<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components in Horizon Desktops and Apps</title>
    <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882741#M95621</link>
    <description>&lt;P&gt;I'm not sure if that KB covers all.&lt;/P&gt;&lt;P&gt;Attackers use ip:port to execute attack, not standard LDAP ports as there is answer in some of KB. Also they use no_dns_lookups also.&lt;/P&gt;&lt;P&gt;more on tag: CVE-2021-44228&lt;/P&gt;</description>
    <pubDate>Sat, 11 Dec 2021 10:36:20 GMT</pubDate>
    <dc:creator>chris_x5</dc:creator>
    <dc:date>2021-12-11T10:36:20Z</dc:date>
    <item>
      <title>Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882576#M95602</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Are any of the components included in any Horizon products vulnerable to&amp;nbsp;CVE-2021-44228? Horizon comprises from many Java programs, so is there any of them using Log4j as their logging framework and if it is so, are the used versions vulnerable to this CVE?&lt;/P&gt;&lt;P&gt;&lt;A href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228" target="_blank"&gt;https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 10 Dec 2021 11:33:13 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882576#M95602</guid>
      <dc:creator>Perttu</dc:creator>
      <dc:date>2021-12-10T11:33:13Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882586#M95604</link>
      <description>&lt;P&gt;pretty sure that view horizon server 8.2 is affected, newer versions probably also...&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;C:\Program Files\VMware\VMware View\Server\broker\webapps\portal\WEB-INF\lib\log4j-core-2.13.3.jar&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;C:\Program Files\VMware\VMware View\Server\lib\log4j-core-2.13.3.jar&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;C:\Program Files\VMware\VMware View\Server\messagebus\kernel\sys$authentication\log4j-core-2.13.3.jar&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 10 Dec 2021 12:28:29 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882586#M95604</guid>
      <dc:creator>ghaid</dc:creator>
      <dc:date>2021-12-10T12:28:29Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882695#M95618</link>
      <description>&lt;P&gt;&lt;A href="https://kb.vmware.com/s/article/87068?lang=en_US" target="_blank"&gt;VMware Response to CVE-2021-44228: Apache Log4j Remote Code Execution (87068)&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Am told this KB is to be updated soon&lt;/P&gt;</description>
      <pubDate>Fri, 10 Dec 2021 20:42:30 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882695#M95618</guid>
      <dc:creator>BenTrojahn</dc:creator>
      <dc:date>2021-12-10T20:42:30Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882741#M95621</link>
      <description>&lt;P&gt;I'm not sure if that KB covers all.&lt;/P&gt;&lt;P&gt;Attackers use ip:port to execute attack, not standard LDAP ports as there is answer in some of KB. Also they use no_dns_lookups also.&lt;/P&gt;&lt;P&gt;more on tag: CVE-2021-44228&lt;/P&gt;</description>
      <pubDate>Sat, 11 Dec 2021 10:36:20 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882741#M95621</guid>
      <dc:creator>chris_x5</dc:creator>
      <dc:date>2021-12-11T10:36:20Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882771#M95622</link>
      <description>&lt;P&gt;Follow this security advisory for affected products&amp;nbsp;&lt;A href="https://www.vmware.com/security/advisories/VMSA-2021-0028.html" target="_blank"&gt;https://www.vmware.com/security/advisories/VMSA-2021-0028.html&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Sat, 11 Dec 2021 16:38:37 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882771#M95622</guid>
      <dc:creator>dee0606</dc:creator>
      <dc:date>2021-12-11T16:38:37Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882790#M95623</link>
      <description>&lt;P&gt;Thanks.. I was following that.. &amp;nbsp;I’m a bit confused though.&lt;/P&gt;&lt;P&gt;So VMware mentions UAG’s are effected, but does not talk about the security servers. &amp;nbsp; However the remediation talks about the connection servers and the agent.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Feels like a disconnect. &amp;nbsp; Under a standard setup the Connection servers wouldn’t be exposed right?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 11 Dec 2021 19:38:24 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882790#M95623</guid>
      <dc:creator>bigjohn111</dc:creator>
      <dc:date>2021-12-11T19:38:24Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882803#M95625</link>
      <description>&lt;P&gt;I suppose you remediate Security Servers as you would remediate Connection Servers as per kb&amp;nbsp;87073. Both are Windows Servers.&lt;/P&gt;&lt;P&gt;Here's a script to aid you and others with the remediation.&lt;/P&gt;&lt;LI-CODE lang="csharp"&gt;&amp;lt;#
.SYNOPSIS
    CVE-2021-44228 – VMSA-2021-0028 - https://kb.vmware.com/s/article/87073 mitigation script
    
.NOTES
    Author: Perttu 
    Contact: https://communities.vmware.com/t5/user/viewprofilepage/user-id/2180740
#&amp;gt;

$registryKeys = 'HKLM:\Software\VMware, Inc.\VMware VDM\plugins\wsnm\MessageBusService\Params',
                'HKLM:\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService\Params',
                'HKLM:\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TunnelService\Params'

$property = 'JVMOptions'
$fix = ' -Dlog4j2.formatMsgNoLookups=true'

foreach ( $regKey in $registryKeys ) 
{
    try 
    {
        $propertyValue = Get-ItemPropertyValue -Path $regKey -Name $property
    } catch {
        # Windows 2012 R2 with built-in PS version 4.x does not include Get-ItemPropertyValue cmdlet
        $propertyObj = Get-ItemProperty -Path $regKey -Name $property
        $propertyValue = $propertyObj.$property
    }     
          
    if ( $propertyValue -notmatch $fix ) 
    {
        Write-Host "Fixing $regKey by appending$fix to its $property property value."
        $newValue = $propertyValue + $fix
        Set-ItemProperty -Path $regKey -Name $property -Value $newValue
    }
    else 
    {
        Write-Host "$regKey has the fix already"
    }
}&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 11 Dec 2021 23:10:32 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882803#M95625</guid>
      <dc:creator>Perttu</dc:creator>
      <dc:date>2021-12-11T23:10:32Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882814#M95626</link>
      <description>&lt;P&gt;We utilized GPO to inject the instaclone agent machine registry key to the Horizon agent service. It applies Local Machine policy before the Horizon agent is started with the added&amp;nbsp;Dlog4j2.formatMsgNoLookups key.&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Edit this registry value: HKLM\Software\VMware, Inc.\VMware VDM\Node Manager\JVM\JVMOptions&lt;/LI&gt;&lt;LI&gt;Append a single space character followed by this text: -Dlog4j2.formatMsgNoLookups=true&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;We verified by having our security team scan the Horizon desktop and found no apache log vulnerability to assure GPO applied the patch and passed validation. Hopefully, the updated agents will be released soon.&amp;nbsp;&lt;/P&gt;&lt;P&gt;If GPO is used, just make sure it is in the VDI Active Directory OU and reboot the instant clones. (Tested for instant clones but linked clones you will need to recompose )&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RobBenedit_0-1639269811551.png" style="width: 400px;"&gt;&lt;img src="https://communities.vmware.com/t5/image/serverpage/image-id/92533i5A91E720DC3842C9/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="RobBenedit_0-1639269811551.png" alt="RobBenedit_0-1639269811551.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 12 Dec 2021 00:48:10 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882814#M95626</guid>
      <dc:creator>RobBenedit</dc:creator>
      <dc:date>2021-12-12T00:48:10Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882817#M95627</link>
      <description>&lt;P&gt;Thanks for posting.&lt;/P&gt;</description>
      <pubDate>Sun, 12 Dec 2021 03:25:01 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882817#M95627</guid>
      <dc:creator>elproducto</dc:creator>
      <dc:date>2021-12-12T03:25:01Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882818#M95628</link>
      <description>&lt;P&gt;The Connection servers need 3 reg keys modified with a reboot or Horizon broker service restart. The external UAGs have a patch released.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 12 Dec 2021 03:11:20 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882818#M95628</guid>
      <dc:creator>RobBenedit</dc:creator>
      <dc:date>2021-12-12T03:11:20Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882920#M95633</link>
      <description>&lt;P&gt;Does anyone know the status of App Volumes? I'm assuming that VMWare is indicating it's not impacted because it's not listed as a Horizon fix, but I did notice log4j components on the App Volumes Manager. Can anyone confirm?&lt;/P&gt;</description>
      <pubDate>Mon, 13 Dec 2021 00:02:41 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882920#M95633</guid>
      <dc:creator>coreyberla</dc:creator>
      <dc:date>2021-12-13T00:02:41Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882928#M95634</link>
      <description>&lt;P&gt;I'm not absolute sure, but I think App Volumes is mostly written with Ruby. Hence if no Java, then no Log4j. However there might be some additional tools written in Java present on installations, but I would not be worried about those whenever they are not running services open to internet allowing user input.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 13 Dec 2021 03:27:47 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882928#M95634</guid>
      <dc:creator>Perttu</dc:creator>
      <dc:date>2021-12-13T03:27:47Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882933#M95635</link>
      <description>&lt;P&gt;&lt;STRONG&gt;&lt;a href="https://communities.vmware.com/t5/user/viewprofilepage/user-id/1960760"&gt;@coreyberla&lt;/a&gt;&amp;nbsp;&lt;/STRONG&gt;Could you please clarify which specific log4j components are you referring to?&lt;/P&gt;</description>
      <pubDate>Mon, 13 Dec 2021 04:43:26 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2882933#M95635</guid>
      <dc:creator>acnag</dc:creator>
      <dc:date>2021-12-13T04:43:26Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2883082#M95644</link>
      <description>&lt;P&gt;Advisory doesn't specify if Security Servers will need the same patches as the Connection Servers. Anyone know of any additional info regarding the Security Servers?&lt;/P&gt;</description>
      <pubDate>Mon, 13 Dec 2021 15:39:32 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2883082#M95644</guid>
      <dc:creator>eucninja3</dc:creator>
      <dc:date>2021-12-13T15:39:32Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2883121#M95649</link>
      <description>&lt;P&gt;edit&lt;/P&gt;</description>
      <pubDate>Mon, 13 Dec 2021 17:57:58 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2883121#M95649</guid>
      <dc:creator>matthewgONCU</dc:creator>
      <dc:date>2021-12-13T17:57:58Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2883127#M95650</link>
      <description>&lt;P&gt;&lt;a href="https://communities.vmware.com/t5/user/viewprofilepage/user-id/3606390"&gt;@matthewgONCU&lt;/a&gt;&amp;nbsp; vmware often doesn't consistently refer to registry keys and values correctly.&lt;/P&gt;&lt;P&gt;edit JVMOptions value that you have selected and append &lt;SPAN&gt;&amp;nbsp; -Dlog4j2.formatMsgNoLookups=true&amp;nbsp; to it. e.g. j&lt;/SPAN&gt;ust follow the syntax of the other values.&amp;nbsp; Presumably there may be different data for JVMoptions, but since yours appears to be the same as mine this reg illustrates the intent:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Windows Registry Editor Version 5.00&lt;/P&gt;&lt;P&gt;[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Node Manager\JVM]&lt;BR /&gt;"JVMoptions"="-Xmx32m -Djdk.tls.ephemeralDHKeySize=2048 -Dlog4j2.formatMsgNoLookups=true"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;YMMV&lt;/P&gt;</description>
      <pubDate>Mon, 13 Dec 2021 18:36:32 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2883127#M95650</guid>
      <dc:creator>BenTrojahn</dc:creator>
      <dc:date>2021-12-13T18:36:32Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2883690#M95702</link>
      <description>&lt;P&gt;Can we get clarification, does&amp;nbsp;&lt;SPAN&gt;-Dlog4j2.formatMsgNoLookups=true actually mitigate the vulnerability at all? From what our Security team is telling us with the second vulnerability in Log4j discovered, this mitigation is now worthless and easily&amp;nbsp;&lt;/SPAN&gt;bypassed. They are saying that the only true mitigation is updating the Log4j component to version 2.16, which was just released.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Dec 2021 17:41:25 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2883690#M95702</guid>
      <dc:creator>Melandrach</dc:creator>
      <dc:date>2021-12-15T17:41:25Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2883725#M95704</link>
      <description>&lt;P&gt;VMWare just release this statement&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;&lt;SPAN&gt;Notice:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN&gt; On December 14, 2021 the &lt;/SPAN&gt;&lt;A href="https://logging.apache.org/log4j/2.x/security.html" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;Apache Software Foundation notified the community&lt;/SPAN&gt;&lt;/A&gt; &lt;SPAN&gt;that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believe the instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers we must assume this workaround may not adequately address all attack vectors.&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;We expect to fully address both CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.16 in forthcoming releases of vCenter Server, as outlined by our software support policies. &lt;/SPAN&gt;&lt;A href="https://www.vmware.com/security/advisories/VMSA-2021-0028.html" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;VMSA-2021-0028&lt;/SPAN&gt;&lt;/A&gt; &lt;SPAN&gt;will be updated when these releases are available. In the interim, we will be updating this Knowledge Base article with revised guidance to remove all JndiLookup classes per Apache Software Foundation guidance. Please subscribe to this article to be informed when updates are published.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 15 Dec 2021 20:12:02 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2883725#M95704</guid>
      <dc:creator>coreyberla</dc:creator>
      <dc:date>2021-12-15T20:12:02Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2883744#M95706</link>
      <description>&lt;P&gt;VMWare's way of saying - "Look to your own defenses"&lt;/P&gt;</description>
      <pubDate>Wed, 15 Dec 2021 21:34:08 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2883744#M95706</guid>
      <dc:creator>jmacdaddy</dc:creator>
      <dc:date>2021-12-15T21:34:08Z</dc:date>
    </item>
    <item>
      <title>Re: Does Log4j vulnerability CVE-2021-44228 affect any Horizon components</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2883749#M95707</link>
      <description>&lt;P&gt;Actually I'd intepret that more as patches are the only real option, and the unfortunalty will take time. They are frequently updating the information which is the best we can get right now, and to clarify I don't work for vmware.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Dec 2021 21:45:42 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Does-Log4j-vulnerability-CVE-2021-44228-affect-any-Horizon/m-p/2883749#M95707</guid>
      <dc:creator>sjesse</dc:creator>
      <dc:date>2021-12-15T21:45:42Z</dc:date>
    </item>
  </channel>
</rss>

