arbitrary code and take full control of a system. Also alarming, it is extremely easy to exploit.

Attackers only need to get a single crafted string written to the log. Once that string is logged, they can get malicious code delivered to the application. The reason for this is Log4j's "message lookup substitution" feature, which expands lookup expressions found inside logged messages.

Also, there are already working proof-of-concept exploits available on the Internet for this vulnerability. See https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/

The easiest fix is to install the most recent version of the Apache Log4j library, 2.15.0. However, the problem is that most enterprises run commercially available solutions and products that bundle the Log4j library. That means you can't just replace the library out of band (or at least not without official guidance from the vendor), and vendor patches will need to be released and tested.

Another workaround, documented directly by the Apache Foundation for versions 2.10 through 2.14.1, is to set the log4j2.formatMsgNoLookups system property to true, or to set the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.

So, what this means is that organizations will need to keep their ear to the ground for every discovered application that uses the Apache Log4j library and make sure the appropriate patches get installed to remediate this vulnerability.
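The discovery step above, worked as an added example (not code from the post or from Apache): it finds log4j-core JARs under a directory, reads the version from each JAR manifest (falling back to the file name), and maps it to the remediation the text describes, 2.15.0 or later is fixed, 2.10 through 2.14.1 can use the formatMsgNoLookups workaround until patched, and 2.0-beta9 through 2.9.x has no documented workaround. It assumes the manifest carries an Implementation-Version header (most Maven-built JARs do) and builds its own constructed fixture JARs in a temp directory so it runs offline.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Boundaries from the advisory text: 2.0-beta9..2.14.1 affected, 2.15.0 fixed, workaround from 2.10.
FIRST_VULN, FIRST_FIXED, WORKAROUND_FROM = "2.0-beta9", "2.15.0", "2.10"
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release qualifiers, earliest first

def version_key(version):
    """Sort key: '2.0-beta9' < '2.0-rc1' < '2.0' < '2.0.1', and '2.10' == '2.10.0'."""
    base, _, pre = version.partition("-")
    nums = tuple(int(p) for p in base.split("."))
    nums += (0,) * (3 - len(nums))
    if not pre:
        return nums + (len(_PRE_RANK), 0)  # a release sorts after its own pre-releases
    m = re.fullmatch(r"([a-z]+)(\d*)", pre.lower())
    qual, num = (m.group(1), m.group(2)) if m else ("", "")
    return nums + (_PRE_RANK.get(qual, -1), int(num or 0))

def classify(version):
    """Map a log4j-core version to the remediation the advisory text calls for."""
    k = version_key(version)
    if k >= version_key(FIRST_FIXED):
        return "fixed"
    if k < version_key(FIRST_VULN):
        return "outside-affected-range"
    if k >= version_key(WORKAROUND_FROM):
        return "vulnerable-workaround-available"  # set formatMsgNoLookups until patched
    return "vulnerable-upgrade-required"  # no documented workaround for these versions

def jar_version(jar_path):
    """Version from the manifest's Implementation-Version, else from the file name."""
    with zipfile.ZipFile(jar_path) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode() if "META-INF/MANIFEST.MF" in jar.namelist() else ""
    m = (re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
         or re.fullmatch(r"log4j-core-(.+)\.jar", Path(jar_path).name))
    return m.group(1) if m else None

def scan(root):
    """Find every log4j-core JAR below root and classify it."""
    return {str(p): (classify(v) if (v := jar_version(p)) else "unknown-version")
            for p in Path(root).rglob("log4j-core-*.jar")}

def demo():
    """Constructed fixture: two manifest-only JARs in a temp dir, one vulnerable and one fixed."""
    root = Path(tempfile.mkdtemp())
    for v in ("2.14.1", "2.15.0"):
        with zipfile.ZipFile(root / f"log4j-core-{v}.jar", "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {v}\n")
    return {Path(p).name: c for p, c in scan(root).items()}
```

Point scan() at an application's install directory to get a per-JAR verdict; JARs nested inside WAR or EAR archives need to be unpacked first, which this example does not do.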

Critical Vulnerability in Apache Log4j CVE-2021-44228 is VMware affected?

Unfortunately, like many large software development companies, VMware is affected by this vulnerability. According to the official VMSA-2021-0028.1, the following products are known to be affected. However, keep in mind this list is in flux and may be extended:
  • VMware Horizon
  • VMware vCenter Server
  • VMware HCX
  • VMware NSX-T Data Center
  • VMware Unified Access Gateway
  • VMware WorkspaceOne Access
  • VMware Identity Manager 
  • VMware vRealize Operations
  • VMware vRealize Operations Cloud Proxy
  • VMware vRealize Log Insight
  • VMware vRealize Automation
  • VMware vRealize Lifecycle Manager
  • VMware Telco Cloud Automation
  • VMware Site Recovery Manager
  • VMware Carbon Black Cloud Workload Appliance
  • VMware Carbon Black EDR Server
  • VMware Tanzu GemFire
  • VMware Tanzu Greenplum
  • VMware Tanzu Operations Manager
  • VMware Tanzu Application Service for VMs
  • VMware Tanzu Kubernetes Grid Integrated Edition
  • VMware Tanzu Observability by Wavefront Nozzle
  • Healthwatch for Tanzu Application Service
  • Spring Cloud Services for VMware Tanzu
  • Spring Cloud Gateway for VMware Tanzu
  • Spring Cloud Gateway for Kubernetes
  • API Portal for VMware Tanzu
  • Single Sign-On for VMware Tanzu Application Service
  • App Metrics
  • VMware vCenter Cloud Gateway
  • VMware Tanzu SQL with MySQL for VMs
  • VMware vRealize Orchestrator
  • VMware Cloud Foundation
  • VMware Workspace ONE Access Connector
  • VMware Horizon DaaS
  • VMware Horizon Cloud Connector
  • (Additional products will be added)

Note the following workarounds listed in the official VMSA linked above, with the KB articles listed for the workarounds. Keep in mind the CVSSv3 rating is 10.0 (as bad as it can get).
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Horizon | 8.x, 7.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87073 | None |
| VMware vCenter Server | 7.x, 6.7.x, 6.5.x | Virtual Appliance | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87081 | None |
| VMware vCenter Server | 6.7.x, 6.5.x | Windows | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87096 | None |
| VMware HCX | 4.2.x, 4.0.x | Any | CVE-2021-44228 | 10.0 | Critical | 4.2.3 | Workaround Pending | None |
| VMware HCX | 4.1.x | Any | CVE-2021-44228 | 10.0 | Critical | 4.1.0.2 | Workaround Pending | None |
| VMware NSX-T Data Center | 3.x, 2.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87086 | None |
| VMware Unified Access Gateway | 21.x, 20.x, 3.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87092 | None |
| VMware Workspace ONE Access | 21.x, 20.10.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87090 | None |
| VMware Identity Manager | 3.3.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87093 | None |
| VMware vRealize Operations | 8.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87076 | None |
| VMware vRealize Operations Cloud Proxy | Any | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87080 | None |
| VMware vRealize Automation | 8.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87120 | None |
| VMware vRealize Automation | 7.6 | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87121 | None |
| VMware vRealize Lifecycle Manager | 8.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87097 | None |
| VMware Carbon Black Cloud Workload Appliance | 1.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | UeX 109167 | None |
| VMware Carbon Black EDR Server | 7.x, 6.x | Any | CVE-2021-44228 | 10.0 | Critical | 7.6.0 | UeX 109168 | None |
| VMware Site Recovery Manager, vSphere Replication | 8.3, 8.4, 8.5 | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87098 | None |
| VMware Tanzu GemFire | 9.x, 8.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | Article Number 13262 | None |
| VMware Tanzu Greenplum | 6.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | Article Number 13256 | None |
| VMware Tanzu Operations Manager | 2.x | Any | CVE-2021-44228 | 10.0 | Critical | 2.10.23 | Article Number 13264 | None |
| VMware Tanzu Application Service for VMs | 2.x | Any | CVE-2021-44228 | 10.0 | Critical | 2.7.42, 2.10.22, 2.11.10, 2.12.3 | Article Number 13265 | None |
| VMware Tanzu Kubernetes Grid Integrated Edition | 1.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | Article Number 13263 | None |
| VMware Tanzu Observability by Wavefront Nozzle | 3.x, 2.x | Any | CVE-2021-44228 | 10.0 | Critical | 3.0.3 | None | None |
| Healthwatch for Tanzu Application Service | 2.x | Any | CVE-2021-44228 | 10.0 | Critical | 2.1.7 | None | None |
| Healthwatch for Tanzu Application Service | 1.x | Any | CVE-2021-44228 | 10.0 | Critical | 1.8.6 | None | None |
| Spring Cloud Services for VMware Tanzu | 3.x | Any | CVE-2021-44228 | 10.0 | Critical | 3.1.26 | None | None |
| Spring Cloud Gateway for VMware Tanzu | 1.x | Any | CVE-2021-44228 | 10.0 | Critical | 1.1.3 | Workaround Pending | None |
| Spring Cloud Gateway for Kubernetes | 1.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | Workaround Pending | None |
| API Portal for VMware Tanzu | 1.x | Any | CVE-2021-44228 | 10.0 | Critical | 1.0.7 | Workaround Pending | None |
| Single Sign-On for VMware Tanzu Application Service | 1.x | Any | CVE-2021-44228 | 10.0 | Critical | 1.14.5 | Workaround Pending | None |
| App Metrics | 2.x | Any | CVE-2021-44228 | 10.0 | Critical | 2.1.1 | None | None |
| VMware vCenter Cloud Gateway | 1.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87081 | None |
| VMware vRealize Orchestrator | 8.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87120 | None |
| VMware vRealize Orchestrator | 7.6 | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87122 | None |
| VMware Cloud Foundation | 4.x, 3.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87095 | None |
| VMware Workspace ONE Access Connector (VMware Identity Manager Connector) | 21.x, 20.10.x, 19.03.0.1 | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87091 | None |
| VMware Horizon DaaS | 9.1.x, 9.0.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87101 | None |
| VMware Horizon Cloud Connector | 1.x, 2.x | Any | CVE-2021-44228 | 10.0 | Critical | 2.1.1 | None | None |
| VMware NSX Data Center for vSphere | 6.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87099 | None |
| VMware AppDefense Appliance | 2.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | UeX 109180 | None |
| VMware Cloud Director Object Storage Extension | 2.1.x | Any | CVE-2021-44228 | 10.0 | Critical | 2.1.0.1 | Workaround Pending | None |
| VMware Cloud Director Object Storage Extension | 2.0.x | Any | CVE-2021-44228 | 10.0 | Critical | 2.0.0.3 | Workaround Pending | None |
| VMware Telco Cloud Operations | 1.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | Workaround Pending | None |
| VMware vRealize Log Insight | 8.2, 8.3, 8.4, 8.6 | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | KB87089 | None |
| VMware Tanzu Scheduler | 1.x | Any | CVE-2021-44228 | 10.0 | Critical | Patch Pending | Article Number 13280 | None |

Wrapping Up

Folks, this critical vulnerability in Apache Log4j, CVE-2021-44228, is definitely one to pay attention to, as it affects products and solutions across the board. I suspect companies will be scrambling over the next few days to discover which of their products are affected. One thing is for sure: most vendors are affected, as they have used this particular library across solutions that embed Java components. Stay tuned here, as I will post more information as these details become available.
