VMware announced a critical security advisory. I thought I’d put the necessary information on one page.

VMware has released new a critical security advisory, VMSA-2021-0028. This advisory is for multiple VMware products that use the popular open source log4j Java logging component, which was discovered to have a critical vulnerability in it (CVE-2021-44228)

This needs your immediate attention, not just at the VMware product level, but also for all other software in your environment. The log4j component is used by many vendors and software packages.

Click here for more information on the: VMSA-2021-0028: Questions & Answers.

Problem Description

A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in impacted VMware products. 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2021-44228 to this issue.

Known Attack Vectors

A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.


Fixes for CVE-2021-44228 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’. Link to article and the Response Matrix: VMSA-2021-0028.1

The following VMware products are affected:

  • VMware Horizon
  • VMware vCenter Server
  • VMware HCX
  • VMware NSX-T Data Center
  • VMware Unified Access Gateway
  • VMware WorkspaceOne Access
  • VMware Identity Manager 
  • VMware vRealize Operations
  • VMware vRealize Operations Cloud Proxy
  • VMware vRealize Log Insight
  • VMware vRealize Automation
  • VMware vRealize Lifecycle Manager
  • VMware Telco Cloud Automation
  • VMware Site Recovery Manager, vSphere Replication
  • VMware Carbon Black Cloud Workload Appliance
  • VMware Carbon Black EDR Server
  • VMware Tanzu GemFire
  • VMware Tanzu Greenplum
  • VMware Tanzu Operations Manager
  • VMware Tanzu Application Service for VMs
  • VMware Tanzu Kubernetes Grid Integrated Edition
  • VMware Tanzu Observability by Wavefront Nozzle
  • Healthwatch for Tanzu Application Service
  • Spring Cloud Services for VMware Tanzu
  • Spring Cloud Gateway for VMware Tanzu
  • Spring Cloud Gateway for Kubernetes
  • API Portal for VMware Tanzu
  • Single Sign-On for VMware Tanzu Application Service
  • App Metrics
  • VMware vCenter Cloud Gateway
  • VMware Tanzu SQL with MySQL for VMs
  • VMware vRealize Orchestrator
  • VMware Cloud Foundation
  • VMware Workspace ONE Access Connector
  • VMware Horizon DaaS
  • VMware Horizon Cloud Connector
  • VMware NSX Data Center for vSphere
  • VMware AppDefense Appliance
  • (Additional products will be added)