VMware Cloud Community
mstein22
Contributor

CVE-2021-44228 -- Apache Log4j - VMware Horizon Security Server 7.0 (windows)

There is nothing mentioned about the above product. Does this product also need a workaround for the vulnerability?

0 Kudos
11 Replies
nachogonzalez
Commander

Hey, hope you are doing well.
Wasn't Horizon Security Server replaced with Unified Access Gateway appliance?

0 Kudos
mstein22
Contributor

I'm fine, thanks. You are correct, but we are in the middle of the migration process. And in version 7.0 there is a specific security role.

0 Kudos
SMcClure1
VMware Employee

Hi, please go here https://www.vmware.com/security/advisories/VMSA-2021-0028.html for the latest information on this issue.

eucninja3
Contributor

Advisory doesn't specify if Security Servers will need the same patches as the Connection Servers. Anyone know of any additional info regarding the Security Servers?

0 Kudos
mstein22
Contributor

If you look in the registry for the workaround, you see only the tunnel key; adjust this one accordingly:

  1. Edit this registry value: HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TunnelService\Params\JVMOptions
  2. Append a single space character followed by this text: -Dlog4j2.formatMsgNoLookups=true
  3. Exit the registry editor and restart the Connection Server service or reboot the machine
0 Kudos
SMcClure1
VMware Employee

Content is being updated frequently.

For Tanzu you can find updated KBs and Answers here

For VMware Core you can find updated KBs and Answers here

0 Kudos
S-Z
Contributor

I reviewed the workaround information, which guided me to KB87073 for the connection server. I stopped the connection service and performed the three registry changes:

HKLM\Software\VMware, Inc.\VMware\VDM\plugins\wsnm\MessageBusService\Params\JVMOptions
HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService\Params\JVMOptions
HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TunnelService\Params\JVMOptions

Each with appending a single space character followed by this text: -Dlog4j2.formatMsgNoLookups=true

After doing so and restarting the service, the web portal was no longer accessible, nor was the admin login. After another restart, the same experience. I backed out the three changes and the portal and admin login became available again a short time after the restart.

Analysis:

  • Checked the Connection Server in use is 7.10.2
  • The registry is applied with a space but we still see the issue after restart.
  • Checked the KB 87073 again and see that the workaround is for the Horizon versions below

Horizon 8 versions 2111, 2106, 2103, 2012, 2006
Horizon 7 versions 7.13.1, 7.13.0, 7.12.0, 7.10.3

So we have to upgrade to 7.10.3 and then apply the workaround fix with registry

0 Kudos
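The registry edits described in the two posts above (the TunnelService step from mstein22 and the three-key version from S-Z) are easy to get wrong by hand, and S-Z's experience shows why you want a backup before touching them. The following PowerShell script is an added example, not code from this thread or from VMware: it backs up the three JVMOptions values, appends `-Dlog4j2.formatMsgNoLookups=true` only if it is not already present, reports which services carry the flag, and can restore the saved values if the Connection Server stops working afterwards. The key paths and the flag are taken from the thread; the backup directory is an assumed location.

```powershell
# Added example (not from the thread or from VMware). Applies, verifies or rolls back
# the -Dlog4j2.formatMsgNoLookups=true workaround on the three Horizon Connection
# Server JVMOptions values named in the thread. Run in an elevated PowerShell session.
$Flag      = '-Dlog4j2.formatMsgNoLookups=true'
$BackupDir = 'C:\Horizon-Log4j-Backup'      # assumed location; change as needed
$Base      = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\plugins\wsnm'
$Services  = 'MessageBusService', 'TomcatService', 'TunnelService'

function Get-JvmOptionsPath([string]$Service) {
    Join-Path $Base "$Service\Params"
}

function Get-JvmOptions([string]$Service) {
    (Get-ItemProperty -Path (Get-JvmOptionsPath $Service) -Name JVMOptions -ErrorAction Stop).JVMOptions
}

function Test-FlagPresent([string]$Options) {
    # Split on whitespace so a partial match inside another option does not count
    (($Options -split '\s+') -contains $Flag)
}

function Backup-JvmOptions {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($svc in $Services) {
        Get-JvmOptions $svc | Set-Content -Path (Join-Path $BackupDir "$svc.JVMOptions.txt") -NoNewline
    }
    Write-Host "Current JVMOptions saved to $BackupDir"
}

function Apply-Log4jWorkaround {
    # The thread notes the KB lists the workaround only for specific Horizon versions
    # (for example 7.10.3, not 7.10.2); confirm your version is listed before running this.
    Backup-JvmOptions
    foreach ($svc in $Services) {
        $current = Get-JvmOptions $svc
        if (Test-FlagPresent $current) {
            Write-Host "$svc already contains $Flag, skipping"
            continue
        }
        # Append exactly one space followed by the flag, as the KB step describes
        Set-ItemProperty -Path (Get-JvmOptionsPath $svc) -Name JVMOptions -Value "$current $Flag"
        Write-Host "$svc updated"
    }
}

function Test-Log4jWorkaround {
    # Emits one row per service so the result can be piped to Format-Table or exported
    foreach ($svc in $Services) {
        $current = Get-JvmOptions $svc
        [pscustomobject]@{
            Service     = $svc
            FlagPresent = (Test-FlagPresent $current)
            JVMOptions  = $current
        }
    }
}

function Restore-JvmOptions {
    # Puts back the values saved by Backup-JvmOptions (the "back out" step from the thread)
    foreach ($svc in $Services) {
        $file = Join-Path $BackupDir "$svc.JVMOptions.txt"
        if (-not (Test-Path $file)) { throw "No backup for $svc found in $BackupDir" }
        Set-ItemProperty -Path (Get-JvmOptionsPath $svc) -Name JVMOptions -Value (Get-Content $file -Raw)
        Write-Host "$svc restored from backup"
    }
}

# Typical use:
#   Apply-Log4jWorkaround            # backs up, then appends the flag where missing
#   Test-Log4jWorkaround | Format-Table
#   Restore-JvmOptions               # if the Connection Server misbehaves afterwards
```

The script does not restart anything: as in the KB steps quoted above, the Connection Server service still has to be restarted (or the machine rebooted) for the new JVM options to take effect, and the version check in the comment is the caveat S-Z ran into on 7.10.2.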
IRIX201110141
Champion

The Unified Access Gateway will not help you in the first place, because it will forward all requests to the internal veeam connection server, and this one will execute and download the payloads.

With the help of vRI we found the queries and have encoded the payload. We were lucky because the code only works on a Linux and not a Windows server, because they call bash and sh as the interpreter. We have curl and wget on Windows on a regular basis 😞

We were scanned first on 12/11 in the morning hours and patched on 12/12 in the evening. A couple of tries are recorded in that period.

Regards,
Joerg
0 Kudos
SMcClure1
VMware Employee

This is where you can find the latest updates:

VMware Security Solutions https://www.vmware.com/security/advisories/VMSA-2021-0028.html

0 Kudos
IRIX201110141
Champion

Sorry, too late. I hadn't seen the UAG listed yesterday... and we were scanned and most likely infected earlier. The UAG contains wget and curl.

The listing isn't exactly right and shows "21.x, 20.x, 3.x" for the UAG. The workaround is clearly only for 2009 and up. It's not for 3.5.x and there is a big warning.

Regards,
Joerg

0 Kudos
dirkuijt
Contributor

edit: managed to recover with the proper settings, Horizon runs again.

Changing the JvmOptions regkeys messed up our Connection Server and now nobody can log in!

HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\plugins\wsnm\MessageBusService\Params\JvmOptions
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService\Params\JvmOptions
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\plugins\wsnm\TunnelService\Params\JvmOptions

thanks!

0 Kudos