===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2022.0237.2
  VMSA-2021-0028 - VMware Response to Apache Log4j Remote Code Execution
                      Vulnerability (CVE-2021-44228)
                              31 January 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Products
Publisher:         VMware
Operating System:  VMware ESX Server
                   Virtualisation
                   Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-45046 CVE-2021-44228

Reference:         ESB-2021.4317
                   ESB-2021.4198.5

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2021-0028.html

Comment: CVSS (Max):  10.0 CVE-2021-44228 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: VMware

Revision History:  January 31 2022: Vendor revised advisory with updates to
                                    multiple products, including vCenter Server.
                   January 20 2022: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Advisory ID:   VMSA-2021-0028.10
CVSSv3 Range:  9.0-10.0
Issue Date:    2021-12-10
Updated On:    2022-01-27
CVE(s):        CVE-2021-44228, CVE-2021-45046
Synopsis:      VMware Response to Apache Log4j Remote Code Execution
               Vulnerabilities (CVE-2021-44228, CVE-2021-45046)

1. Impacted Products

  o VMware Horizon
  o VMware vCenter Server
  o VMware HCX
  o VMware NSX-T Data Center
  o VMware Unified Access Gateway
  o VMware WorkspaceOne Access
  o VMware Identity Manager
  o VMware vRealize Operations
  o VMware vRealize Operations Cloud (Cloud Proxy)
  o VMware vRealize Automation
  o VMware vRealize Lifecycle Manager
  o VMware Site Recovery Manager, vSphere Replication
  o VMware Carbon Black Cloud Workload Appliance
  o VMware Carbon Black EDR Server
  o VMware Tanzu GemFire
  o VMware Tanzu GemFire for VMs
  o VMware Tanzu Greenplum Platform Extension Framework
  o VMware Greenplum Text
  o VMware Tanzu Operations Manager
  o VMware Tanzu Application Service for VMs
  o VMware Tanzu Kubernetes Grid Integrated Edition
  o VMware Tanzu Observability by Wavefront Nozzle
  o Healthwatch for Tanzu Application Service
  o Spring Cloud Services for VMware Tanzu
  o Spring Cloud Gateway for VMware Tanzu
  o Spring Cloud Gateway for Kubernetes
  o API Portal for VMware Tanzu
  o Single Sign-On for VMware Tanzu Application Service
  o App Metrics
  o VMware vCenter Cloud Gateway
  o VMware vRealize Orchestrator
  o VMware Cloud Foundation
  o VMware Workspace ONE Access Connector
  o VMware Horizon DaaS
  o VMware Horizon Cloud Connector
  o VMware NSX Data Center for vSphere
  o VMware AppDefense Appliance
  o VMware Cloud Director Object Storage Extension
  o VMware Telco Cloud Operations
  o VMware vRealize Log Insight
  o VMware Tanzu Scheduler
  o VMware Smart Assurance NCM
  o VMware Smart Assurance SAM [Service Assurance Manager]
  o VMware Integrated OpenStack
  o VMware vRealize Business for Cloud
  o VMware vRealize Network Insight
  o VMware Cloud Provider Lifecycle Manager
  o VMware SD-WAN VCO
  o VMware NSX Intelligence
  o VMware Horizon Agents Installer
  o VMware Tanzu Observability Proxy
  o VMware Smart Assurance M&R
  o VMware Harbor Container Registry for TKGI
  o VMware vRealize Operations Tenant App for VMware Cloud Director
  o VMware vRealize True Visibility Suite

2. Introduction

Critical vulnerabilities in Apache Log4j identified by CVE-2021-44228 and
CVE-2021-45046 have been publicly disclosed which impact VMware products.

3. Problem Description

Description

Multiple products impacted by remote code execution vulnerabilities via
Apache Log4j (CVE-2021-44228, CVE-2021-45046).

Known Attack Vectors

A malicious actor with network access to an impacted VMware product may
exploit these issues to gain full control of the target system.

Resolution

Fixes for CVE-2021-44228 and CVE-2021-45046 are documented in the 'Fixed
Version' column of the 'Response Matrix' below.

Workarounds

Workarounds for CVE-2021-44228 and CVE-2021-45046 are documented in the
'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

None.

Notes

  o 2021/12/10: Exploitation attempts in the wild of CVE-2021-44228 have
    been confirmed by VMware.
  o 2021/12/11: A supplemental blog post & frequently asked questions list
    was created for additional clarification. Please see:
    https://via.vmw.com/vmsa-2021-0028-faq
  o 2021/12/13: Unaffected VMware products can be referred to on the
    Knowledge Base article: https://kb.vmware.com/s/article/87068
  o 2021/12/14: The Apache Software Foundation notified the community that
    their initial guidance for CVE-2021-44228 workarounds were not
    sufficient in removing all possible attack vectors. In addition, a new
    vulnerability identified by CVE-2021-45046 was published. In response,
    VMware has aligned with the new guidance and will be updating
    associated documentation with workarounds and fixes to address both
    vulnerabilities completely.
  o 2021/12/17: The Apache Software Foundation updated the severity of
    CVE-2021-45046 to 9.0, in response we have aligned our advisory.
  o 2022/01/07: A pair of new vulnerabilities identified by CVE-2021-45105
    and CVE-2021-44832 have been disclosed by the Apache Software
    Foundation that impact log4j releases prior to 2.17.1 in non-default
    configurations.
    VMware has investigated and has found no evidence that these
    vulnerabilities are exploitable in VMware products. Going forward new
    log4j vulnerabilities will continue to be evaluated to determine
    severity and applicability to VMware products, but will not be
    referenced in this advisory. VMware products will update open source
    components (including log4j) to the latest available versions in
    future releases.

Response Matrix:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
--------------------------------------------------------------------------------------------------------------------------
VMware Horizon | 8.x, 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87073 | KB87073 | None
VMware vCenter Server | 7.x | Virtual Appliance | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 7.0U3c | KB87081 | None
VMware vCenter Server | 6.7.x, 6.5.x | Virtual Appliance | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | Patch Pending | KB87081 | None
VMware vCenter Server | 6.7.x, 6.5.x | Windows | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | Patch Pending | KB87096 | None
VMware HCX | 4.3 | Any | CVE-2021-44228, CVE-2021-45046 | N/A | N/A | N/A | N/A | Not Affected
VMware HCX | 4.2.x, 4.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 4.2.4 | KB87104 | None
VMware HCX | 4.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 4.1.0.3 | KB87104 | None
VMware NSX-T Data Center | 3.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 3.1.3.5 | KB87086 | None
VMware NSX-T Data Center | 3.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 3.0.3.1 | KB87086 | None
VMware NSX-T Data Center | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.5.3.4 | KB87086 | None
VMware Unified Access Gateway | 21.x, 20.x, 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2111.1 | KB87092 | None
VMware Workspace ONE Access | 21.x, 20.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87183 | KB87090 | None
VMware Identity Manager | 3.3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 3.3.6 | KB87093 | None
VMware Site Recovery Manager, vSphere Replication | 8.5.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 8.5.0.2 | KB87098 | None
VMware Site Recovery Manager, vSphere Replication | 8.4.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 8.4.0.4 | KB87098 | None
VMware Site Recovery Manager, vSphere Replication | 8.3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 8.3.1.5 | KB87098 | None
VMware Tanzu GemFire | 9.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 9.10.13 | Article Number 13255 | None
VMware Tanzu GemFire | 9.9.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 9.9.7 | Article Number 13255 | None
VMware Tanzu GemFire for VMs | 1.14.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.14.2 | Article Number 13262 | None
VMware Tanzu GemFire for VMs | 1.13.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.13.5 | Article Number 13262 | None
VMware Tanzu GemFire for VMs | 1.12.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.12.4 | Article Number 13262 | None
VMware Tanzu GemFire for VMs | 1.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.10.9 | Article Number 13262 | None
VMware Tanzu Greenplum Platform Extension Framework | 6.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 6.2.2 | Article Number 13256 | None
VMware Greenplum Text | 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 3.8.1 | Article Number 13256 | None
VMware Tanzu Operations Manager | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.10.25 | Article Number 13264 | None
VMware Tanzu Application Service for VMs | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.6.23, 2.7.44, 2.8.30, 2.9.30, 2.10.24, 2.11.12 and 2.12.5 | Article Number 13265 | None
VMware Tanzu Kubernetes Grid Integrated Edition | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.13.1, 1.10.8 | Article Number 13263 | None
VMware Tanzu Observability by Wavefront Nozzle | 3.x, 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 3.0.4 | Workaround Pending | None
Healthwatch for Tanzu Application Service | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.1.8 | Workaround Pending | None
Healthwatch for Tanzu Application Service | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.8.7 | Workaround Pending | None
Spring Cloud Services for VMware Tanzu | 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 3.1.27 | None | None
Spring Cloud Services for VMware Tanzu | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.1.10 | None | None
Spring Cloud Gateway for VMware Tanzu | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.1.4, 1.0.19 | Workaround Pending | None
Spring Cloud Gateway for Kubernetes | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.0.7 | Workaround Pending | None
API Portal for VMware Tanzu | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.0.8 | Workaround Pending | None
Single Sign-On for VMware Tanzu Application Service | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.14.6 | Workaround Pending | None
App Metrics | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.1.2 | Workaround Pending | None
VMware vCenter Cloud Gateway | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | Patch Pending | KB87081 | None
VMware Cloud Foundation | 4.x, 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | Patch Pending | KB87095 | None
VMware Workspace ONE Access Connector (VMware Identity Manager Connector) | 21.08.0.1, 21.08, 20.10, 19.03.0.1 | Windows | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87184 | KB87091 | None
VMware Horizon DaaS | 9.1.x, 9.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87101 | KB87101 | None
VMware Horizon Cloud Connector | 1.x, 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.1.2 | None | None
VMware NSX Data Center for vSphere | 6.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 6.4.12 | KB87099 | None
VMware AppDefense Appliance | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | N/A | UeX 109180 | None
VMware Cloud Director Object Storage Extension | 2.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.1.0.1 | KB87102 | None
VMware Cloud Director Object Storage Extension | 2.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.0.0.3 | KB87102 | None
VMware Telco Cloud Operations | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.4.0.1 | KB87143 | None
VMware Tanzu Scheduler | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.6.1 | Article Number 13280 | None
VMware Smart Assurance NCM | 10.1.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | Patch Pending | KB87113 | None
VMware Smart Assurance SAM [Service Assurance Manager] | 10.1.0.x, 10.1.2, 10.1.5, | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 10.1.5.5 | KB87119 | None
VMware Integrated OpenStack | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 7.2 | KB87118 | None
VMware Cloud Provider Lifecycle Manager | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.2.0.1 | KB87142 | None
VMware SD-WAN VCO | 4.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87158 | KB87158 | None
VMware NSX Intelligence | 1.2.x, 1.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.2.1.1 | KB87150 | None
VMware Horizon Agents Installer | 21.x.x, 20.x.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87157 | KB87157 | None
VMware Tanzu Observability Proxy | 10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 10.12 | Article Number 13272 | None
VMware Smart Assurance M&R | 6.8u5, 7.0u8, 7.2.0.1 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87161 | KB87161 | None
VMware Harbor Container Registry for TKGI | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.4.1 | Article Number 13263 | None

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
--------------------------------------------------------------------------------------------------------------------------
VMware Carbon Black Cloud Workload Appliance | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.1.2 | UeX 190167 | None
VMware Carbon Black EDR Server | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 7.6.1 | UeX 109183 | None

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
--------------------------------------------------------------------------------------------------------------------------
vRealize Automation | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 8.6.2 | KB87120 | None
vRealize Automation | 7.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | Patch Pending | KB87121 | None
VMware vRealize Business for Cloud | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | Patch Pending | KB87127 | None
VMware vRealize Lifecycle Manager | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 8.6.2 | KB87097 | None
VMware vRealize Log Insight | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 8.6.2 | KB87089 | None
VMware vRealize Network Insight | 6.x, 5.3 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 6.5 | KB87135 | None
VMware vRealize Operations | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87076 | KB87076 | None
VMware vRealize Operations Cloud (Cloud Proxy) | Any | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 8.6.2 | KB87080 | None
VMware vRealize Operations Tenant App for VMware Cloud Director | 2.5 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.5.1 | KB87187 | None
VMware vRealize Orchestrator | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 8.6.2 | KB87120 | None
VMware vRealize Orchestrator | 7.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | Patch Pending | KB87122 | None
VMware vRealize True Visibility Suite | Any | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87136 | KB87136 | None

4. References

FIRST CVSSv3 Calculator:
CVE-2021-44228: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0)
CVE-2021-45046: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (9.0)

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

5. Change Log

2021-12-10: VMSA-2021-0028
    Initial security advisory.
2021-12-11: VMSA-2021-0028.1
    Updated advisory with workaround information for multiple products
    including vCenter Server Appliance, vRealize Operations, Horizon,
    vRealize Log Insight, Unified Access Gateway.
2021-12-13: VMSA-2021-0028.2
    Revised advisory with updates to multiple products.
2021-12-15: VMSA-2021-0028.3
    Revised advisory with updates to multiple products. In addition, added
    CVE-2021-45046 information and noted alignment with new Apache Software
    Foundation guidance.
2021-12-17: VMSA-2021-0028.4
    Revised advisory with updates to multiple products.
2021-12-20: VMSA-2021-0028.5
    Added a note on current CVE-2021-45105 investigations.
2021-12-21: VMSA-2021-0028.6
    Revised advisory with updates to multiple products, including vRealize
    Operations and vRealize Log Insight.
2021-12-22: VMSA-2021-0028.7
    Revised advisory with updates to multiple products, including HCX.
2021-12-24: VMSA-2021-0028.8
    Revised advisory with updates to multiple products, including NSX-T,
    TKGI and Greenplum.
2022-01-19: VMSA-2021-0028.9
    Revised advisory with updates to multiple products, including vRealize
    Automation, vRealize Orchestrator, NSX Intelligence, and vRealize
    Lifecycle Manager.
2022-01-27: VMSA-2022-0028.10
    Revised advisory with updates to multiple products, including vCenter
    Server.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which
may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================