VMware Releases Security Updates for vCenter Version 7.x

VMware has released out-of-band updates to address the Log4Shell vulnerability in vCenter Server 7.x.


Affected platforms

The following platforms are known to be affected:

Threat details

Future vCenter alerts

Please note this alert only relates to vCenter Server 7.x. Future alerts will cover other vCenter Server versions as and when patches are released by VMware.


Introduction

VMware has released out-of-band security updates to address the Log4Shell vulnerabilities in their vCenter Server management software. They claim that an unauthenticated remote attacker could exploit these vulnerabilities to take control of an affected vCenter Server instance.

NHS Digital response to Log4Shell

This alert is part of NHS Digital's wider response to Log4Shell. For more information on Log4Shell itself, please visit our cyber alerts article Log4Shell RCE Vulnerability CC-3989.

NHS and social care organisations are invited to use the Cyber Associates Network to find out additional information and participate in discussion about the Log4Shell remote code execution vulnerability and affected products.

VMware vCenter Products Under Active Exploitation

The Log4Shell vulnerability within VMware vCenter products is being actively targeted and exploited. VMware products have been targeted by advanced persistent threat groups historically.


Remediation advice

Affected organisations are encouraged to review VMware's vCenter 7.0 Update 3c Release Notes and apply the relevant updates immediately.


Last edited: 28 January 2022 12:42 pm