Unless you’ve been living under a rock the past couple days, you’ve likely been seeing many articles regarding CVE-2021-44228 which describes a remote code execution vulnerability within Apache Log4j. Apache Log4j is a Java-based logging utility used by many applications across the world, and as such, this vulnerability is a huge issue due to how easy it is to exploit as well as the sheer number of vulnerable devices.
Like most companies with Java-based applications, many of VMware’s products utilize Log4j to provide application logging capabilities. While the complete list of affected VMware products is not currently finalized, VMware has published security advisory VMSA-2021-0028 - VMware Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228). This advisory lists all of the VMware products currently under evaluation as well as possible workarounds to mitigate the issue until software updates are released. The list of products under evaluation does not currently include all VMware products, and the advisory states that the event is ongoing. I would highly recommend that you check this security advisory regularly for updates.
For additional information related to workarounds for the most common VMware products, see the following KBs: