Security Advisory 2021-075

Release Date: 18/12/2021

VMware Critical Vulnerability

History:

  • 18/12/2021 --- v1.0 -- Initial publication

Summary

On December 17th, VMware updated its security advisory covering CVE-2021-44228 and CVE-2021-45046, which affect many of its products [1]. Both CVEs are in the Apache Log4j 2 Java logging library, so any product that embeds a vulnerable version of the library is exposed, in the worst case to unauthenticated remote code execution [2].

Technical Details

The vulnerability exists in the Apache Log4j 2 Java logging library. When a logged message contains a lookup expression such as ${jndi:ldap://...}, vulnerable versions resolve it through JNDI and can load and execute code from an attacker-controlled server. An unauthenticated remote attacker can therefore exploit this by sending specially crafted content (for example in an HTTP header or form field that the application logs) to execute malicious code on the server [2]. CVE-2021-45046 covers configurations where the first fix (2.15.0) and the formatMsgNoLookups mitigation remain bypassable, which is why the fixed releases below correspond to Log4j 2.16.0 or later, or to removal of the JndiLookup class.
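The first practical question for an operator is which appliances and web archives actually bundle a vulnerable log4j-core. The script below is an added example, not code from CERT-EU, VMware or Apache: it walks a JAR/WAR/EAR and every archive nested inside it, reads the Log4j version from the artifact's Maven pom.properties, checks whether the JndiLookup class is still present, and applies the Apache fix thresholds (2.15.0 for CVE-2021-44228, 2.16.0 for CVE-2021-45046, 2.12.2 for the Java 7 line). The entry paths are the real ones in Apache's log4j-core jar; the sample WAR and the jar names inside it are constructed in memory so the script runs offline. It does not encode VMware's product-specific workarounds, which are only in the KB articles referenced in [1].

```python
"""Added example: scan an archive (and nested archives) for Apache Log4j 2 core
and decide whether it is still exposed to CVE-2021-44228 / CVE-2021-45046."""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Entry names inside the real Apache log4j-core artifact.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str                # "outer.war!WEB-INF/lib/inner.jar" for nested jars
    version: Optional[str]   # None when pom.properties is absent (repackaged jars)
    jndi_lookup_present: bool
    vulnerable: bool


def parse_version(pom_properties: str) -> Optional[str]:
    m = re.search(r"^version=(\S+)", pom_properties, re.M)
    return m.group(1) if m else None


def version_tuple(version: str):
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def is_vulnerable(version: Optional[str], jndi_lookup_present: bool) -> bool:
    """2.15.0 fixed CVE-2021-44228, 2.16.0 fixed CVE-2021-45046 (2.12.2 on the
    Java 7 line). A jar with JndiLookup.class removed is treated as mitigated
    regardless of version, since that removal is Apache's documented workaround."""
    if not jndi_lookup_present:
        return False
    if version is None:
        return True  # lookup class present, version unknown: assume exposed
    vt = version_tuple(version)
    if vt[:2] == (2, 12):
        return vt < (2, 12, 2)
    return vt < (2, 16, 0)


def scan_archive(data: bytes, path: str) -> List[Finding]:
    """Recursively inspect an archive held in memory; non-zip input yields nothing."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names or JNDI_LOOKUP_CLASS in names:
            version = None
            if POM_PROPERTIES in names:
                version = parse_version(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
            jndi = JNDI_LOOKUP_CLASS in names
            findings.append(Finding(path, version, jndi, is_vulnerable(version, jndi)))
        for name in sorted(names):
            if name.lower().endswith(NESTED_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{path}!{name}"))
    return findings


def scan_file(filename: str) -> List[Finding]:
    with open(filename, "rb") as fh:
        return scan_archive(fh.read(), filename)


# --- constructed sample data (not real VMware or Apache artifacts) ---------------

def build_log4j_core_jar(version: str, include_jndi_lookup: bool = True) -> bytes:
    """Fake log4j-core jar using the real entry names; class bodies are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed WAR bundling three log4j-core jars and one unrelated library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_log4j_core_jar("2.14.1"))
        war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", build_log4j_core_jar("2.16.0"))
        war.writestr("WEB-INF/lib/log4j-core-2.14.1-stripped.jar",
                     build_log4j_core_jar("2.14.1", include_jndi_lookup=False))
        other = io.BytesIO()
        with zipfile.ZipFile(other, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        war.writestr("WEB-INF/lib/other-lib.jar", other.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_war(), "sample.war"):
        state = "VULNERABLE" if f.vulnerable else "ok"
        print(f"{state:10} {f.path}  version={f.version}  JndiLookup={f.jndi_lookup_present}")
```

Running the file scans the constructed WAR and flags only the 2.14.1 jar that still carries JndiLookup.class; point scan_file at a real archive to inventory a deployment. A version string is not proof on its own: vendors sometimes backport fixes or repackage the library without pom.properties, so treat the output as a lead and confirm against the product's fixed release in [1].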

Affected products and Fixed Release

Vulnerable Product | Fixed Release | Workaround
-------------------------------------------------------------------------------
VMware Horizon | 2111, 7.13.1, 7.10.3 | YES
VMware vCenter Server 7.x, 6.7.x, 6.5.x | Pending | YES
VMware vCenter Server 6.7.x, 6.5.x | Pending | YES
VMware HCX 4.0.x, 4.1.x, 4.2.x | Pending | YES
VMware NSX-T Data Center 3.x, 2.x | Pending | YES
VMware Unified Access Gateway 21.x, 20.x, 3.x | 2111.1 | YES
VMware Workspace ONE Access 21.x, 20.10.x | KB87183 | YES
VMware Identity Manager 3.3.x | KB87185 | YES
VMware vRealize Operations 8.x | Patch Pending | YES
VMware vRealize Operations Cloud Proxy | Patch Pending | YES
VMware vRealize Automation 8.x | Patch Pending | YES
VMware vRealize Automation 7.6 | Patch Pending | YES
VMware vRealize Lifecycle Manager 8.x | Patch Pending | YES
VMware Carbon Black Cloud Workload Appliance 1.x | 1.1.2 | YES
VMware Carbon Black EDR Server 7.6.0, 7.5.x, 7.4.x, 7.3.x | Patch Pending | YES
VMware Site Recovery Manager, vSphere Replication 8.5, 8.4, 8.3 | 8.5.0.2, 8.4.0.4, 8.3.1.5 | YES
VMware Tanzu GemFire 9.10.x | 9.10.13, 9.9.7 | YES
VMware Tanzu GemFire for VMs 1.14.x, 1.13.x, 1.10.x | 1.14.2, 1.13.5, 1.12.4, 1.10.9 | YES
VMware Tanzu Greenplum 6.x | Patch Pending | YES
VMware Tanzu Operations Manager 2.x | 2.8.18, 2.9.25, 2.10.24 | YES
VMware Tanzu Application Service for VMs 2.x | 2.6.23, 2.7.44, 2.8.30, 2.9.30, 2.10.24, 2.11.12 and 2.12.5 | YES
VMware Tanzu Kubernetes Grid Integrated Edition 1.x | Patch Pending | YES
VMware Tanzu Observability by Wavefront Nozzle 3.x, 2.x | 3.0.4 | Pending
Healthwatch for Tanzu Application Service 2.x | 2.1.8 | Pending
Healthwatch for Tanzu Application Service 1.x | 1.8.7 | Pending
Spring Cloud Services for VMware Tanzu 1.x, 2.x, 3.x | 1.1.4, 1.0.19, 2.1.10, 3.1.27 | Pending for 1.x
Spring Cloud Gateway for Kubernetes 1.x | 1.0.7 | Pending
API Portal for VMware Tanzu 1.x | 1.0.8 | Pending
Single Sign-On for VMware Tanzu Application Service 1.x | 1.14.6 | Pending
App Metrics 2.x | 2.1.2 | Pending
VMware vCenter Cloud Gateway 1.x | Pending | YES
VMware vRealize Orchestrator 7.6, 8.x | Pending | YES
VMware Cloud Foundation 4.x, 3.x | Pending | YES
VMware Workspace ONE Access Connector (VMware Identity Manager Connector) 21.08.0.1, 21.08, 20.10, 19.03.0.1 | KB87184 | YES
VMware Horizon DaaS | Pending | YES
VMware Horizon Cloud Connector 1.x, 2.x | 2.1.2 | Pending
VMware NSX Data Center for vSphere 6.x | Pending | YES
VMware AppDefense Appliance 2.x | N/A | YES
VMware Cloud Director Object Storage Extension 2.0.x, 2.1.x | 2.0.0.3, 2.1.0.1 | YES
VMware Telco Cloud Operations 1.x | Pending | YES
VMware vRealize Log Insight 8.2, 8.3, 8.4, 8.6 | Pending | YES
VMware Tanzu Scheduler 1.x | 1.6.1 | YES
VMware Smart Assurance NCM 10.1.6 | Pending | YES
VMware Smart Assurance SAM (Service Assurance Manager) 10.1.0.x, 10.1.2, 10.1.5, | Pending | YES
VMware Integrated OpenStack 7.x | Pending | YES
VMware vRealize Business for Cloud 7.x | Pending | YES
VMware vRealize Network Insight 5.3, 6.x | Pending | YES
VMware Cloud Provider Lifecycle Manager 1.x | 1.2.0.1 | YES
VMware SD-WAN VCO 4.x | Pending | YES
VMware NSX-T Intelligence Appliance 1.2.x, 1.1.x | Pending | YES
VMware Horizon Agents Installer 21.x.x, 20.x.x | KB87157 | YES
VMware Tanzu Observability Proxy 10.x | 10.12 | YES

In the Fixed Release column, "Pending" and "Patch Pending" mean that no fixed build was available at the time of publication, and entries of the form KB8xxxx refer to VMware Knowledge Base articles that describe the fix or mitigation steps for that product. In the Workaround column, YES means VMware has documented a workaround for the product; "Pending" means none was available yet. The table reflects the state of [1] on December 17th, 2021, and VMware is updating that advisory as patches are released.

Recommendations

CERT-EU recommends applying the patches or upgrading the affected products as soon as possible. Refer to the table in the [Affected products and Fixed Release] section and to the details provided by VMware in [1] to find the fixed release of each product. Where no fix is available yet, apply the product-specific workaround from the linked VMware KB article and re-check [1] regularly, since it is being updated as patches are released. Note that because of CVE-2021-45046, setting the log4j2.formatMsgNoLookups property alone is not a sufficient mitigation; follow the vendor's full workaround, which typically removes the JndiLookup class from the affected jar or upgrades the bundled library.

References

[1] https://www.vmware.com/security/advisories/VMSA-2021-0028.html

[2] https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-067.pdf
