VMware has released the version of Horizon where the LOG4J vulnerability is fixed. (CVE-2021-44228 and CVE-2021-45046) Build 19067873 is not vulnerable (released 12/16/202), while previous build 19052438 and 18964782 (released 12/14/2021 and 11/30/2021) are vulnerable
We continue to look at how to mitigate the log4j vulnerability, in this post we look at horizon connection servers in detail. As indicated by the VMware KB
only the connection servers where the HTML Access Portal is active are vulnerable. But all versions are subject to vulnerability. I recommend applying the workaround even if the HTML Access Portal is not active. Again as indicated in the previously cited KB we have two possibilities:
Change the following registry key
1. Edit this registry value: HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService\Params\JVMOptions 2. Append a single space character followed by this text: -Dlog4j2.formatMsgNoLookups=true 3. Exit the registry editor and restart the Connection Server service or reboot the machine
Run the following script as administrator.
CVE-2021-44228 - Prevent log4j parameter expansion
Horizon Connection Server 7.x, 8.x
VMware, Inc. 2021
set sigpath=HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService
for /f "delims=" %%g in ('reg.exe query "%sigpath%" /v Filename') do set sigval=%%g
if "%sigval%"=="" goto notneeded
set svcpath=HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService\Params
for /f "tokens=2*" %%v in ('reg.exe query "%svcpath%" /v JVMOptions') do set svcval=%%w
echo %svcval%|find " %killflag%" >nul
if not errorlevel 1 goto notneeded
reg add "%svcpath%" /v JVMOptions /d "%svcval% %killflag%" /f
net stop wsbroker /y && net start wsbroker
echo Not required.
I will proceed with the script. I create a fix-log4j.bat file in the c: \ temp folder of my connection server and copy the script text to it.
I launch the command from a PowerShell with administrator rights:
I reboot the server
I verify that the workaround is applied by relaunching the bat file.
Obviously, I have to do this on all the Horizon Connection Servers present in the Horizon infrastructure
What is CVE? CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that’s been assigned a CVE ID number. Security advisories issued by vendors and researchers almost always mention at least one CVE ID. CVEs help IT professionals coordinate their efforts to prioritize and address these vulnerabilities to make computer systems more secure.