VMware, CVE-2021-44228 and log4j (version 2)

Since the end of last week, a new critical vulnerability has spread, present in many programs (Many VMware applications use this Java Logging including vCenter, Horizon, etc.)

“an exploit in the popular Java logging library log4j (version 2) was discovered that results in Remote Code Execution (RCE) by logging a certain string.” as indicated in this link:

https://www.lunasec.io/docs/blog/log4j-zero-day/

After a few hours, the CVE also released its bulletin (CVE-2021-44228).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228

On the day of 10/12/2021, VMware released its security advisor (VMSA-2021-0028) with the workarounds to limit the vulnerability pending the release of patched versions to fix it:

https://www.vmware.com/security/advisories/VMSA-2021-0028.html

So good application everyone!

By the way, for the uninitiated:

What is CVE? CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that’s been assigned a CVE ID number.
Security advisories issued by vendors and researchers almost always mention at least one CVE ID. CVEs help IT professionals coordinate their efforts to prioritize and address these vulnerabilities to make computer systems more secure.

VMware, CVE-2021-44228 and log4j (version 2)