We continue to look at how to mitigate the log4j vulnerability, in this post we look at horizon connection servers in detail.
As indicated by the VMware KB
only the connection servers where the HTML Access Portal is active are vulnerable. But all versions are subject to vulnerability.
I recommend applying the workaround even if the HTML Access Portal is not active.
Again as indicated in the previously cited KB we have two possibilities:
- Change the following registry key
1. Edit this registry value:
HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService\Params\JVMOptions
2. Append a single space character followed by this text: -Dlog4j2.formatMsgNoLookups=true
3. Exit the registry editor and restart the Connection Server service or reboot the machine
- Run the following script as administrator.
@echo off setlocal goto start __________________________________________________ CVE-2021-44228 - Prevent log4j parameter expansion Horizon Connection Server 7.x, 8.x VMware, Inc. 2021 __________________________________________________ :start set sigpath=HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService for /f "delims=" %%g in ('reg.exe query "%sigpath%" /v Filename') do set sigval=%%g if "%sigval%"=="" goto notneeded set killflag=-Dlog4j2.formatMsgNoLookups=true set svcpath=HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService\Params for /f "tokens=2*" %%v in ('reg.exe query "%svcpath%" /v JVMOptions') do set svcval=%%w echo %svcval%|find " %killflag%" >nul if not errorlevel 1 goto notneeded reg add "%svcpath%" /v JVMOptions /d "%svcval% %killflag%" /f net stop wsbroker /y && net start wsbroker echo Completed. goto :EOF :notneeded echo Not required. goto :EOF
I will proceed with the script.
I create a fix-log4j.bat file in the c: \ temp folder of my connection server and copy the script text to it.
I launch the command from a PowerShell with administrator rights:
I reboot the server
I verify that the workaround is applied by relaunching the bat file.
Obviously, I have to do this on all the Horizon Connection Servers present
in the Horizon infrastructure