[German]The critical vulnerability CVE-2021-44228 in the JAVA library log4j, which became known a few days ago, threatens millions of software products. For many server products, users can do little. However, I would like to recommend a closer look to administrators of VMware products, because the manufacturer indicates some virtualization products as affected by the vulnerability.
Advertising
The log4j vulnerability CVE-2021-44228
I had already pointed out the problem on December 10, 2021 in the blog post 0-day CVE-2021-44228 in Java library log4j puts many projects at risk. There is a critical vulnerability in the JNDI lookup function in the Java log4j library used for logging, which could allow attackers to inject and execute remote code. The JNDI lookup function of log4j allows variables to be retrieved via the JNDI – Java Naming and Directory Interface. The vulnerability has been assigned a CVSSv3 value of 10.0 (highest value).
If an attacker writes malicious code in the form of a URL to the log file, the JNDI directory service will then contact the LDAP server listed in the log to request data from it. This can also include Java classes, which are then executed. If an attacker succeeds in specifying the URL to a server he controls in the log file, he can hijack a server via logging (Log4Shell).
Since proof of concept (PoC) for the remote code execution vulnerability in log4j was published on December 9, 2021, the IT world has been upside down. US CISA warns (see) that this is the biggest vulnerability of the year, threatening hundreds of millions of devices and programs. This probably includes various products from VMware.
VMware products affected
Vendor VMware has already published security advisory VMSA-2021-0028 on Apache Log4j vulnerability CVE-2021-44228 (remote code execution) as of December 10, 2021. Still under investigation, but VMware assumes the following products are affected (see my addendum below):
- VMware Horizon
- VMware vCenter Server
- VMware HCX
- VMware NSX-T Data Center
- VMware Unified Access Gateway
- VMware WorkspaceOne Access
- VMware Identity Manager
- VMware vRealize Operations
- VMware vRealize Operations Cloud Proxy
- VMware vRealize Automation
- VMware vRealize Lifecycle Manager
- VMware Site Recovery Manager, vSphere Replication
- VMware Carbon Black Cloud Workload Appliance
- VMware Carbon Black EDR Server
- VMware Tanzu GemFire
- VMware Tanzu Greenplum
- VMware Tanzu Operations Manager
- VMware Tanzu Application Service for VMs
- VMware Tanzu Kubernetes Grid Integrated Edition
- VMware Tanzu Observability by Wavefront Nozzle
- Healthwatch for Tanzu Application Service
- Spring Cloud Services for VMware Tanzu
- Spring Cloud Gateway for VMware Tanzu
- Spring Cloud Gateway for Kubernetes
- API Portal for VMware Tanzu
- Single Sign-On for VMware Tanzu Application Service
- App Metrics
- VMware vCenter Cloud Gateway
- VMware vRealize Orchestrator
- VMware Cloud Foundation
- VMware Workspace ONE Access Connector
- VMware Horizon DaaS
- VMware Horizon Cloud Connector
- VMware NSX Data Center for vSphere
- VMware AppDefense Appliance
- VMware Cloud Director Object Storage Extension
- VMware Telco Cloud Operations
- VMware vRealize Log Insight
- VMware Tanzu Scheduler
- (Additional products will be added)
VMware has released security updates for the affected products, which can be downloaded via security advisor VMSA-2021-0028, if already available.
Advertising
Addendum: There is now a support article VMware Response to CVE-2021-44228: Apache Log4j Remote Code Execution (87068) with a list of products (VMware vSphere ESXi for instance), that are not affected (thanks to the German blog reader for the hint).
Similar articles:
0-day CVE-2021-44228 in Java library log4j puts many projects at risk
log4j vulnerability CVE-2021-44228: Patch your Minecraft
VMware products threatened by log4j vulnerability CVE-2021-44228
