Critical Vulnerability in Apache Log4j CVE-2021-44228 is VMware affected?

Well, unfortunately, it seems like we are ending the year on a dangerous critical vulnerability. Just a couple of days ago, a critical vulnerability in Apache Log4j identified by CVE-2021-44228 was posted. It is a bad one. We are going to take a brief look at what the vulnerability described in CVE-2021-44228 is exactly. Also, we will look at critical vulnerability in Apache Log4j CVE-2021-44228 is VMware affected to see what if any products may be vulnerable to this extremely nasty vulnerability.

                                Critical Vulnerability in Apache Log4j CVE 2021 44228

What is the cve-2021-44228 critical vulnerability?

The CVE-2021-44228 vulnerability is also referred to as Log4Shell or LogJam. It is a remote execution vulnerability that affects Apache Log4J library, specifically all versions of Log4j are vulnerable, starting from 2.0-beta9 to 2.14.1. What is this library? It is a library that is used as part of the Apache Logging Project. The bad thing is this is one of the most common and popular logging libraries used by Java developers.

It includes libraries that are used by large software development companies that are used across the enterprise, including Amazon, Apple, Cisco, Cloudflare, Tesla, Twitter, and yes, VMware.

The bad thing is this vulnerability is literally everywhere and a patched version of code is not available as of yet to all products that are using it, which is dangerous. Most likely due to its popularity and prevalence everywhere, it will be actively exploited over the next few days by attackers.

The nature of what it allows attackers to do is extremely bad as well. If attackers manage to exploit it on an affected server, they can gain the ability to execute arbitrary code and take full control of a system. Also alarming, it is extremely easy to exploit.

Attackers only need to write just one string to the log. After the string is written, they can then upload malicious code to the application. The reason for this is the compromised “message lookup substitution” function.

Also, there are already working concepts available on the Internet for this vulnerability. See https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/

The easiest workaround is to install the most recent version of the Apache Log4j library, 2.15.0. However, the problem is, most enterprises are using commercially available solutions and products that are using the Log4j library. It means you can’t just replace the library out of band (or at least not without official guidance), and patches will need to be released and tested.

Another workaround that is documented as a workaround, directly from the Apache Foundation is from 2.10 to 2.14.1, they advise setting the log4j2.formatMsgNoLookups system property, or setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.

So, what this means is organizations will need to keep their ear to the ground on all discovered applications that are using the Apache Log4j library and make sure they get the appropriate patches installed the remediate this vulnerability.

Critical Vulnerability in Apache Log4j CVE-2021-44228 is VMware affected?

Unfortunately, like many large software development companies, VMware is affected by this vulnerability. According to the official VMSA-2021-0028.1, the following products are known as affected. However, keep in mind this list is in flux and may be extended:

• VMware Horizon
• VMware vCenter Server
• VMware HCX
• VMware NSX-T Data Center
• VMware Unified Access Gateway
• VMware WorkspaceOne Access
• VMware Identity Manager 
• VMware vRealize Operations
• VMware vRealize Operations Cloud Proxy
• VMware vRealize Log Insight
• VMware vRealize Automation
• VMware vRealize Lifecycle Manager
• VMware Telco Cloud Automation
• VMware Site Recovery Manager
• VMware Carbon Black Cloud Workload Appliance
• VMware Carbon Black EDR Server
• VMware Tanzu GemFire
• VMware Tanzu Greenplum
• VMware Tanzu Operations Manager
• VMware Tanzu Application Service for VMs
• VMware Tanzu Kubernetes Grid Integrated Edition
• VMware Tanzu Observability by Wavefront Nozzle
• Healthwatch for Tanzu Application Service
• Spring Cloud Services for VMware Tanzu
• Spring Cloud Gateway for VMware Tanzu
• Spring Cloud Gateway for Kubernetes
• API Portal for VMware Tanzu
• Single Sign-On for VMware Tanzu Application Service
• App Metrics
• VMware vCenter Cloud Gateway
• VMware Tanzu SQL with MySQL for VMs
• VMware vRealize Orchestrator
• VMware Cloud Foundation
• VMware Workspace ONE Access Connector
• VMware Horizon DaaS
• VMware Horizon Cloud Connector
• (Additional products will be added)

Note the following workarounds listed in the official VMSA linked above, with the KB articles listed for the workarounds. Keep in mind the CVSSv3 rating is 10.0 (as bad as it can get).

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
VMware Horizon	8.x, 7.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87073	None
VMware vCenter Server	7.x, 6.7.x, 6.5.x	Virtual Appliance	CVE-2021-44228	10.0	Critical	Patch Pending	KB87081	None
VMware vCenter Server	6.7.x, 6.5.x	Windows	CVE-2021-44228	10.0	Critical	Patch Pending	KB87096	None
VMware HCX	4.2.x, 4.0.x	Any	CVE-2021-44228	10.0	Critical	4.2.3	Workaround Pending	None
VMware HCX	4.1.x	Any	CVE-2021-44228	10.0	Critical	4.1.0.2	Workaround Pending	None
VMware NSX-T Data Center	3.x, 2.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87086	None
VMware Unified Access Gateway	21.x, 20.x, 3.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87092	None
VMware Workspace ONE Access	21.x, 20.10.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87090	None
VMware Identity Manager	3.3.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87093	None
VMware vRealize Operations	8.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87076	None
VMware vRealize Operations Cloud Proxy	Any	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87080	None
VMware vRealize Automation	8.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87120	None
VMware vRealize Automation	7.6	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87121	None
VMware vRealize Lifecycle Manager	8.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87097	None
VMware Carbon Black Cloud Workload Appliance	1.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	UeX 109167	None
VMware Carbon Black EDR Server	7.x, 6.x	Any	CVE-2021-44228	10.0	Critical	7.6.0	UeX 109168	None
VMware Site Recovery Manager, vSphere Replication	8.3, 8.4, 8.5	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87098	None
VMware Tanzu GemFire	9.x, 8.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	Article Number 13262	None
VMware Tanzu Greenplum	6.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	Article Number 13256	None
VMware Tanzu Operations Manager	2.x	Any	CVE-2021-44228	10.0	Critical	2.10.23	Article Number 13264	None
VMware Tanzu Application Service for VMs	2.x	Any	CVE-2021-44228	10.0	Critical	2.7.42, 2.10.22, 2.11.10, 2.12.3	Article Number 13265	None
VMware Tanzu Kubernetes Grid Integrated Edition	1.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	Article Number 13263	None
VMware Tanzu Observability by Wavefront Nozzle	3.x, 2.x	Any	CVE-2021-44228	10.0	Critical	3.0.3	None	None
Healthwatch for Tanzu Application Service	2.x	Any	CVE-2021-44228	10.0	Critical	2.1.7	None	None
Healthwatch for Tanzu Application Service	1.x	Any	CVE-2021-44228	10.0	Critical	1.8.6	None	None
Spring Cloud Services for VMware Tanzu	3.x	Any	CVE-2021-44228	10.0	Critical	3.1.26	None	None
Spring Cloud Gateway for VMware Tanzu	1.x	Any	CVE-2021-44228	10.0	Critical	1.1.3	Workaround Pending	None
Spring Cloud Gateway for Kubernetes	1.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	Workaround Pending	None
API Portal for VMware Tanzu	1.x	Any	CVE-2021-44228	10.0	Critical	1.0.7	Workaround Pending	None
Single Sign-On for VMware Tanzu Application Service	1.x	Any	CVE-2021-44228	10.0	Critical	1.14.5	Workaround Pending	None
App Metrics	2.x	Any	CVE-2021-44228	10.0	Critical	2.1.1	None	None
VMware vCenter Cloud Gateway	1.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87081	None
VMware vRealize Orchestrator	8.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87120	None
VMware vRealize Orchestrator	7.6	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87122	None
VMware Cloud Foundation	4.x, 3.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87095	None
VMware Workspace ONE Access Connector (VMware Identity Manager Connector)	21.x, 20.10.x, 19.03.0.1	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87091	None
VMware Horizon DaaS	9.1.x, 9.0.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87101	None
VMware Horizon Cloud Connector	1.x, 2.x	Any	CVE-2021-44228	10.0	Critical	2.1.1	None	None
VMware NSX Data Center for vSphere	6.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87099	None
VMware AppDefense Appliance	2.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	UeX 109180	None
VMware Cloud Director Object Storage Extension	2.1.x	Any	CVE-2021-44228	10.0	Critical	2.1.0.1	Workaround Pending	None
VMware Cloud Director Object Storage Extension	2.0.x	Any	CVE-2021-44228	10.0	Critical	2.0.0.3	Workaround Pending	None
VMware Telco Cloud Operations	1.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	Workaround Pending	None
VMware vRealize Log Insight	8.2, 8.3, 8.4, 8.6	Any	CVE-2021-44228	10.0	Critical	Patch Pending	KB87089	None
VMware Tanzu Scheduler	1.x	Any	CVE-2021-44228	10.0	Critical	Patch Pending	Article Number 13280	None

Wrapping Up

Folks, this Critical Vulnerability in Apache Log4j CVE-2021-44228 is definitely one to pay attention to as it affects products and solutions across the board. I suspect companies will be scrambling over the next few days to perform discovery of products affected. One this is for sure, most vendors are affected as they have used this particular library across solutions making use of embedded JAVA components. Stay tuned here as I will post more information as these details become available.