Critical Vulnerability in Apache Log4j CVE-2021-44228 is VMware affected?

Well, unfortunately, it seems like we are ending the year on a dangerous critical vulnerability. Just a couple of days ago, a critical vulnerability in Apache Log4j identified by CVE-2021-44228 was posted. It is a bad one. We are going to take a brief look at what the vulnerability described in CVE-2021-44228 is exactly. Also, we will look at critical vulnerability in Apache Log4j CVE-2021-44228 is VMware affected to see what if any products may be vulnerable to this extremely nasty vulnerability.

What is the cve-2021-44228 critical vulnerability?

The CVE-2021-44228 vulnerability is also referred to as Log4Shell or LogJam. It is a remote execution vulnerability that affects Apache Log4J library, specifically all versions of Log4j are vulnerable, starting from 2.0-beta9 to 2.14.1. What is this library? It is a library that is used as part of the Apache Logging Project. The bad thing is this is one of the most common and popular logging libraries used by Java developers.

It includes libraries that are used by large software development companies that are used across the enterprise, including Amazon, Apple, Cisco, Cloudflare, Tesla, Twitter, and yes, VMware.

The bad thing is this vulnerability is literally everywhere and a patched version of code is not available as of yet to all products that are using it, which is dangerous. Most likely due to its popularity and prevalence everywhere, it will be actively exploited over the next few days by attackers.

The nature of what it allows attackers to do is extremely bad as well. If attackers manage to exploit it on an affected server, they can gain the ability to execute arbitrary code and take full control of a system. Also alarming, it is extremely easy to exploit.

Attackers only need to write just one string to the log. After the string is written, they can then upload malicious code to the application. The reason for this is the compromised “message lookup substitution” function.

Also, there are already working concepts available on the Internet for this vulnerability. See https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/

The easiest workaround is to install the most recent version of the Apache Log4j library, 2.15.0. However, the problem is, most enterprises are using commercially available solutions and products that are using the Log4j library. It means you can’t just replace the library out of band (or at least not without official guidance), and patches will need to be released and tested.

Another workaround that is documented as a workaround, directly from the Apache Foundation is from 2.10 to 2.14.1, they advise setting the log4j2.formatMsgNoLookups system property, or setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.

So, what this means is organizations will need to keep their ear to the ground on all discovered applications that are using the Apache Log4j library and make sure they get the appropriate patches installed the remediate this vulnerability.

Critical Vulnerability in Apache Log4j CVE-2021-44228 is VMware affected?

Unfortunately, like many large software development companies, VMware is affected by this vulnerability. According to the official VMSA-2021-0028.1, the following products are known as affected. However, keep in mind this list is in flux and may be extended:

• VMware Horizon
• VMware vCenter Server
• VMware HCX
• VMware NSX-T Data Center
• VMware Unified Access Gateway
• VMware WorkspaceOne Access
• VMware Identity Manager 
• VMware vRealize Operations
• VMware vRealize Operations Cloud Proxy
• VMware vRealize Log Insight
• VMware vRealize Automation
• VMware vRealize Lifecycle Manager
• VMware Telco Cloud Automation
• VMware Site Recovery Manager
• VMware Carbon Black Cloud Workload Appliance
• VMware Carbon Black EDR Server
• VMware Tanzu GemFire
• VMware Tanzu Greenplum
• VMware Tanzu Operations Manager
• VMware Tanzu Application Service for VMs
• VMware Tanzu Kubernetes Grid Integrated Edition
• VMware Tanzu Observability by Wavefront Nozzle
• Healthwatch for Tanzu Application Service
• Spring Cloud Services for VMware Tanzu
• Spring Cloud Gateway for VMware Tanzu
• Spring Cloud Gateway for Kubernetes
• API Portal for VMware Tanzu
• Single Sign-On for VMware Tanzu Application Service
• App Metrics
• VMware vCenter Cloud Gateway
• VMware Tanzu SQL with MySQL for VMs
• VMware vRealize Orchestrator
• VMware Cloud Foundation
• VMware Workspace ONE Access Connector
• VMware Horizon DaaS
• VMware Horizon Cloud Connector
• (Additional products will be added)

Note the following workarounds listed in the official VMSA linked above, with the KB articles listed for the workarounds. Keep in mind the CVSSv3 rating is 10.0 (as bad as it can get).

Wrapping Up

Folks, this Critical Vulnerability in Apache Log4j CVE-2021-44228 is definitely one to pay attention to as it affects products and solutions across the board. I suspect companies will be scrambling over the next few days to perform discovery of products affected. One this is for sure, most vendors are affected as they have used this particular library across solutions making use of embedded JAVA components. Stay tuned here as I will post more information as these details become available.