Tag: LOG4J
VMware Response to Apache Log4j Remote Code Execution Vulnerability
Here is the latest VMware advisory:
VMware Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
https://www.vmware.com/security/advisories/VMSA-2021-0028.html
VMware VMSA-2021-0028: Questions & Answers for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
https://core.vmware.com/vmsa-2021-0028-questions-answers-faq
This vulnerability is an industry-wide one, in a component called “log4j” that is used to log information from Java-based software. This vulnerability is critical, rated 10 out of 10 on the CVSS 3.1 scoring scale, because it is an unauthenticated remote code execution (RCE) vulnerability, allowing attackers to run commands on affected systems by simply getting them to log a specific string.
Generally speaking, every piece of software that has ever used log4j is potentially vulnerable. VMware uses log4j as well, which is why we are reacting to this. However, this vulnerability also affects customer workloads. Customers need to assess their entire environment for use of log4j, in both infrastructure and workloads, and remediate as soon as possible, either through patches or workarounds.
The vulnerability was announced by the Apache Foundation suddenly, as a “0-day” or “zero-day” vulnerability, taking everybody by surprise. Normally a vulnerability is reported privately to the software maintainers, who then have time to repair the issue and release an update so that attackers don’t gain a temporary advantage. That wasn’t the case this time. Regardless of the timing, the ubiquitous use of log4j means that no matter when this vulnerability surfaced, it was likely to have a huge impact. While disclosure going into a weekend is bad timing, it’s good that it did not happen later in the calendar year.
VMware customers should subscribe to the VMSA mailing list and continue to monitor the VMSA page itself, as well as linked resources like the Q&A/FAQ. They should also be assessing everything else in their environment, because a lot of other software incorporates log4j. This issue isn’t a VMware-specific problem; it’s an “everything everywhere” problem.
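The assessment step above, inventorying log4j in your own workloads, can be started with a simple filesystem scan. The following is an added example, not code from VMware or the advisory: it walks a directory tree, identifies log4j-core jars by their Maven `pom.properties`, reads the version, and checks whether the `JndiLookup` class is still present. The "affected" rule it applies (log4j-core 2.x before 2.15.0 with `JndiLookup.class` present) is taken from the public Apache guidance for CVE-2021-44228 and is an assumption of this example; the three jars it scans are constructed stand-ins built in a temp directory.

```python
import os, re, tempfile, zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    # '2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9), so tuples compare sanely
    return tuple(int(p) for p in re.findall(r"\d+", text))

def inspect_jar(path):
    """Return (version, jndi_present) for a log4j-core jar, else None."""
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM_PROPS not in names:
            return None
        props = jar.read(POM_PROPS).decode("utf-8", "replace")
        match = re.search(r"^version=(.+)$", props, re.M)
        version = match.group(1).strip() if match else "unknown"
        return version, JNDI_CLASS in names

def scan_tree(root):
    """Map each log4j-core jar under root to (version, jndi_present, affected)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            info = inspect_jar(path)
            if info is None:
                continue
            version, jndi = info
            v = parse_version(version)
            # Assumed CVE-2021-44228 rule: 2.x before 2.15.0 with JndiLookup present
            findings[path] = (version, jndi, jndi and v[:1] == (2,) and v < (2, 15, 0))
    return findings

def make_sample_jar(path, version, include_jndi=True):
    """Constructed stand-in jar holding only the two entries we inspect."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fake class bytes

def demo():
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1-fixed.jar"), "2.14.1", False)
    make_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    return {os.path.basename(p): r for p, r in scan_tree(root).items()}
```

Run `scan_tree("/")` (or a narrower root) to inventory a host; shaded or renamed jars and jars nested inside WAR/EAR archives are not unpacked by this version, so treat a clean result as a starting point, not proof of absence.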