Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0237.2
VMSA-2021-0028 - VMware Response to Apache Log4j Remote Code
Execution Vulnerability (CVE-2021-44228)
31 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: VMware Products
Publisher: VMware
Operating System: VMware ESX Server
Virtualisation
Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2021-45046 CVE-2021-44228
Reference: ESB-2021.4317
ESB-2021.4198.5
Original Bulletin:
https://www.vmware.com/security/advisories/VMSA-2021-0028.html
Comment: CVSS (Max): 10.0 CVE-2021-44228 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVSS Source: VMware
Revision History: January 31 2022: Vendor revised advisory with updates to multiple products, including vCenter Server.
January 20 2022: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Advisory ID: VMSA-2021-0028.10
CVSSv3 Range: 9.0-10.0
Issue Date: 2021-12-10
Updated On: 2022-01-27
CVE(s): CVE-2021-44228, CVE-2021-45046
Synopsis: VMware Response to Apache Log4j Remote Code Execution Vulnerabilities
(CVE-2021-44228, CVE-2021-45046)
1. Impacted Products
o VMware Horizon
o VMware vCenter Server
o VMware HCX
o VMware NSX-T Data Center
o VMware Unified Access Gateway
o VMware WorkspaceOne Access
o VMware Identity Manager
o VMware vRealize Operations
o VMware vRealize Operations Cloud (Cloud Proxy)
o VMware vRealize Automation
o VMware vRealize Lifecycle Manager
o VMware Site Recovery Manager, vSphere Replication
o VMware Carbon Black Cloud Workload Appliance
o VMware Carbon Black EDR Server
o VMware Tanzu GemFire
o VMware Tanzu GemFire for VMs
o VMware Tanzu Greenplum Platform Extension Framework
o VMware Greenplum Text
o VMware Tanzu Operations Manager
o VMware Tanzu Application Service for VMs
o VMware Tanzu Kubernetes Grid Integrated Edition
o VMware Tanzu Observability by Wavefront Nozzle
o Healthwatch for Tanzu Application Service
o Spring Cloud Services for VMware Tanzu
o Spring Cloud Gateway for VMware Tanzu
o Spring Cloud Gateway for Kubernetes
o API Portal for VMware Tanzu
o Single Sign-On for VMware Tanzu Application Service
o App Metrics
o VMware vCenter Cloud Gateway
o VMware vRealize Orchestrator
o VMware Cloud Foundation
o VMware Workspace ONE Access Connector
o VMware Horizon DaaS
o VMware Horizon Cloud Connector
o VMware NSX Data Center for vSphere
o VMware AppDefense Appliance
o VMware Cloud Director Object Storage Extension
o VMware Telco Cloud Operations
o VMware vRealize Log Insight
o VMware Tanzu Scheduler
o VMware Smart Assurance NCM
o VMware Smart Assurance SAM [Service Assurance Manager]
o VMware Integrated OpenStack
o VMware vRealize Business for Cloud
o VMware vRealize Network Insight
o VMware Cloud Provider Lifecycle Manager
o VMware SD-WAN VCO
o VMware NSX Intelligence
o VMware Horizon Agents Installer
o VMware Tanzu Observability Proxy
o VMware Smart Assurance M&R
o VMware Harbor Container Registry for TKGI
o VMware vRealize Operations Tenant App for VMware Cloud Director
o VMware vRealize True Visibility Suite
2. Introduction
Critical vulnerabilities in Apache Log4j identified by CVE-2021-44228 and
CVE-2021-45046 have been publicly disclosed which impact VMware products.
3. Problem Description
Description
Multiple products impacted by remote code execution vulnerabilities via Apache
Log4j (CVE-2021-44228, CVE-2021-45046).
Known Attack Vectors
A malicious actor with network access to an impacted VMware product may exploit
these issues to gain full control of the target system.
Resolution
Fixes for CVE-2021-44228 and CVE-2021-45046 are documented in the 'Fixed
Version' column of the 'Response Matrix' below.
Workarounds
Workarounds for CVE-2021-44228 and CVE-2021-45046 are documented in the
'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
None.
Acknowledgements
None.
Notes
o 2021/12/10: Exploitation attempts in the wild of CVE-2021-44228 have been
confirmed by VMware.
o 2021/12/11: A supplemental blog post & frequently asked questions list was
created for additional clarification. Please see: https://via.vmw.com/
vmsa-2021-0028-faq
o 2021/12/13: Unaffected VMware products can be referred to on the Knowledge
Base article: https://kb.vmware.com/s/article/87068
o 2021/12/14: The Apache Software Foundation notified the community that
their initial guidance for CVE-2021-44228 workarounds were not sufficient
in removing all possible attack vectors. In addition, a new vulnerability
identified by CVE-2021-45046 was published. In response, VMware has aligned
with the new guidance and will be updating associated documentation with
workarounds and fixes to address both vulnerabilities completely.
o 2021/12/17: The Apache Software Foundation updated the severity of
CVE-2021-45046 to 9.0, in response we have aligned our advisory.
o 2022/01/07: A pair of new vulnerabilities identified by CVE-2021-45105 and
CVE-2021-44832 have been disclosed by the Apache Software Foundation that
impact log4j releases prior to 2.17.1 in non-default configurations. VMware
has investigated and has found no evidence that these vulnerabilities are
exploitable in VMware products. Going forward new log4j vulnerabilities
will continue to be evaluated to determine severity and applicability to
VMware products, but will not be referenced in this advisory. VMware
products will update open source components (including log4j) to the latest
available versions in future releases.
Response Matrix:
Product Version Running CVE Identifier CVSSv3 Severity Fixed Workarounds Additional
On Version Documentation
VMware 8.x, 7.x Any CVE-2021-44228, 10.0, critical KB87073 KB87073 None
Horizon CVE-2021-45046 9.0
VMware Virtual CVE-2021-44228, 10.0,
vCenter 7.x Appliance CVE-2021-45046 9.0 critical 7.0U3c KB87081 None
Server
VMware 6.7.x, Virtual CVE-2021-44228, 10.0, Patch
vCenter 6.5.x Appliance CVE-2021-45046 9.0 critical Pending KB87081 None
Server
VMware 6.7.x, CVE-2021-44228, 10.0, Patch
vCenter 6.5.x Windows CVE-2021-45046 9.0 critical Pending KB87096 None
Server
VMware HCX 4.3 Any CVE-2021-44228, N/A N/A N/A N/A Not Affected
CVE-2021-45046
VMware HCX 4.2.x, Any CVE-2021-44228, 10.0, critical 4.2.4 KB87104 None
4.0.x CVE-2021-45046 9.0
VMware HCX 4.1.x Any CVE-2021-44228, 10.0, critical 4.1.0.3 KB87104 None
CVE-2021-45046 9.0
VMware NSX-T 3.1.x Any CVE-2021-44228, 10.0, critical 3.1.3.5 KB87086 None
Data Center CVE-2021-45046 9.0
VMware NSX-T 3.0.x Any CVE-2021-44228, 10.0, critical 3.0.3.1 KB87086 None
Data Center CVE-2021-45046 9.0
VMware NSX-T 2.x Any CVE-2021-44228, 10.0, critical 2.5.3.4 KB87086 None
Data Center CVE-2021-45046 9.0
VMware
Unified 21.x, Any CVE-2021-44228, 10.0, critical 2111.1 KB87092 None
Access 20.x, 3.x CVE-2021-45046 9.0
Gateway
VMware 21.x, CVE-2021-44228, 10.0,
Workspace ONE 20.10.x Any CVE-2021-45046 9.0 critical KB87183 KB87090 None
Access
VMware CVE-2021-44228, 10.0,
Identity 3.3.x Any CVE-2021-45046 9.0 critical 3.3.6 KB87093 None
Manager
VMware Site
Recovery CVE-2021-44228, 10.0,
Manager, 8.5.x Any CVE-2021-45046 9.0 critical 8.5.0.2 KB87098 None
vSphere
Replication
VMware Site
Recovery CVE-2021-44228, 10.0,
Manager, 8.4.x Any CVE-2021-45046 9.0 critical 8.4.0.4 KB87098 None
vSphere
Replication
VMware Site
Recovery CVE-2021-44228, 10.0,
Manager, 8.3.x Any CVE-2021-45046 9.0 critical 8.3.1.5 KB87098 None
vSphere
Replication
VMware Tanzu CVE-2021-44228, 10.0, Article
GemFire 9.10.x Any CVE-2021-45046 9.0 critical 9.10.13 Number None
13255
VMware Tanzu CVE-2021-44228, 10.0, Article
GemFire 9.9.x Any CVE-2021-45046 9.0 critical 9.9.7 Number None
13255
VMware Tanzu CVE-2021-44228, 10.0, Article
GemFire for 1.14.x Any CVE-2021-45046 9.0 critical 1.14.2 Number None
VMs 13262
VMware Tanzu CVE-2021-44228, 10.0, Article
GemFire for 1.13.x Any CVE-2021-45046 9.0 critical 1.13.5 Number None
VMs 13262
VMware Tanzu CVE-2021-44228, 10.0, Article
GemFire for 1.12.x Any CVE-2021-45046 9.0 critical 1.12.4 Numer 13262 None
VMs
VMware Tanzu CVE-2021-44228, 10.0, Article
GemFIre for 1.10.x Any CVE-2021-45046 9.0 critical 1.10.9 Number None
VMs 13262
VMware Tanzu
Greenplum CVE-2021-44228, 10.0, Article
Platform 6.x Any CVE-2021-45046 9.0 critical 6.2.2 Number None
Extension 13256
Framework
VMware CVE-2021-44228, 10.0, Article
Greenplum 3.x Any CVE-2021-45046 9.0 critical 3.8.1 Number None
Text 13256
VMware Tanzu CVE-2021-44228, 10.0, Article
Operations 2.x Any CVE-2021-45046 9.0 critical 2.10.25 Number None
Manager 13264
2.6.23,
2.7.44,
VMware Tanzu 2.8.30, Article
Application 2.x Any CVE-2021-44228, 10.0, critical 2.9.30, Number None
Service for CVE-2021-45046 9.0 2.10.24, 13265
VMs 2.11.12
and
2.12.5
VMware Tanzu
Kubernetes CVE-2021-44228, 10.0, 1.13.1, Article
Grid 1.x Any CVE-2021-45046 9.0 critical 1.10.8 Number None
Integrated 13263
Edition
VMware Tanzu
Observability 3.x, 2.x Any CVE-2021-44228, 10.0, critical 3.0.4 Workaround None
by Wavefront CVE-2021-45046 9.0 Pending
Nozzle
Healthwatch
for Tanzu 2.x Any CVE-2021-44228, 10.0, critical 2.1.8 Workaround None
Application CVE-2021-45046 9.0 Pending
Service
Healthwatch
for Tanzu 1.x Any CVE-2021-44228, 10.0, critical 1.8.7 Workaround None
Application CVE-2021-45046 9.0 Pending
Service
Spring Cloud CVE-2021-44228, 10.0,
Services for 3.x Any CVE-2021-45046 9.0 critical 3.1.27 None None
VMware Tanzu
Spring Cloud CVE-2021-44228, 10.0,
Services for 2.x Any CVE-2021-45046 9.0 critical 2.1.10 None None
VMware Tanzu
Spring Cloud CVE-2021-44228, 10.0, 1.1.4, Workaround
Gateway for 1.x Any CVE-2021-45046 9.0 critical 1.0.19 Pending None
VMware Tanzu
Spring Cloud CVE-2021-44228, 10.0, Workaround
Gateway for 1.x Any CVE-2021-45046 9.0 critical 1.0.7 Pending None
Kubernetes
API Portal CVE-2021-44228, 10.0, Workaround
for VMware 1.x Any CVE-2021-45046 9.0 critical 1.0.8 Pending None
Tanzu
Single
Sign-On for CVE-2021-44228, 10.0, Workaround
VMware Tanzu 1.x Any CVE-2021-45046 9.0 critical 1.14.6 Pending None
Application
Service
App Metrics 2.x Any CVE-2021-44228, 10.0, critical 2.1.2 Workaround None
CVE-2021-45046 9.0 Pending
VMware CVE-2021-44228, 10.0, Patch
vCenter Cloud 1.x Any CVE-2021-45046 9.0 critical Pending KB87081 None
Gateway
VMware Cloud 4.x, 3.x Any CVE-2021-44228, 10.0, critical Patch KB87095 None
Foundation CVE-2021-45046 9.0 Pending
VMware
Workspace ONE
Access 21.08.0.1,
Connector 21.08, Windows CVE-2021-44228, 10.0, critical KB87184 KB87091 None
(VMware 20.10, CVE-2021-45046 9.0
Identity 19.03.0.1
Manager
Connector)
VMware 9.1.x, Any CVE-2021-44228, 10.0, critical KB87101 KB87101 None
Horizon DaaS 9.0.x CVE-2021-45046 9.0
VMware CVE-2021-44228, 10.0,
Horizon Cloud 1.x, 2.x Any CVE-2021-45046 9.0 critical 2.1.2 None None
Connector
VMware NSX CVE-2021-44228, 10.0,
Data Center 6.x Any CVE-2021-45046 9.0 critical 6.4.12 KB87099 None
for vSphere
VMware CVE-2021-44228, 10.0,
AppDefense 2.x Any CVE-2021-45046 9.0 critical N/A UeX 109180 None
Appliance
VMware Cloud
Director CVE-2021-44228, 10.0,
Object 2.1.x Any CVE-2021-45046 9.0 critical 2.1.0.1 KB87102 None
Storage
Extension
VMware Cloud
Director CVE-2021-44228, 10.0,
Object 2.0.x Any CVE-2021-45046 9.0 critical 2.0.0.3 KB87102 None
Storage
Extension
VMware Telco CVE-2021-44228, 10.0,
Cloud 1.x Any CVE-2021-45046 9.0 critical 1.4.0.1 KB87143 None
Operations
VMware Tanzu CVE-2021-44228, 10.0, Article
Scheduler 1.x Any CVE-2021-45046 9.0 critical 1.6.1 Number None
13280
VMware Smart 10.1.6 Any CVE-2021-44228, 10.0, critical Patch KB87113 None
Assurance NCM CVE-2021-45046 9.0 Pending
VMware Smart
Assurance SAM 10.1.0.x, CVE-2021-44228, 10.0,
[Service 10.1.2, Any CVE-2021-45046 9.0 critical 10.1.5.5 KB87119 None
Assurance 10.1.5,
Manager]
VMware CVE-2021-44228, 10.0,
Integrated 7.x Any CVE-2021-45046 9.0 critical 7.2 KB87118 None
OpenStack
VMware Cloud
Provider 1.x Any CVE-2021-44228, 10.0, critical 1.2.0.1 KB87142 None
Lifecycle CVE-2021-45046 9.0
Manager
VMware SD-WAN 4.x Any CVE-2021-44228, 10.0, critical KB87158 KB87158 None
VCO CVE-2021-45046 9.0
VMware NSX 1.2.x, Any CVE-2021-44228, 10.0, critical 1.2.1.1 KB87150 None
Intelligence 1.1.x CVE-2021-45046 9.0
VMware
Horizon 21.x.x, Any CVE-2021-44228, 10.0, critical KB87157 KB87157 None
Agents 20.x.x CVE-2021-45046 9.0
Installer
VMware Tanzu CVE-2021-44228, 10.0, Article
Observability 10.x Any CVE-2021-45046 9.0 critical 10.12 Number None
Proxy 13272
VMware Smart 6.8u5, CVE-2021-44228, 10.0,
Assurance M&R 7.0u8, Any CVE-2021-45046 9.0 critical KB87161 KB87161 None
7.2.0.1
VMware Harbor Article
Container 2.x Any CVE-2021-44228, 10.0, critical 2.4.1 Number None
Registry for CVE-2021-45046 9.0 13263
TKGI
Product Version Running CVE Identifier CVSSv3 Severity Fixed Workarounds Additional
On Version Documentation
VMware
Carbon
Black 1.x Any CVE-2021-44228, 10.0, critical 1.1.2 UeX 190167 None
Cloud CVE-2021-45046 9.0
Workload
Appliance
VMware
Carbon 7.x Any CVE-2021-44228, 10.0, critical 7.6.1 UeX 109183 None
Black EDR CVE-2021-45046 9.0
Server
Product Version Running CVE Identifier CVSSv3 Severity Fixed Workarounds Additional
On Version Documentation
vRealize 8.x Any CVE-2021-44228, 10.0, critical 8.6.2 KB87120 None
Automation CVE-2021-45046 9.0
vRealize 7.6 Any CVE-2021-44228, 10.0, critical Patch KB87121 None
Automation CVE-2021-45046 9.0 Pending
VMware
vRealize 7.x Any CVE-2021-44228, 10.0, critical Patch KB87127 None
Business for CVE-2021-45046 9.0 Pending
Cloud
VMware
vRealize 8.x Any CVE-2021-44228, 10.0, critical 8.6.2 KB87097 None
Lifecycle CVE-2021-45046 9.0
Manager
VMware CVE-2021-44228, 10.0,
vRealize Log 8.x Any CVE-2021-45046 9.0 critical 8.6.2 KB87089 None
Insight
VMware
vRealize 6.x, Any CVE-2021-44228, 10.0, critical 6.5 KB87135 None
Network 5.3 CVE-2021-45046 9.0
Insight
VMware CVE-2021-44228, 10.0,
vRealize 8.x Any CVE-2021-45046 9.0 critical KB87076 KB87076 None
Operations
VMware
vRealize CVE-2021-44228, 10.0,
Operations Any Any CVE-2021-45046 9.0 critical 8.6.2 KB87080 None
Cloud (Cloud
Proxy)
VMware
vRealize
Operations CVE-2021-44228, 10.0,
Tenant App 2.5 Any CVE-2021-45046 9.0 critical 2.5.1 KB87187 None
for VMware
Cloud
Director
VMware CVE-2021-44228, 10.0,
vRealize 8.x Any CVE-2021-45046 9.0 critical 8.6.2 KB87120 None
Orchestrator
VMware CVE-2021-44228, 10.0, Patch
vRealize 7.6 Any CVE-2021-45046 9.0 critical Pending KB87122 None
Orchestrator
VMware
vRealize CVE-2021-44228, 10.0,
True Any Any CVE-2021-45046 9.0 critical KB87136 KB87136 None
Visibility
Suite
4. References
FIRST CVSSv3 Calculator:
CVE-2021-44228: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/
PR:N/UI:N/S:C/C:H/I:H/A:H (10.0)
CVE-2021-45046: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/
PR:N/UI:N/S:C/C:H/I:H/A:H (9.0)
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
5. Change Log
2021-12-10: VMSA-2021-0028
Initial security advisory.
2021-12-11: VMSA-2021-0028.1
Updated advisory with workaround information for multiple products including
vCenter Server Appliance, vRealize Operations, Horizon, vRealize Log Insight,
Unified Access Gateway.
2021-12-13: VMSA-2021-0028.2
Revised advisory with updates to multiple products.
2021-12-15: VMSA-2021-0028.3
Revised advisory with updates to multiple products. In addition, added
CVE-2021-45046 information and noted alignment with new Apache Software
Foundation guidance.
2021-12-17: VMSA-2021-0028.4
Revised advisory with updates to multiple products.
2021-12-20: VMSA-2021-0028.5
Added a note on current CVE-2021-45105 investigations.
2021-12-21: VMSA-2021-0028.6
Revised advisory with updates to multiple products, including vRealize
Operations and vRealize Log Insight.
2021-12-22: VMSA-2021-0028.7
Revised advisory with updates to multiple products, including HCX.
2021-12-24: VMSA-2021-0028.8
Revised advisory with updates to multiple products, including NSX-T, TKGI and
Greenplum.
2022-01-19: VMSA-2021-0028.9
Revised advisory with updates to multiple products, including vRealize
Automation, vRealize Orchestrator, NSX Intelligence, and vRealize Lifecycle
Manager.
2022-01-27: VMSA-2022-0028.10
Revised advisory with updates to multiple products, including vCenter Server.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYfdsJONLKJtyKPYoAQhewhAAoTzThq441VKlJco6fJJZ3aFxjpJNr4uv
+LVX9kzDMUmrEUd0lE/yaWOG+xW45N/wHclHoV8N/6Zf4ZUnJGpd2xICTSKEtD1X
ple2ItLERn33SsE48zhUpN5re6E7+u2tAKGP3kvXZECkA/mY9Nxuk1YY6Du1jpuR
D979OrbmfWzcKYVtbdVhiood/oFQbIeB2xUFiL8eQx1Cp/MLxFuIiZDmcgC5+Vcw
UrvHJoJG24p+Xea6fX6SjMMyyXMhKO1b3u79b/EHcjou9HLDd6rikI4KbbD7ShIx
EFzse9Mr84AwN1ZSZIP2LiRuqjJZ0j70JDGhQcU+3N4LOo74U9Qayfgd7G/kZHH8
CEI0wIiKAPkyq7eEHS3v2p6UHwTerANevB7wbx0Igu1z6bODgSsqTblXNlYsZ1zM
JCRcAtsozxjAuqHpYbjS06RvUYk+lB435/QoryHMItg5RR3IZs1zO/DvauGp2DaJ
D4oCyGnZSsjUWAxFPILm29tdXFKSCPDBgIN4MwcgNxWbtdZT7D/TaEaG8lzSjKfL
8YliFD+da8SqeB2JWFSuWAq1GXHSIjBr9AGGnT4AG1mlLsyFPwR+o4XDM8Sb33L0
VPNKVOrIMtm9KrlZNg4IUb0NFmG2smr7qFAOeeQe2sLmZwFl2M6cn3V/u3nVd1Mm
8aCWvJY4nD0=
=T5lm
-----END PGP SIGNATURE-----