
Guidance to VMware Horizon customers regarding Log4j

This post comes from VMware Security Engineering.

In a zero-day situation such as the Apache Software Foundation Log4j vulnerability, cyber criminals are racing to exploit the vulnerabilities identified by CVE-2021-44228 and CVE-2021-45046 before organizations can address them.  

We continue to amplify the message in our security advisory, VMSA-2021-0028, urging customers to address the vulnerability immediately, including in VMware Horizon 8 and Horizon 7.x.

Note that the Log4j vulnerabilities must be addressed urgently on all internal and external Horizon components, including Connection Server, Agent, Cloud Connector and UAG. Customers who have deployed Unified Access Gateway (UAG) as part of their Horizon environment should follow the guidance given in UAG knowledge base article 87092, in addition to the Horizon guidance provided in our advisory.

Due to additional disclosures from the Apache Software Foundation, releases were last updated on Dec. 16th and workaround scripts were last updated on Dec. 19th. Either can be used to address CVE-2021-44228 and CVE-2021-45046.

Customers who have not taken steps to protect their Horizon environment, or who followed the guidance prior to these dates, should take the following action:

  • VMware cannot patch on-prem environments, and we need customers to resolve CVE-2021-44228 and CVE-2021-45046 by using one of the fixes provided in Knowledge Base Article 87073. For general guidance, please also review VMware Security Advisory VMSA-2021-0028 and the corresponding Questions & Answers document. VMware support and engineering are on standby to support customers as needed.
  • Organizations that applied workarounds before Dec. 19 should apply the latest workarounds or update the software following Knowledge Base Article 87073, because additional disclosures from the Apache Software Foundation have since been addressed. This KB is being regularly updated in response to evolving information made available by the Apache Foundation about the Log4j vulnerabilities, and we recommend subscribing to it to receive regular updates.

While most customers have followed the guidance, those who have not done so remain at risk. The security of our customers is our top priority at VMware, and we encourage immediate action. Customers should also sign up for the VMware Security Announce Mailing List for all future security advisories.