VMware Cloud Community
esmnoc
Contributor

Is my upgraded HCX ver 4.2.3 vulnerable to latest Log4J exploit (CVE-2021-45046)?

Folks,

I've followed the guidance regarding VMware HCX in article https://kb.vmware.com/s/article/87104 for the recent Log4J exploit documented in CVE-2021-44228 and I'm now running HCX 4.2.3. However, the new Log4J exploit documented in CVE-2021-45046 refers to the need for "removing support for message lookup patterns" and "disabling JNDI functionality by default". Are these fixes included in the HCX upgrade ver 4.2.3 which I applied previously?

There is no new guidance from VMware regarding the latest exploit and I can't find any reference to exactly what changes were made in HCX ver 4.2.3 so I have no idea if another HCX version is in the works or if the current version protects against the new exploit.

Any insight into this question would be helpful.

Thanks.

0 Kudos
1 Reply
virtualdive
VMware Employee

You should upgrade to 4.3, as this release is not impacted: "This HCX release is not impacted by CVE-2021-44228 or CVE-2021-45046." This is documented in the release notes here:

https://docs.vmware.com/en/VMware-HCX/4.3/rn/VMware-430-Release-Notes.html#securityissues

Regards,

'V'
thevshish.blogspot.in
vExpert-2014-2021
0 Kudos
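
An added example, not part of the thread and not VMware's tooling: one way to check a log4j-core jar against the two CVEs discussed above, using the upstream Apache Log4j fix levels (2.15.0 for CVE-2021-44228, 2.16.0 for CVE-2021-45046, with 2.12.2 and 2.3.1 as backports). The function names and the sample jar are constructed for illustration, reading the version from the manifest's `Implementation-Version` is an assumption, and the result says nothing about which Log4j build a given HCX release bundles.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Upstream Apache Log4j fix levels (not HCX data): CVE-2021-44228 is fixed in
# 2.15.0 and CVE-2021-45046 in 2.16.0; 2.12.2+ and 2.3.1+ backport both fixes.
FIXED = {"CVE-2021-44228": (2, 15, 0), "CVE-2021-45046": (2, 16, 0)}
BACKPORTS = {(2, 12): 2, (2, 3): 1}  # release line -> first fixed patch level


def parse_version(text):
    """Return (major, minor, patch) from '2.14.1' or '2.0-beta9'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def exposed_cves(version):
    """CVEs that upstream lists as affecting this log4j-core version."""
    v = parse_version(version)
    if v[0] != 2:
        return []  # Log4j 1.x is outside both advisories
    first_fixed = BACKPORTS.get(v[:2])
    if first_fixed is not None and v[2] >= first_fixed:
        return []
    return [cve for cve, fixed in FIXED.items() if v < fixed]


def inspect_jar(jar_bytes):
    """Report version, JndiLookup presence and exposure for one jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    version = m.group(1) if m else None
    exposed = exposed_cves(version) if version else None
    return {"version": version, "jndi_class": JNDI_CLASS in names, "exposed": exposed}


def make_sample_jar(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar (sample input, not a real one)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\r\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")
    return buf.getvalue()
```

To check a real file, pass its bytes (`open(path, "rb").read()`) to `inspect_jar`. Jars nested inside fat jars or WAR files are not unpacked, so a clean result on the outer archive does not cover them.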