Workaround to Apache Log4j Vulnerability

Dec 14, 2021 2 min read
Synopsis

On December 10, 2021, a 0-day exploit was discovered in the Java logging library Log4j (version 2).

This 0-day has been published by the Common Vulnerabilities and Exposures (CVE) project as CVE-2021-44228 and received the maximum CVSS risk score of 10:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Let’s take a look at the situation for the VMware Workspace ONE portfolio products:

Note: We are describing here VMware's response for the Workspace ONE portfolio products only. However, many other VMware products may also be impacted.

What is the Log4j 0-day exploit?

Broadly speaking, the Log4j 0-day exploit allows an attacker to send a specific message that the targeted server will log. This message can then activate the exploit: the targeted server, via the JNDI API (connection to directories), contacts another, malicious server from which it retrieves the malicious code.

VMware Response

On December 10, 2021, in response to the Log4Shell exploit, VMware published a security advisory for all of its impacted products.

This document is available at the following URL:

https://www.vmware.com/security/advisories/VMSA-2021-0028.html

Please find below the list of impacted Workspace ONE portfolio products:

  • VMware Unified Access Gateway version 21.x, 20.x, 3.x
  • VMware Workspace ONE Access version 21.x, 20.10.x
  • VMware Identity Manager version 3.3.x
  • VMware Workspace ONE Access Connector / VMware Identity Manager
    Connector version 21.x, 20.10.x, 19.03.0.1

Note: Workspace ONE UEM is not impacted by this exploit, as this product is based on IIS and not Java Apache.

What workarounds can be applied?

To date, no patch is available for the 4 products above, only workarounds.

Please find the dedicated Knowledge Base article for each product, describing the workaround instructions:

Note: It is recommended to upgrade older versions to newer supported versions before applying the workaround. This procedure may not work for older unsupported versions.

Note: The vulnerability applies to all versions of the Unified Access Gateway appliance when configured for RADIUS or RSA SecurID authentication and used with the Horizon edge service or Web Reverse Proxy edge service.

Those workarounds are therefore temporary until a patch is made available by VMware.

If you have any doubts or questions concerning this subject, feel free to contact us as soon as possible: info@mobinergy.com

Stay tuned for more important updates!
