Apache Log4j Vulnerabilities for VMware vCenter Server and vCenter Cloud Gateway

by Danny Simmons
Senior Systems Engineer


A critical vulnerability, CVE-2021-44228, in the Apache Log4j open source component has been determined to impact vCenter Server 7.0.x, vCenter 6.7.x & vCenter 6.5.x.

VMware expects to fully address both CVE-2021-44228 and CVE-2021-45046 by updating Log4j to version 2.16 in forthcoming releases of vCenter Server, as outlined by their software support policies. In the meantime, the version-specific mitigation steps in the following KB should be followed:

Note: VMware cannot guarantee that these steps will adequately address all attack vectors.

There are reports that this vulnerability is being actively exploited:

Additional details on the CVE can be found here:

Helient can offer assistance evaluating the risk and remediating these vulnerabilities or reviewing the overall state of security within your VMware environment. Please contact our experts at service@helient.com.