VMSA-2021-0028: Critical VMware Security Advisory (Multiple Products; Apache Log4j Vulnerability)
On Friday, December 10, 2021, VMware released VMware Security Advisory VMSA-2021-0028 affecting numerous VMware products including vCenter Server. This advisory is re: Apache Log4j vulnerability CVE-2021-44228 with a CVSSv3 score of 10 out of 10.
Resources:
VMSA-2021-0028: https://www.vmware.com/security/advisories/VMSA-2021-0028.html
FAQ: https://via.vmw.com/vmsa-2021-0028-faq
Unaffected VMware products can be referred to on the Knowledge Base article: https://kb.vmware.com/s/article/87068
VMware Blog “Investigating the Log4j Vulnerability”: https://blogs.vmware.com/security/2021/12/investigating-cve-2021-44228-log4shell-vulnerability.html
The key takeaway is that IMMEDIATE ACTION IS REQUIRED. Workaround should be applied to all running products immediately.
This is being actively exploited in the wild, and should be treated as an emergency change with highest priority.
This vulnerability is in the open-source Apache Log4j Java logging library, which is used in numerous software packages. This is not a VMware-specific issue.
Additional background information:
Tech Solvency Log4Shell log4j vulnerability (CVE-2021-44228) – cheat-sheet reference guide