VMware Horizon Community
Perttu
Enthusiast

Does Log4j vulnerability CVE-2021-44228 affect any Horizon components

Hi,

Are any of the components included in any Horizon products vulnerable to CVE-2021-44228? Horizon comprises many Java programs, so are any of them using Log4j as their logging framework and, if so, are the versions used vulnerable to this CVE?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

23 Replies
mvinod
VMware Employee

Could you please clarify which specific files/components you were referring to w.r.t. App Volumes?

Melandrach
Contributor

FYI: VMware released patches for both Connection server and View agent yesterday evening to address the vulnerability.

Looks like you will need to be on the latest track.

7.13.1 or 8.4.0 (Horizon 7 and Horizon 8)

Anobix67
Enthusiast

Is it some sort of beta track? I don't see anything in release notes newer than from 5/25/21 and not in the downloads page that I could find. 

Edit: https://docs.vmware.com/en/VMware-Horizon-7/7.13.1/rn/horizon-7131-view-release-notes.html

Still shows regular release date but updated as of 12/16 with a different build number still on 7.13.1

Melandrach
Contributor

So I haven't updated connection server yet but I updated the agent and confirmed it contains the 2.16 (patched) version of Log4j. So what I think they did is just took the agent and connection server for 7.13.1 and 8.4.0 and updated that component in the existing package and then iterated the build number to reflect. As far as I can tell that is the only difference in the release vs the old 7.13.1 and 8.4.0.

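
One way to repeat the check described in the last reply (confirming which Log4j version an installed component bundles), as an added example that is not from any poster or from VMware. It assumes log4j-core copies carry the standard Maven `pom.properties` entry, uses the 2.16 threshold the thread calls patched, and takes the install directory to scan as its argument.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

PATCHED = (2, 16, 0)  # the version the thread above calls patched
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def inspect(data, label):
    """Yield (label, version, has_jndi_lookup) for each log4j-core copy found."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM in names or JNDI in names:
            version = None  # stays None for repackaged copies without pom.properties
            if POM in names:
                m = re.search(rb"^version=(\d+)\.(\d+)(?:\.(\d+))?", zf.read(POM), re.M)
                if m:
                    version = tuple(int(g or 0) for g in m.groups())
            yield label, version, JNDI in names
        # Recurse into archives bundled inside this one (e.g. WEB-INF/lib/*.jar)
        for name in sorted(names):
            if name.lower().endswith(ARCHIVES):
                yield from inspect(zf.read(name), f"{label}!{name}")

def scan(root):
    """Walk root and return findings for every archive on disk."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            findings.extend(inspect(path.read_bytes(), str(path)))
    return findings

def needs_update(version):
    """Copies older than PATCHED, or of unknown version, need review."""
    return version is None or version < PATCHED

if __name__ == "__main__":
    for label, version, jndi in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        shown = ".".join(map(str, version)) if version else "unknown"
        status = "REVIEW" if needs_update(version) else "ok"
        print(f"{status:6} log4j-core {shown:8} JndiLookup={jndi} {label}")
```

A copy reported as `unknown` has the JndiLookup class but no Maven metadata, which usually means it was repackaged into another archive and has to be checked by hand.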