VMSA-2021-0028: VMware Log4Shell Impact & Remediations

Last Update: 9:48 am EDT, Jan. 10, 2022

• Added new knowledgebase articles for several VMware products detailing mitigations
• Added workaround for VMware vRealize Automation, VMware Workspace ONE Access Connector (VMware Identity Manager Connector), VMware vRealize Orchestrator, VMware AppDefense Appliance, VMware Cloud Director Object Storage Extension, VMware vRealize Log Insight, VMware AppDefense Appliance, VMware Cloud Director Object Storage Extension v2.0.x, VMware vRealize Log Insight, VMware Tanzu Scheduler, VMware Smart Assurance NCM, VMware Smart Assurance SAM [Service Assurance Manager], VMware Integrated OpenStack, VMware vRealize Business for Cloud, VMware vRealize Network Insight
• Updated list of impacted applications
• Corrected VMware Tanzu GemFire entry
• Added mitigation for VMware HCX
• Added mitigations for VMware Cloud Provider Lifecycle Manager ,VMware SD-WAN VCO, VMware NSX-T Intelligence Appliance, VMware Horizon Agents Installer, VMware Tanzu Observability Proxy, VMware Smart Assurance M&R, VMware Harbor Container Registry for TKGI, VMware vRealize Operations Tenant App for VMware Cloud Director

Situation Report: VMSA-2021-0028

A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021. This vulnerability, impacts multiple VMware products. VMware has assigned VMSA-2021-0028 to this issue and has begun to release mitigations. The Randori Attack Team can confirm exploitability of VMWare products in live environments (VMSA-2021-0028) via Log4j (CVE-2021-44228) aka “Log4Shell”. Randori has been in contact with VMware and is providing relevant information to their teams but will not release proof-of-concept code.

This is a critical vulnerability and impacted organizations should take immediate action. This post will be regularly updated, but follow @RandoriAttack for immediate updates. 

Impact

The Log4j 2 library is very frequently used in enterprise Java software. Similarly to other high-profile vulnerabilities such as Heartbleed and Shellshock, we believe there will be an increasing number of vulnerable products discovered in the weeks to come. Randori has validated exploitability with a working exploit, and anticipate widespread exploitation by threat actors imminently. Randori has been in contact with the VMWare team to assist their development of mitigations

Impacted products:

• VMware Horizon (8.x, 7.x)
• VMware vCenter Server (7.x, 6.5.x, 6.7.x)
• VMware HCX (4.1, 4.2, 4.0, 3.x)
• VMware NSX-T Data Center (3.x, 2.x)
• VMware Unified Access Gateway (21.x, 20.x, 3.x)
• VMware Workspace ONE Access (21.x, 20.x)
• VMware Identity Manager (3.x)
• VMware vRealize Operations (8.x)
• VMware vRealize Operations Cloud Proxy (Any)
• VMware vRealize Log Insight (8.x)
• VMware vRealize Automation (8.x, 7.6)
• VMware Telco Cloud Automation (2.x, 1.x)
• VMware Carbon Black Cloud Workload Appliance (1.x)
• VMware Site Recovery Manager (8.x)
• VMware Tanzu Gemfire (1.14.x, 1.13.x, 1.10.x)
• VMware Tanzu Greenplum (6.x)
• VMware Tanzu Operations Manager (2.x)
• VMware Tanzu Application Service for VMs (2.x)
• VMware Tanzu Kubernetes Grid Integrated Edition (1.x)
• VMware Tanzu Observability by Wavefront Nozzle (3.x, 2.x)
• Healthware for Tanzu Application Service (2.x, 1.x)
• Spring Cloud Services for VMware Tanzu (3.x)
• Spring Cloud Gateway for VMware Tanzu (1.x)
• Spring Cloud Gateway for Kubernetes (1.x)
• API Portal for VMware Tanzu (1.x)
• Single Sign-On for VMware Tanzu Application Service (1.x)
• App Metrics (2.x)
• VMware vCenter Cloud Gateway (1.x)
• VMware Tanzu SQL with MySQL for VMs (1.x, 2.x)
• vRealize Orchestrator (7.6, 8.x)
• VMware Cloud Foundation (4.x, 3.x)
• VMware Workspace ONE Access Connector (21.x, 20.10.x, 19.03.0.1)
• VMware Horizon DaaS (9.1.x, 9.0.x)
• VMware Horizon Cloud Connector (1.x, 2.x)
• VMware NSX Data Center for vSphere (6.x)
• VMware AppDefense Appliance (2.x)
• VMware Cloud Director Object Storage Extension (2.1.x, 2.0.x)
• VMware Telco Cloud Operations (1.x)
• VMware vRealize Log Insight (8.2, 8.3, 8.4, 8.6)
• VMware Tanzu Scheduler (1.x)
• VMware Smart Assurance NCM (10.1.6)
• VMware Smart Assurance SAM [Service Assurance Manager] (10.1.2, 10.1.5)
• VMware Integrated OpenStack (7.x)
• VMware vRealize Business for Cloud (7.x)
• VMware vRealize Network Insight (5.3, 6.x)
• VMware Cloud Provider Lifecycle Manager (1.x)
• VMware SD-WAN VCO (4.x)
• VMware NSX-T Intelligence Appliance (1.2.x, 1.1.x)
• VMware Horizon Agents Installer (21.x.x, 20.x.x)
• VMware Tanzu Observability Proxy (10.x)
• VMware Smart Assurance M&R (6.8u5, 7.0u8, 7.2.0.1)
• VMware Harbor Container Registry for TKGI (2.x)
• VMware vRealize Operations Tenant App for VMware Cloud Director (2.5)

Remediations & Recommendations

If running a VMware product impacted by VMSA-2021-0028, Randori recommends organizations take immediate action and do the following: 

• Assume compromise and review logs for signs of malicious activity.
• Configure firewalls to prevent outbound connections.  
• Review VMSA-2021-0028 for mitigations and release of patches. 
• Monitor our Log4Shell Attacker Note for impact of Log4Shell beyond VMware
• Follow @RandoriAttack and @VMWareSRC for updates.

Links to product specific mitigations below: (Last update 4:09 pm ET, Jan. 7, 2022) 

• Table of mitigation status for all products
  • VMware Horizon (KB87073)
  • VMware Horizon DaaS (KB87101)
  • VMware vCenter Server — Virtual Appliance (KB87081)
  • VMware vCenter Server — Windows (KB87096)
  • VMware vCenter Cloud Gateway (KB87081)
  • VMware HCX Cloud Manager (KB86169)
  • VMware HCX (KB87104)
  • VMware NSX-T Datacenter (KB87086)
  • VMware NSX Data Center for vSphere (KB87099)
  • VMware United Access Gateway (KB87092)
  • VMware Workspace ONE Access (KB87090)
  • VMware Workspace ONE Access Connector (VMware Identity Manager Connector) (KB87091)
  • VMware Identity Manager (KB87093)
  • VMware Cloud Foundation (KB87095)
  • VMware vRealize Operations (KB87076)
  • VMware vRealize Operations Cloud Proxy (KB87080)
  • VMware vRealize Automation v8.x (KB87120)
  • VMware vRealize Automation v7.6 (KB87121)
  • VMware vRealize Lifecycle Manager (KB87097)
  • VMware vRealize Log Insight (KB87089)
  • VMware vRealize Orchestrator v8.X (KB87120)
  • VMware vRealize Orchestrator v7.6 (KB87122)
  • VMware Carbon Black Cloud Workload Appliance (UeX 109167)
  • VMWare Carbon Black EDR Server (UeX 109168)
  • VMware Site Recovery Manager, vSphere Replication (KB87098)
  • VMware Tanzu Greenplum (Article #13256)
  • VMware Tanzu GemFire (Article #13262)
  • VMware Tanzu Operations Manager (13264)
  • VMware Tanzu Application Service for VMs (13265)
  • VMware Tanzu Kubernetes Grid Integrated Edition (13263)
  • VMware AppDefense Appliance (UeX 109180)
  • VMware Cloud Director Object Storage Extension v2.0.x (KB87102)
  • VMware vRealize Log Insight (KB87089)
  • VMware Tanzu Scheduler (Article #13280)
  • VMware Smart Assurance NCM (KB87113)
  • VMware Smart Assurance SAM [Service Assurance Manager] (KB87119)
  • VMware Integrated OpenStack (KB87118)
  • VMware vRealize Business for Cloud (KB87127)
  • VMware vRealize Network Insight (KB87135)
  • VMware Cloud Provider Lifecycle Manager (KB87142)
  • VMware SD-WAN VCO (KB87158)
  • VMware NSX-T Intelligence Appliance (KB87150)
  • VMware Horizon Agents Installer (KB87157)
  • VMware Tanzu Observability Proxy (Article Number 13272)
  • VMware Smart Assurance M&R (KB87161)
  • VMware Harbor Container Registry for TKGI (Article Number 13263)
  • VMware vRealize Operations Tenant App for VMware Cloud Director (KB87187)

If anomalies are found, we encourage you to assume this is an active incident, that you have been compromised and respond accordingly. 

Additional Log4j Research from Randori

• CVE-2021-44228 (Log4Shell) Vulnerability Analysis
• Jamf Pro: Log4Shell Impact & Remediation Analysis