On Friday, a vulnerability was detected in Apache that affects several VMware products. Through this Apache and Java vulnerability, a user could gain access to the product's underlying operating system.
The complete details can be found at the following link
Problem Description
Multiple products impacted by remote code execution vulnerability and partial denial of service vulnerability via Apache Log4j (CVE-2021-44228, CVE-2021-45046).
Known Attack Vectors
A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system and/or perform a denial of service attack.
Resolution
Fixes for CVE-2021-44228 and CVE-2021-45046 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
Workarounds
Workarounds for CVE-2021-44228 and CVE-2021-45046 are documented in the ‘Workarounds’ column of the ‘Response Matrix’ below.
Notes
- Exploitation attempts in the wild have been confirmed by VMware.
- A supplemental blog post & frequently asked questions list was created for additional clarification. Please see: https://via.vmw.com/vmsa-2021-0028-faq
- Unaffected VMware products can be referred to on the Knowledge Base article: https://kb.vmware.com/s/article/87068
- On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient to remove all possible attack vectors. In addition, a new vulnerability identified by CVE-2021-45046 was published. In response, VMware has aligned with the new guidance and will be updating associated documentation with workarounds and fixes to address both vulnerabilities completely.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
--- | --- | --- | --- | --- | --- | --- | --- | --- |
VMware Horizon | 8.x, 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87073 | None |
VMware vCenter Server | 7.x, 6.7.x, 6.5.x | Virtual Appliance | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87081 | None |
VMware vCenter Server | 6.7.x, 6.5.x | Windows | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87096 | None |
VMware HCX | 4.2.x, 4.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87104 | None |
VMware HCX | 4.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87104 | None |
VMware NSX-T Data Center | 3.x, 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87086 | None |
VMware Unified Access Gateway | 21.x, 20.x, 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87092 | None |
VMware Workspace ONE Access | 21.x, 20.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87090 | None |
VMware Identity Manager | 3.3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87093 | None |
VMware vRealize Operations | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87076 | None |
VMware vRealize Operations Cloud Proxy | Any | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87080 | None |
VMware vRealize Automation | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87120 | None |
VMware vRealize Automation | 7.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87121 | None |
VMware vRealize Lifecycle Manager | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87097 | None |
VMware Carbon Black Cloud Workload Appliance | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | UeX 109167 | None |
VMware Carbon Black EDR Server | 7.6.0, 7.5.x, 7.4.x, 7.3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | UeX 109183 | None |
VMware Site Recovery Manager, vSphere Replication | 8.3, 8.4, 8.5 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87098 | None |
VMware Tanzu GemFire | 9.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | Article Number 13255 | None |
VMware Tanzu GemFire for VMs | 1.14.x, 1.13.x, 1.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | Article Number 13262 | None |
VMware Tanzu Greenplum | 6.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | Article Number 13256 | None |
VMware Tanzu Operations Manager | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | Article Number 13264 | None |
VMware Tanzu Application Service for VMs | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | Article Number 13265 | None |
VMware Tanzu Kubernetes Grid Integrated Edition | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | Article Number 13263 | None |
VMware Tanzu Observability by Wavefront Nozzle | 3.x, 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | 3.0.4 | Workaround Pending | None |
Healthwatch for Tanzu Application Service | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | Workaround Pending | None |
Healthwatch for Tanzu Application Service | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | Workaround Pending | None |
Spring Cloud Services for VMware Tanzu | 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | 3.1.27 | None | None |
Spring Cloud Services for VMware Tanzu | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | 2.1.10 | None | None |
Spring Cloud Gateway for VMware Tanzu | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | Workaround Pending | None |
Spring Cloud Gateway for Kubernetes | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | 1.0.7 | Workaround Pending | None |
API Portal for VMware Tanzu | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | Workaround Pending | None |
Single Sign-On for VMware Tanzu Application Service | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | 1.14.6 | Workaround Pending | None |
App Metrics | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | Workaround Pending | None |
VMware vCenter Cloud Gateway | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87081 | None |
VMware vRealize Orchestrator | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87120 | None |
VMware vRealize Orchestrator | 7.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87122 | None |
VMware Cloud Foundation | 4.x, 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87095 | None |
VMware Workspace ONE Access Connector (VMware Identity Manager Connector) | 21.x, 20.10.x, 19.03.0.1 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87091 | None |
VMware Horizon DaaS | 9.1.x, 9.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87101 | None |
VMware Horizon Cloud Connector | 1.x, 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | Workaround Pending | None |
VMware NSX Data Center for vSphere | 6.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87099 | None |
VMware AppDefense Appliance | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | UeX 109180 | None |
VMware Cloud Director Object Storage Extension | 2.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | Workaround Pending | None |
VMware Cloud Director Object Storage Extension | 2.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87102 | None |
VMware Telco Cloud Operations | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87143 | None |
VMware vRealize Log Insight | 8.2, 8.3, 8.4, 8.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87089 | None |
VMware Tanzu Scheduler | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | 1.6.1 | Article Number 13280 | None |
VMware Smart Assurance NCM | 10.1.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87113 | None |
VMware Smart Assurance SAM [Service Assurance Manager] | 10.1.0.x, 10.1.2, 10.1.5 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87119 | None |
VMware Integrated OpenStack | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87118 | None |
VMware vRealize Business for Cloud | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87127 | None |
VMware vRealize Network Insight | 5.3, 6.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87135 | None |
VMware Cloud Provider Lifecycle Manager | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | 1.2.0.1 | KB87142 | None |
VMware SD-WAN VCO | 4.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87158 | None |
How do I know which version of my product I have?
In the following link you can find the list of build numbers
How do I resolve the vulnerability?
Apply the workarounds listed in the table for your product.
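The lookup described above can be scripted when there are many hosts to check. The following is an added example, not part of the original post or of VMware's advisory: it parses rows in the Response Matrix layout and reports, for each entry in an inventory, whether to upgrade, apply a workaround KB, or fall back on access restrictions. The host names and installed versions are constructed, and the version-matching rules (a bare entry such as `7.6` covering its sub-releases, dotted numeric versions) are assumptions.

```python
# Rows copied verbatim from the Response Matrix on this page.
MATRIX = """\
VMware vCenter Server | 7.x, 6.7.x, 6.5.x | Virtual Appliance | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87081 | None |
VMware vCenter Server | 6.7.x, 6.5.x | Windows | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87096 | None |
VMware vRealize Automation | 7.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | KB87121 | None |
Spring Cloud Services for VMware Tanzu | 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | 3.1.27 | None | None |
App Metrics | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 3.7 | critical | Patch Pending | Workaround Pending | None |
"""
# Constructed inventory (hypothetical hosts): host, product, version, platform.
INVENTORY = [
    ("vc01", "VMware vCenter Server", "6.7.0", "Windows"),
    ("vc02", "VMware vCenter Server", "7.0.3", "Windows"),
    ("vra01", "VMware vRealize Automation", "7.6", "Virtual Appliance"),
    ("scs01", "Spring Cloud Services for VMware Tanzu", "3.1.20", "Any"),
    ("scs02", "Spring Cloud Services for VMware Tanzu", "3.1.27", "Any"),
    ("am01", "App Metrics", "2.1.0", "Any"),
]
COLS = "product versions running_on cves cvss severity fixed workaround docs".split()

def parse_matrix(text):
    # One dict per pipe-delimited row; zip drops the empty cell after the trailing pipe.
    return [dict(zip(COLS, (c.strip() for c in line.split("|"))))
            for line in text.splitlines() if line.strip()]

def version_matches(pattern, version):
    # "7.x" is a prefix wildcard, so "70.1" must not match it. Assumption:
    # a bare entry such as "7.6" also covers its sub-releases (7.6.1).
    prefix = pattern[:-2] if pattern.endswith(".x") else pattern
    return pattern == "Any" or version == prefix or version.startswith(prefix + ".")

def triage(rows, product, version, platform):
    num = lambda v: tuple(map(int, v.split(".")))  # assumes dotted numeric versions
    for row in rows:
        if row["product"] != product or row["running_on"] not in ("Any", platform):
            continue
        if not any(version_matches(p.strip(), version) for p in row["versions"].split(",")):
            continue
        if row["fixed"] != "Patch Pending":  # a fixed release exists: compare numerically
            done = num(version) >= num(row["fixed"])
            return ("already at fixed version " if done else "upgrade to ") + row["fixed"]
        if row["workaround"] not in ("Workaround Pending", "None"):
            return "apply workaround " + row["workaround"]
        return "no fix or workaround yet: restrict access to management interfaces"
    return "no matching row: check the unaffected-products KB article"

def report(inventory=INVENTORY):
    rows = parse_matrix(MATRIX)
    return {host: triage(rows, prod, ver, plat) for host, prod, ver, plat in inventory}

print("\n".join(f"{h}: {a}" for h, a in report().items()))
```

The `vc02` entry shows why the "Running On" column matters: the matrix lists no 7.x row for Windows, so that inventory record matches nothing and should be re-checked rather than assumed safe.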
Are there any other recommendations that could be implemented?
You may have other security controls in your environment that can help protect you until you are able to patch. Use network perimeter access controls or NSX IDS/IPS and NDR technologies to detect and contain attacks against your workloads. For Cloud Infrastructure products like VMware vSphere, VMware Cloud Foundation, and VMware Cloud, as well as cloud add-on components like the HCX, Site Recovery Manager, NSX-T, and Cloud Gateway Appliances, we strongly suggest limiting access to management interfaces to only Virtualization Admins. Drive any direct workload management activity through the VM network connections instead of the VM console. This simplifies access control and makes the RDP or ssh management traffic subject to other security controls, such as IDS/IPS and monitoring.
I have VCF, is it also affected?
Yes, because VCF contains several of the affected products. Review this link for products that are only in VCF
Is VMW on AWS also affected?
Cloud-based VMware services are protected and operational. Customers of VMware Cloud on AWS are protected as well. Some customers with overly permissive management gateway firewall rules have had action taken to reduce their exposure from scanning and exploit activity occurring across the Internet. Those affected have seen direct communications from VMware.
Closing Note
For more information, please visit VMSA-2021-0028 Questions & Answers