Here is the latest VMware advisory:
VMware Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
VMware VMSA-2021-0028: Questions & Answers for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
This vulnerability is an industry-wide one, in a component called “log4j” that is used to log information from Java-based software. This vulnerability is critical, rated 10 out of 10 on the CVSS 3.1 scoring scale, because it is an unauthenticated remote code execution (RCE) vulnerability, allowing attackers to run commands on affected systems by simply getting them to log a specific string.
Generally speaking, every piece of software that has ever used log4j is potentially vulnerable. VMware uses log4j as well, which is why we are reacting to this. However, this vulnerability also affects customer workloads. Customers need to assess their entire environment for use of log4j, in infrastructure and workloads, and remediate it as soon as possible either through patches or workarounds.
The vulnerability was announced by the Apache Foundation suddenly, as a “0-day” or “zero day” vulnerability, taking everybody by surprise. Normally a vulnerability is reported privately to the software maintainers who then have time to repair the issue and release an update so attackers don’t have a temporary advantage. That isn’t the case this time. Regardless of the timing, the ubiquitous use of log4j means that no matter when this vulnerability surfaced it was likely to have a huge impact. While disclosure going into a weekend is bad timing, it’s good that it did not happen later in the calendar year.
VMware customers should subscribe to the VMSA mailing list and continue to monitor the VMSA page itself, as well as the linked resources like the Q&A/FAQ. They also should be assessing everything else in their environment, because lots of other software incorporates log4j. This issue isn’t a VMware-specific problem; it’s an “everything everywhere” problem.
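The assessment the advisory asks for twice (find every copy of log4j in infrastructure and workloads, then patch or work around it) starts with an inventory. The following is an added example, not VMware's tooling: it walks a directory tree, opens JAR/WAR/EAR archives including jars bundled inside them, reads log4j-core's Maven metadata for the version, and flags anything below a fixed-version threshold that you take from the vendor advisory. The 2.14.1 sample jar and the 2.99.0 threshold are constructed placeholders, not values from the page.

```python
import io, re, tempfile, zipfile
from pathlib import Path
# Maven metadata that a log4j-core jar carries; its "version" key is the artifact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def version_tuple(v):
    """'2.14.1' -> (2, 14, 1); a trailing qualifier such as '-rc1' is ignored."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in v.split("."))

def find_log4j_core(data, name, found):
    """Append (archive, version) for each log4j-core in data or in any archive nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:  # entry with an archive suffix that is not really a zip
        return
    with zf:
        for entry in zf.namelist():
            if entry == POM_PROPS:
                lines = zf.read(entry).decode("utf-8", "replace").splitlines()
                props = dict(l.strip().split("=", 1) for l in lines if "=" in l)
                found.append((name, props.get("version", "").strip() or None))
            elif entry.lower().endswith(ARCHIVES):  # jars bundled inside a WAR/EAR
                find_log4j_core(zf.read(entry), f"{name}!/{entry}", found)

def scan_tree(root, fixed_version):
    """Return [(archive, version, needs_update)] for every log4j-core found under root."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            found = []
            find_log4j_core(path.read_bytes(), str(path.relative_to(root)), found)
            for name, ver in found:  # an unreadable version is reported as needing attention
                needs = ver is None or version_tuple(ver) < version_tuple(fixed_version)
                results.append((name, ver, needs))
    return results

def build_sample(root):
    # Constructed input: app.war bundling a log4j-core 2.14.1 jar (sample version, not from the advisory).
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, "#Generated by Maven\nartifactId=log4j-core\nversion=2.14.1\n")
    with zipfile.ZipFile(Path(root) / "app.war", "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())

def demo(fixed_version="2.99.0"):
    """Scan a constructed tree; fixed_version is a placeholder to replace with the advisory's fixed version."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_tree(tmp, fixed_version)
```

Point `scan_tree` at a real application directory and replace the placeholder threshold with the fixed version named in the vendor advisory; a hit with `needs_update` set is a candidate for patching or the published workaround.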