VMware Security Announcement VMSA-2021-0028. Critical CVSSv3 score 10

Just released VMSA-2021-0028. This one is pretty scary, as of now there are no patches or workarounds to fix. here is a quick run through. CVSSv3 Score 10 Critical!

Impacted Products (Under Evaluation)
  • VMware Horizon
  • VMware vCenter Server
  • VMware HCX
  • VMware NSX-T Data Center
  • VMware Unified Access Gateway
  • VMware WorkspaceOne Access
  • VMware Identity Manager
  • VMware vRealize Operations
  • VMware vRealize Log Insight
  • VMware vRealize Automation
  • VMware Telco Cloud Automation
  • VMware Site Recovery Manager
  • VMware Carbon Black Cloud Workload Appliance
  • VMware Tanzu GemFire
  • VMware Tanzu Greenplum
  • VMware Tanzu Operations Manager
  • VMware Tanzu Application Service for VMs
  • VMware Tanzu Kubernetes Grid Integrated Edition
  • VMware Tanzu Observability by Wavefront Nozzle
  • Healthwatch for Tanzu Application Service
  • Spring Cloud Services for VMware Tanzu
  • Spring Cloud Gateway for VMware Tanzu
  • Spring Cloud Gateway for Kubernetes
  • API Portal for VMware Tanzu
  • Single Sign-On for VMware Tanzu Application Service
  • (Additional products will be added)
Introduction

A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in impacted VMware products.  

This is an ongoing event, please check this page for frequent updates as they develop.

Problem Description

Description

Remote code execution vulnerability via Apache Log4j.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2021-44228 to this issue.

Known Attack Vectors

A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.

Patches and workarounds are pending, nothing available currently! Stay Tuned

VMSA-2021-0028 (vmware.com)