by Danny Simmons
Senior Systems Engineer
A critical vulnerability, CVE-2021-44228, has been determined to impact vCenter Server 7.0.x, vCenter 6.7.x and vCenter 6.5.x via the Apache Log4j open source component.
VMware expects to fully address both CVE-2021-44228 and CVE-2021-45046 by updating Log4j to version 2.16 in forthcoming releases of vCenter Server, as outlined by their software support policies. In the meantime, the version-specific mitigation steps in the following KB should be followed:
Note: VMware cannot guarantee that these steps will adequately address all attack vectors.
There are reports that this vulnerability is being actively exploited:
Additional details on the CVE can be found here:
Helient can offer assistance evaluating the risk and remediating these vulnerabilities or reviewing the overall state of security within your VMware environment. Please contact our experts at email@example.com.