We continue to look at how to mitigate the log4j vulnerability, in this post we look at horizon connection servers in detail.
As indicated by the VMware KB
![](https://vmvirtual.blog/wp-content/uploads/2021/12/image-2-1024x366.png)
only the connection servers where the HTML Access Portal is active are vulnerable. But all versions are subject to vulnerability.
I recommend applying the workaround even if the HTML Access Portal is not active.
Again as indicated in the previously cited KB we have two possibilities:
- Change the following registry key
1. Edit this registry value:
HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService\Params\JVMOptions
2. Append a single space character followed by this text: -Dlog4j2.formatMsgNoLookups=true
3. Exit the registry editor and restart the Connection Server service or reboot the machine
- Run the following script as administrator.
@echo off setlocal goto start __________________________________________________ CVE-2021-44228 - Prevent log4j parameter expansion Horizon Connection Server 7.x, 8.x VMware, Inc. 2021 __________________________________________________ :start set sigpath=HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService for /f "delims=" %%g in ('reg.exe query "%sigpath%" /v Filename') do set sigval=%%g if "%sigval%"=="" goto notneeded set killflag=-Dlog4j2.formatMsgNoLookups=true set svcpath=HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService\Params for /f "tokens=2*" %%v in ('reg.exe query "%svcpath%" /v JVMOptions') do set svcval=%%w echo %svcval%|find " %killflag%" >nul if not errorlevel 1 goto notneeded reg add "%svcpath%" /v JVMOptions /d "%svcval% %killflag%" /f net stop wsbroker /y && net start wsbroker echo Completed. goto :EOF :notneeded echo Not required. goto :EOF
I will proceed with the script.
I create a fix-log4j.bat file in the c: \ temp folder of my connection server and copy the script text to it.
![](https://vmvirtual.blog/wp-content/uploads/2021/12/image-3.png)
I launch the command from a PowerShell with administrator rights:
![](https://vmvirtual.blog/wp-content/uploads/2021/12/image-5.png)
I reboot the server
I verify that the workaround is applied by relaunching the bat file.
![](https://vmvirtual.blog/wp-content/uploads/2021/12/image-7.png)
Obviously, I have to do this on all the Horizon Connection Servers present
in the Horizon infrastructure