Apache Log4j Vulnerabilities for VMware vCenter Server and vCenter Cloud Gateway

by Danny Simmons
Senior Systems Engineer

Summary

A critical vulnerability, CVE-2021-44228, in the Apache Log4j open source component has been determined to impact vCenter Server 7.0.x, vCenter 6.7.x and vCenter 6.5.x.

VMware expects to fully address both CVE-2021-44228 and CVE-2021-45046 by updating Log4j to version 2.16 in forthcoming releases of vCenter Server, as outlined by their software support policies. In the meantime, the version-specific mitigation steps in the following KB should be followed:

Note: VMware cannot guarantee that these steps will adequately address all attack vectors.

There are reports that this vulnerability is being actively exploited:
https://www.bleepingcomputer.com/news/security/conti-ransomware-uses-log4j-bug-to-hack-vmware-vcenter-servers/

Additional details on the CVE can be found here:
https://www.vmware.com/security/advisories/VMSA-2021-0028.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Helient can offer assistance evaluating the risk and remediating these vulnerabilities or reviewing the overall state of security within your VMware environment. Please contact our experts at service@helient.com.