Hi,
Are any of the components included in any Horizon products vulnerable to CVE-2021-44228? Horizon comprises from many Java programs, so is there any of them using Log4j as their logging framework and if it is so, are the used versions vulnerable to this CVE?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
Could you please clarify which specific files/components were you referring to w.r.t App Volumes?
FYI: VMware released patches for both Connection server and View agent yesterday evening to address the vulnerability.
Looks like you will need to be on the latest track.
7.13.1 or 8.4.0 ( Horizon 7 and Horizon 8 )
Is it some sort of beta track? I don't see anything in release notes newer than from 5/25/21 and not in the downloads page that I could find.
Edit: https://docs.vmware.com/en/VMware-Horizon-7/7.13.1/rn/horizon-7131-view-release-notes.html
Still shows regular release date but updated as of 12/16 with a different build number still on 7.13.1
So I haven't updated connection server yet but I updated the agent and confirmed it contains the 2.16 (patched) version of Log4j. So what I think they did is just took the agent and connection server for 7.13.1 and 8.4.0 and updated that component in the existing package and then iterated the build number to reflect. As far as I can tell that is the only difference in the release vs the old 7.13.1 and 8.4.0.
