
URL: https://www.vmware.com/security/advisories/VMSA-2021-0028.html
Critical

Advisory ID: VMSA-2021-0028.13
CVSSv3 Range: 9.0-10.0
Issue Date: 2021-12-10
Updated On: 2022-02-14
CVE(s): CVE-2021-44228, CVE-2021-45046
Synopsis: VMware Response to Apache Log4j Remote Code Execution Vulnerabilities
(CVE-2021-44228, CVE-2021-45046)


1. IMPACTED PRODUCTS

 * VMware Horizon
 * VMware vCenter Server
 * VMware HCX
 * VMware NSX-T Data Center
 * VMware Unified Access Gateway
 * VMware Workspace ONE Access
 * VMware Identity Manager
 * VMware vRealize Operations
 * VMware vRealize Operations Cloud (Cloud Proxy)
 * VMware vRealize Automation
 * VMware vRealize Lifecycle Manager
 * VMware Site Recovery Manager, vSphere Replication
 * VMware Carbon Black Cloud Workload Appliance
 * VMware Carbon Black EDR Server
 * VMware Tanzu GemFire
 * VMware Tanzu GemFire for VMs
 * VMware Tanzu Greenplum Platform Extension Framework
 * VMware Greenplum Text
 * VMware Tanzu Operations Manager
 * VMware Tanzu Application Service for VMs
 * VMware Tanzu Kubernetes Grid Integrated Edition
 * VMware Tanzu Observability by Wavefront Nozzle
 * Healthwatch for Tanzu Application Service
 * Spring Cloud Services for VMware Tanzu
 * Spring Cloud Gateway for VMware Tanzu
 * Spring Cloud Gateway for Kubernetes
 * API Portal for VMware Tanzu
 * Single Sign-On for VMware Tanzu Application Service
 * App Metrics
 * VMware vCenter Cloud Gateway
 * VMware vRealize Orchestrator
 * VMware Cloud Foundation
 * VMware Workspace ONE Access Connector
 * VMware Horizon DaaS
 * VMware Horizon Cloud Connector
 * VMware NSX Data Center for vSphere
 * VMware AppDefense Appliance
 * VMware Cloud Director Object Storage Extension
 * VMware Telco Cloud Operations
 * VMware vRealize Log Insight
 * VMware Tanzu Scheduler
 * VMware Smart Assurance NCM
 * VMware Smart Assurance SAM [Service Assurance Manager]
 * VMware Integrated OpenStack
 * VMware vRealize Business for Cloud
 * VMware vRealize Network Insight
 * VMware Cloud Provider Lifecycle Manager
 * VMware SD-WAN VCO
 * VMware NSX Intelligence
 * VMware Horizon Agents Installer
 * VMware Tanzu Observability Proxy
 * VMware Smart Assurance M&R
 * VMware Harbor Container Registry for TKGI
 * VMware vRealize Operations Tenant App for VMware Cloud Director
 * VMware vRealize True Visibility Suite

2. INTRODUCTION

Critical vulnerabilities in Apache Log4j, identified by CVE-2021-44228 and
CVE-2021-45046, have been publicly disclosed and impact VMware products.

3. PROBLEM DESCRIPTION

Description

Multiple products impacted by remote code execution vulnerabilities via Apache
Log4j (CVE-2021-44228, CVE-2021-45046).

Known Attack Vectors

A malicious actor with network access to an impacted VMware product may exploit
these issues to gain full control of the target system.


Resolution

Fixes for CVE-2021-44228 and CVE-2021-45046 are documented in the 'Fixed
Version' column of the 'Response Matrix' below.


Workarounds

Workarounds for CVE-2021-44228 and CVE-2021-45046 are documented in the
'Workarounds' column of the 'Response Matrix' below.


Additional Documentation

None.

Acknowledgements

None.


Notes

 * 2021/12/10: Exploitation attempts in the wild of CVE-2021-44228 have been
   confirmed by VMware.

 * 2021/12/11: A supplemental blog post & frequently asked questions list was
   created for additional clarification. Please see:
   https://via.vmw.com/vmsa-2021-0028-faq 

 * 2021/12/13: Unaffected VMware products are listed in the Knowledge Base
   article: https://kb.vmware.com/s/article/87068

 * 2021/12/14: The Apache Software Foundation notified the community that its
   initial guidance for CVE-2021-44228 workarounds was not sufficient to
   remove all possible attack vectors. In addition, a new vulnerability
   identified by CVE-2021-45046 was published. In response, VMware has aligned
   with the new guidance and will be updating associated documentation with
   workarounds and fixes to address both vulnerabilities completely.

 * 2021/12/17: The Apache Software Foundation updated the severity of
   CVE-2021-45046 to 9.0; in response, we have aligned our advisory.

 * 2022/01/07: A pair of new vulnerabilities identified by CVE-2021-45105 and
   CVE-2021-44832 have been disclosed by the Apache Software Foundation that
   impact log4j releases prior to 2.17.1 in non-default configurations. VMware
   has investigated and has found no evidence that these vulnerabilities are
   exploitable in VMware products. Going forward new log4j vulnerabilities will
   continue to be evaluated to determine severity and applicability to VMware
   products, but will not be referenced in this advisory. VMware products will
   update open source components (including log4j) to the latest available
   versions in future releases.

Response Matrix:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| VMware Horizon | 8.x, 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87073 | KB87073 | None |
| VMware vCenter Server | 7.x | Virtual Appliance | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 7.0U3c | KB87081 | None |
| VMware vCenter Server | 6.7.x | Virtual Appliance | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 6.7 U3q | KB87081 | None |
| VMware vCenter Server | 6.7.x | Windows | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 6.7 U3q | KB87096 | None |
| VMware vCenter Server | 6.5.x | Virtual Appliance | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 6.5 U3s | KB87081 | None |
| VMware vCenter Server | 6.5.x | Windows | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 6.5 U3s | KB87096 | None |
| VMware Cloud Foundation | 4.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 4.4 | KB87095 | None |
| VMware Cloud Foundation | 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 3.11 | KB87095 | None |
| VMware HCX | 4.3 | Any | CVE-2021-44228, CVE-2021-45046 | N/A | N/A | Not Affected | N/A | N/A |
| VMware HCX | 4.2.x, 4.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 4.2.4 | KB87104 | None |
| VMware HCX | 4.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 4.1.0.3 | KB87104 | None |
| VMware NSX-T Data Center | 3.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 3.1.3.5 | KB87086 | None |
| VMware NSX-T Data Center | 3.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 3.0.3.1 | KB87086 | None |
| VMware NSX-T Data Center | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.5.3.4 | KB87086 | None |
| VMware Unified Access Gateway | 21.x, 20.x, 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2111.1 | KB87092 | None |
| VMware Workspace ONE Access | 21.x, 20.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87183 | KB87090 | None |
| VMware Identity Manager | 3.3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 3.3.6 | KB87093 | None |
| VMware Site Recovery Manager, vSphere Replication | 8.5.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 8.5.0.2 | KB87098 | None |
| VMware Site Recovery Manager, vSphere Replication | 8.4.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 8.4.0.4 | KB87098 | None |
| VMware Site Recovery Manager, vSphere Replication | 8.3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 8.3.1.5 | KB87098 | None |
| VMware vCenter Cloud Gateway | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87081 | KB87081 | None |
| VMware Workspace ONE Access Connector (VMware Identity Manager Connector) | 21.08.0.1, 21.08, 20.10, 19.03.0.1 | Windows | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87184 | KB87091 | None |
| VMware Horizon DaaS | 9.1.x, 9.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87101 | KB87101 | None |
| VMware Horizon Cloud Connector | 1.x, 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.1.2 | None | None |
| VMware NSX Data Center for vSphere | 6.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 6.4.12 | KB87099 | None |
| VMware AppDefense Appliance | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | N/A | UeX 109180 | None |
| VMware Cloud Director Object Storage Extension | 2.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.1.0.1 | KB87102 | None |
| VMware Cloud Director Object Storage Extension | 2.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.0.0.3 | KB87102 | None |
| VMware Telco Cloud Operations | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.4.0.1 | KB87143 | None |
| VMware Smart Assurance NCM | 10.1.6.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 10.1.6.1 | KB87113 | None |
| VMware Smart Assurance SAM [Service Assurance Manager] | 10.1.5 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 10.1.5.5 | KB87119 | None |
| VMware Smart Assurance SAM [Service Assurance Manager] | 10.1.0.x, 10.1.2 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 10.1.2.16 | KB87119 | None |
| VMware Integrated OpenStack | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 7.2 | KB87118 | None |
| VMware Cloud Provider Lifecycle Manager | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.2.0.1 | KB87142 | None |
| VMware SD-WAN VCO | 4.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87158 | KB87158 | None |
| VMware NSX Intelligence | 1.2.x, 1.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.2.1.1 | KB87150 | None |
| VMware Horizon Agents Installer | 21.x.x, 20.x.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87157 | KB87157 | None |
| VMware Smart Assurance M&R | 6.8u5, 7.0u8, 7.2.0.1 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87161 | KB87161 | None |

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| VMware Carbon Black Cloud Workload Appliance | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.1.2 | UeX 190167 | None |
| VMware Carbon Black EDR Server | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 7.6.1 | UeX 109183 | None |

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| VMware vRealize Automation | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 8.6.2 | KB87120 | None |
| VMware vRealize Automation | 7.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB70911 | KB87121 | None |
| VMware vRealize Business for Cloud | 7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87539 | KB87127 | None |
| VMware vRealize Lifecycle Manager | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 8.6.2 | KB87097 | None |
| VMware vRealize Log Insight | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87519 | KB87089 | None |
| VMware vRealize Network Insight | 6.x, 5.3 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 6.5.1 | KB87135 | None |
| VMware vRealize Operations | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87076 | KB87076 | None |
| VMware vRealize Operations Cloud (Cloud Proxy) | Any | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | Q4FY22 Cloud Update | KB87080 | None |
| VMware vRealize Operations Tenant App for VMware Cloud Director | 2.5 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.5.1 | KB87187 | None |
| VMware vRealize Orchestrator | 8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 8.6.2 | KB87120 | None |
| VMware vRealize Orchestrator | 7.6 | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB70629 | KB87122 | None |
| VMware vRealize True Visibility Suite | Any | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | KB87136 | KB87136 | None |

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| App Metrics | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.1.2 | None | None |
| API Portal for VMware Tanzu | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.0.8 | None | None |
| Healthwatch for Tanzu Application Service | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.1.8 | None | None |
| Healthwatch for Tanzu Application Service | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.8.7 | None | None |
| Single Sign-On for VMware Tanzu Application Service | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.14.6 | None | None |
| Spring Cloud Gateway for Kubernetes | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.0.7 | None | None |
| Spring Cloud Gateway for VMware Tanzu | 1.1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.1.4 | None | None |
| Spring Cloud Gateway for VMware Tanzu | 1.0.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.0.19 | None | None |
| Spring Cloud Services for VMware Tanzu | 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 3.1.27 | None | None |
| Spring Cloud Services for VMware Tanzu | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.1.10 | None | None |
| VMware Greenplum Text | 3.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 3.8.1 | Article Number 13256 | None |
| VMware Harbor Container Registry for TKGI | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.4.1 | Article Number 13263 | None |
| VMware Tanzu Application Service for VMs | 2.12.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.12.5 | Article Number 13265 | None |
| VMware Tanzu Application Service for VMs | 2.11.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.11.13 | Article Number 13265 | None |
| VMware Tanzu Application Service for VMs | 2.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.10.24 | Article Number 13265 | None |
| VMware Tanzu Application Service for VMs | 2.9.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.9.30 | Article Number 13265 | None |
| VMware Tanzu Application Service for VMs | 2.8.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.8.30 | Article Number 13265 | None |
| VMware Tanzu Application Service for VMs | 2.7.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.7.44 | Article Number 13265 | None |
| VMware Tanzu GemFire | 9.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 9.10.13 | Article Number 13255 | None |
| VMware Tanzu GemFire | 9.9.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 9.9.7 | Article Number 13255 | None |
| VMware Tanzu GemFire for VMs | 1.14.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.14.2 | Article Number 13262 | None |
| VMware Tanzu GemFire for VMs | 1.13.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.13.5 | Article Number 13262 | None |
| VMware Tanzu GemFire for VMs | 1.12.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.12.4 | Article Number 13262 | None |
| VMware Tanzu Greenplum Platform Extension Framework | 6.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 6.2.1 | Article Number 13256 | None |
| VMware Tanzu Kubernetes Grid Integrated Edition | 1.13.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.13.1 | Article Number 13263 | None |
| VMware Tanzu Kubernetes Grid Integrated Edition | 1.10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.10.8 | Article Number 13263 | None |
| VMware Tanzu Observability by Wavefront Nozzle | 3.x, 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 3.0.4 | None | None |
| VMware Tanzu Observability Proxy | 10.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 10.12 | Article Number 13272 | None |
| VMware Tanzu Operations Manager | 2.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 2.10.25 | Article Number 13264 | None |
| VMware Tanzu Scheduler | 1.x | Any | CVE-2021-44228, CVE-2021-45046 | 10.0, 9.0 | critical | 1.6.1 | Article Number 13280 | None |

4. REFERENCES

FIRST CVSSv3 Calculator:


CVE-2021-44228: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
(10.0)

CVE-2021-45046: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
(9.0)


Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

5. CHANGE LOG

2021-12-10: VMSA-2021-0028
Initial security advisory.

 

2021-12-11: VMSA-2021-0028.1

Updated advisory with workaround information for multiple products including
vCenter Server Appliance, vRealize Operations, Horizon, vRealize Log Insight,
Unified Access Gateway.

 

2021-12-13: VMSA-2021-0028.2

Revised advisory with updates to multiple products.

 

2021-12-15: VMSA-2021-0028.3

Revised advisory with updates to multiple products. In addition, added
CVE-2021-45046 information and noted alignment with new Apache Software
Foundation guidance. 

 

2021-12-17: VMSA-2021-0028.4

Revised advisory with updates to multiple products.

 

2021-12-20: VMSA-2021-0028.5

Added a note on current CVE-2021-45105 investigations.

 

2021-12-21: VMSA-2021-0028.6

Revised advisory with updates to multiple products, including vRealize
Operations and vRealize Log Insight.

 

2021-12-22: VMSA-2021-0028.7

Revised advisory with updates to multiple products, including HCX.

 

2021-12-24: VMSA-2021-0028.8

Revised advisory with updates to multiple products, including NSX-T, TKGI and
Greenplum.

 

2022-01-19: VMSA-2021-0028.9

Revised advisory with updates to multiple products, including vRealize
Automation, vRealize Orchestrator, NSX Intelligence, and vRealize Lifecycle
Manager.

 

2022-01-27: VMSA-2021-0028.10

Revised advisory with updates to multiple products, including vCenter Server.

 

2022-02-08: VMSA-2021-0028.11

Revised advisory with updates to vCenter Server 6.7.x & 6.5.x.

 

2022-02-10: VMSA-2021-0028.12

Revised advisory with updates to VMware Cloud Foundation 4.x.

 

2022-02-14: VMSA-2021-0028.13

Revised advisory with updates to VMware Cloud Foundation 3.x.

 

6. CONTACT

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

 

VMware Security Advisories

https://www.vmware.com/security/advisories 

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

 

Twitter

https://twitter.com/VMwareSRC


 

Copyright 2021 VMware Inc. All rights reserved.
 




