...
IMPORTANT: Due to additional disclosures from the Apache Software Foundation, releases were updated on December 16th and workaround scripts were updated on December 19th. Customers who followed the guidance prior to these dates should apply the latest workaround or update the software to the latest build. Either can be used to address CVE-2021-44228 and CVE-2021-45046.

The security vulnerabilities CVE-2021-44228 and CVE-2021-45046 impact VMware Horizon via the Apache Log4j open-source component. This document is specific to VMware Horizon. It is recommended that you read the VMware Security Advisory (VMSA) at the following link for the latest details about this vulnerability, the impact on VMware products, and, most importantly, the versions that are fixed. This advisory is updated regularly:

  CVE-2021-44228 – VMSA-2021-0028

All internal and external Horizon components, including Connection Server, Agent, Cloud Connector and UAG, must address the log4j vulnerabilities in an urgent manner. Customers who have deployed Unified Access Gateway (UAG) as part of their Horizon environment should follow the guidance given in UAG knowledge base article 87092, in addition to the Horizon guidance provided here.

This KB is being regularly updated in response to evolving information made available by the Apache foundation about the log4j vulnerabilities.

Note: The mitigations offered in this document are considered temporary solutions; installation of a fixed build is highly recommended.

Updated builds for Horizon versions under active support are available for download at the following locations:

  Downloads        Release Notes
  Horizon 2111     VMware Horizon 8 2111 Release Notes
  Horizon 7.13.1   VMware Horizon 7 version 7.13.1 Release Notes
  Horizon 7.10.3   VMware Horizon 7 version 7.10.3 Release Notes
The table in the Resolution section lists the Horizon components and versions impacted by CVE-2021-44228 and CVE-2021-45046. The Mitigation column lists the available fixes as well as the workarounds in the Workaround section to follow to mitigate the impact if it is not possible to upgrade to a fixed version.

Components that are not impacted:

These components are not vulnerable since they use a non-Java technology stack:
  - Horizon Recording Server
  - Horizon Recording Agent
  - Windows Agent Direct Connect
  - GPO Bundle
  - Enrollment Server
  - JMP Server
  - Persona Agent
  - View Composer

These components are not vulnerable since the log4j2 appender is not in use:
  - Universal Broker Plug-in
  - Help Desk
  - vRealize Operations for Horizon Broker Agent
  - Security Server

For Horizon clients, only the HTML Access component is vulnerable.
Horizon Components & Versions Vulnerability Status

You can use this table to review all Horizon components, which versions are vulnerable to exploitation via CVE-2021-44228 and CVE-2021-45046, links to fixed releases, and references to available workarounds to mitigate the impact if it is not possible to upgrade to a fixed release. After applying fixes or mitigations, execute the attached script "Horizon_Windows_Log4j_Mitigation.zip" without parameters to check that no vulnerabilities remain. You can also use this to keep track of which machines have had fixes or mitigations applied. See the "Scripted Mitigation for Horizon Connection Server, Agent for Windows, HTML Access portal" section below the table for details.

Table columns: Horizon Component(s) | Version(s) | Vulnerability Status for CVE-2021-44228, CVE-2021-45046 | Mitigation

Connection Server and HTML Access
  Version(s): 2111
  Vulnerability status:
    - Build 8.4.0-19446835 (release date 03/08/2022) is log4j 2.17.1 based and is not vulnerable (available for customers who have a log4j 2.17.1 compliance requirement).
    - Build 8.4.0-19067837 (release date 12/16/2021) is log4j 2.16 based and is not vulnerable.
    - Build 8.4.0-19052438 (release date 12/14/2021) is vulnerable to CVE-2021-45046 (only if the HTML Access portal is installed).
    - Build 8.4.0-18964782 (release date 11/30/2021) is vulnerable to both (only if the HTML Access portal is installed).
  Version(s): 2006, 2012, 2103, 2106
  Vulnerability status: Vulnerable (only if the HTML Access portal is installed) and should be updated to 2111.
  Version(s): 7.13.1
  Vulnerability status:
    - Build 7.13.1-19362017 (release date 02/17/2022) is log4j 2.17.1 based and is not vulnerable (available for customers who have a log4j 2.17.1 compliance requirement).
    - Build 7.13.1-19069458 (release date 12/16/2021) is log4j 2.16 based and is not vulnerable.
    - Build 7.13.1-18057992 (release date 5/25/2021) is vulnerable to both (only if the HTML Access portal is installed).
  Version(s): 7.13.0
  Vulnerability status: Vulnerable (only if the HTML Access portal is installed) and should be updated to 7.13.1.
  Version(s): 7.10.3
  Vulnerability status:
    - Build 7.10.3-19361780 (release date 02/22/2022) is log4j 2.17.1 based and is not vulnerable (available for customers who have a log4j 2.17.1 compliance requirement).
    - Build 7.10.3-19069415 (release date 12/17/2021) is log4j 2.16 based and is not vulnerable.
    - Build 7.10.3-17056980 (release date 10/22/2020) is vulnerable to both (only if the HTML Access portal is installed).
  Version(s): 7.10.0 - 7.10.2
  Vulnerability status: Vulnerable (only if the HTML Access portal is installed) and should be updated to 7.10.3.
  Version(s): 7.4.0-7.9.0, 7.12.0, 7.11.0
  Vulnerability status: Vulnerable (only if the HTML Access portal is installed) but out of support; should be updated to a supported version.
  Mitigation (all versions above): Upgrade to a fixed, supported version if possible. Downloads available at: Horizon 2111, Horizon 7.13.1, Horizon 7.10.3. If upgrade is not possible, utilize one of the following mitigations in the "Workaround" section later in this document:
    - Manual Mitigation for Horizon Connection Server
    - Scripted Mitigation for Horizon Connection Server, Agent for Windows, HTML Access portal

Windows Agent
  Version(s): 2111
  Vulnerability status:
    - Build 8.4.0-19446757 (release date 03/08/2022) is log4j 2.17.1 based and is not vulnerable (available for customers who have a log4j 2.17.1 compliance requirement).
    - Build 8.4.0-19066669 (release date 12/16/2021) is log4j 2.16 based and is not vulnerable.
    - Builds 8.4.0-19050221 (release date 12/14/2021) and 18964730 (release date 11/30/2021) are not vulnerable, but a new build has been published to address the scenario where security scans show an unused but vulnerable log4j jar.
  Version(s): 2012, 2103, 2106
  Vulnerability status: Not vulnerable since the log4j2 appender is not used.
  Version(s): 2006
  Vulnerability status: Vulnerable (only if the vRealize Operations feature in the Horizon desktop agent is installed) and should be updated to 2111.
  Version(s): 7.13.1
  Vulnerability status:
    - Build 7.13.1-19251283 (release date 02/17/2022) is log4j 2.17.1 based and is not vulnerable (available for customers who have a log4j 2.17.1 compliance requirement).
    - Build 7.13.1-19067315 (release date 12/16/2021) is log4j 2.16 based and is not vulnerable.
    - Build 7.13.1-18035779 (release date 05/25/2021) is vulnerable (only if the vRealize Operations feature in the Horizon desktop agent is installed).
  Version(s): 7.13.0
  Vulnerability status:
    - Build 7.13.0-19067039 (release date 12/16/2021) is log4j 2.16 based and is not vulnerable.
    - Build 7.13.0-16975066 (release date 10/15/2020) is vulnerable (only if the vRealize Operations feature in the Horizon desktop agent is installed).
  Version(s): 7.10.3
  Vulnerability status:
    - Build 7.10.3-19160934 (release date 02/22/2022) is log4j 2.17.1 based and is not vulnerable (available for customers who have a log4j 2.17.1 compliance requirement).
    - Build 7.10.3-19069158 (release date 12/17/2021) is log4j 2.16 based and is not vulnerable.
    - Build 7.10.3-17056647 (release date 10/22/2020) is vulnerable (only if the vRealize Operations feature in the Horizon desktop agent is installed).
  Version(s): 7.12.0, 7.11.0, 7.10.1, 7.10.2 and older
  Vulnerability status: Not vulnerable.
  Mitigation (all versions above): Upgrade to a fixed, supported version if possible. Downloads available at: Horizon 2111, Horizon 7.13.1, Horizon 7.10.3. If upgrade is not possible, utilize the following mitigation in the "Workaround" section later in this document:
    - Scripted Mitigation for Horizon Connection Server, Agent for Windows, HTML Access portal

Linux Agent
  Version(s): 2111
  Vulnerability status:
    - Build 8.4.0-19155374 (release date 03/08/2022) is log4j 2.17.1 based and is not vulnerable (available for customers who have a log4j 2.17.1 compliance requirement).
    - Build 8.4.0-19066680 (release date 12/16/2021) is not vulnerable.
    - Build 8.4.0-19050247 (release date 12/14/2021) is vulnerable to CVE-2021-45046.
    - Build 8.4.0-18950695 (release date 11/30/2021) is vulnerable to both.
  Version(s): 2006, 2012, 2103, 2106
  Vulnerability status: Vulnerable and should be updated to 2111.
  Version(s): 7.13.1
  Vulnerability status:
    - Build 7.13.1-19155372 (release date 02/17/2022) is log4j 2.17.1 based and is not vulnerable (available for customers who have a log4j 2.17.1 compliance requirement).
    - Build 7.13.1-19066964 (release date 12/16/2021) is log4j 2.16 based and is not vulnerable.
    - Build 7.13.1-18025243 (release date 05/25/2021) is vulnerable.
  Version(s): 7.13.0
  Vulnerability status: Vulnerable and should be updated to 7.13.1.
  Version(s): 7.12.0
  Vulnerability status: Vulnerable and should be updated to a supported version.
  Mitigation (versions 2111 through 7.12.0 above): Upgrade to a fixed, supported version if possible. Downloads available at: Horizon 2111, Horizon 7.13.1. If upgrade is not possible, utilize one of the following mitigations in the "Workaround" section later in this document:
    - Linux Agent mitigation for versions 2006 - 2111, 7.13.0 - 7.13.1, 7.12.0
    - Scripted Mitigation for Horizon Agent for Linux
  Version(s): 7.11.0
  Vulnerability status: Vulnerable and should be updated to a supported version.
  Version(s): 7.10.3
  Vulnerability status:
    - Build 7.10.3-19159641 (release date 02/22/2022) is log4j 2.17.1 based and is not vulnerable (available for customers who have a log4j 2.17.1 compliance requirement).
    - Build 7.10.3-19067347 (release date 12/17/2021) is log4j 2.16 based and is not vulnerable.
    - Build 7.10.3-16941821 (release date 10/22/2020) is vulnerable.
  Version(s): 7.10.0-7.10.2
  Vulnerability status: Vulnerable and should be updated to 7.10.3.
  Mitigation (versions 7.11.0 through 7.10.0-7.10.2 above): Upgrade to a fixed, supported version if possible. Downloads available at: Horizon 7.13.1, Horizon 7.10.3. If upgrade is not possible, utilize one of the following mitigations in the "Workaround" section later in this document:
    - Linux Agent mitigation for versions 7.10.0 - 7.10.3, 7.11
    - Scripted Mitigation for Horizon Agent for Linux

Linux Agent Direct Connect
  Version(s): 2111
  Vulnerability status:
    - Build 8.4.0-19155374 (release date 03/08/2022) is log4j 2.17.1 based and is not vulnerable (available for customers who have a log4j 2.17.1 compliance requirement).
    - Build 8.4.0-19066680 (release date 12/16/2021) is not vulnerable.
    - Build 8.4.0-19050247 (release date 12/14/2021) is vulnerable to CVE-2021-45046.
    - Build 8.4.0-18950695 (release date 11/30/2021) is vulnerable to both.
  Mitigation: Upgrade to a fixed, supported version if possible. Downloads available at: Horizon 2111. If upgrade is not possible, utilize one of the following mitigations in the "Workaround" section later in this document:
    - Linux Agent mitigation for versions 2006 - 2111, 7.13.0 - 7.13.1, 7.12.0
    - Scripted Mitigation for Horizon Agent for Linux

Cloud Connector
  Version(s): All supported versions
  Vulnerability status: Vulnerable and should be updated to version 2.1.2.
  Mitigation: No mitigation; should be updated to version 2.1.2.

vRealize Operations for Horizon Desktop Agent
  Version(s): 6.7.1
  Vulnerability status: Vulnerable; follow the Windows Agent mitigation procedure.
  Mitigation: Upgrade to a fixed, supported version if possible. Downloads available at: Horizon 2111, Horizon 7.13.1, Horizon 7.10.3. If upgrade is not possible, utilize the following mitigation in the "Workaround" section later in this document:
    - Scripted Mitigation for Horizon Connection Server, Agent for Windows, HTML Access portal
Workaround

These mitigations are temporary solutions; installation of a fixed build is highly recommended. Please note the mitigations in this KB are being regularly updated in response to evolving information made available by the Apache foundation about the log4j vulnerabilities. The impact of all previously published mitigations is benign: they do not need to be reverted before applying the latest mitigations and will not have an adverse impact on your Horizon deployment.

Current mitigation procedures apply to the following components:
  - Manual Mitigation for Horizon Connection Server
  - Scripted Mitigation for Horizon Connection Server, Agent for Windows, HTML Access portal
  - Manual Mitigation for Horizon Agent for Linux
  - Scripted Mitigation for Horizon Agent for Linux

Manual Mitigation for Horizon Connection Server

The following manual procedure removes the HTML Access feature from an installed Horizon Connection Server instance. This closes the vulnerability to CVE-2021-44228 and CVE-2021-45046 without updating the software.

Prerequisites:
  - As with all changes, ensure that appropriate backups are complete and verified prior to making changes.
  - Requires local administrator privileges.

Do not bring down any connection server; keep them all running and follow this procedure on each of them, one at a time. A reboot is not needed and should not be done.

1. From Control Panel > Programs & Features, select VMware Horizon HTML Access > Uninstall, and wait for it to complete.
2. From Control Panel > Programs & Features, select VMware Horizon Connection Server > Uninstall, and wait for it to complete.

Steps to validate successful removal of HTML Access:
1. Ensure that VMware Horizon HTML Access is removed from the software installation path: Control Panel\Programs\Programs and Features.
2. To validate that VMware Horizon HTML Access is successfully removed, navigate to C:\Program Files\VMware\VMware View\Server\broker\webapps and check that the portal war file and the portal folder are no longer present.

Re-installation steps for the Connection Server:
1. Execute the Connection Server installer and choose the type Horizon Standard Server or Replica Server.
2. Uncheck Install HTML Access (very important).
3. Click Next. A dialog box will pop up beginning "At least one Directory Services instance for the Horizon Connection Server already exists on this system."
4. Click OK and then answer the rest of the dialogs as usual.

Note: If HTML Access is not already installed with Connection Server, no mitigation is required.

Scripted Mitigation for Horizon Connection Server, Agent for Windows, HTML Access portal

Description: Following are the instructions for a BAT file mitigation script for Windows (attached to this KB as "Horizon_Windows_Log4j_Mitigation.zip") which applies to Horizon Connection/Security Server, HTML Access portal, and Horizon Agent for Windows. The script can be run without parameters to check that no vulnerabilities remain. You can also use this to keep track of which machines have had fixes or mitigations applied. If nothing more is needed, the script will output 'No vulnerable Log4j libraries detected.'

Note: Unzip "Horizon_Windows_Log4j_Mitigation.zip" to extract the Horizon_Windows_Log4j_Mitigation.bat file.
Script Explanation:
  - The script searches for all Log4j libraries with the filename pattern log4j-core*.jar under the install location.
  - It then identifies the version of the jar from the MANIFEST.MF file; if the version is between 2.0.0 and 2.15.0, both inclusive, the jar is considered potentially vulnerable.
  - For each potentially vulnerable JAR, it checks whether the vulnerable class (org.apache.logging.log4j.core.lookup.JndiLookup.class) is present in the JAR.
  - If the vulnerable class is found, the JAR is flagged as Vulnerable.

In resolution mode:
  - The vulnerable CLASS file is removed from the JARs that are flagged as vulnerable.
  - The flag -Dlog4j2.formatMsgNoLookups=true is added to the registry.
  - The environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true is added (only for Agent).
  - The original Log4j jar is copied in the same location with the name script.restore.

In restoration mode:
  - All the modified jars under the install location are replaced by the script.restore files.

Pre-check: In all cases, the script will make a series of checks to look for known compromise signatures. If found, the script will output 'DANGER: This system is compromised.' and exit. If this happens, do not continue to use this machine. Do not rely on this pre-check: the machine may have been compromised without any of the indicators it checks for.

Prerequisites:
  - As with all changes, ensure that appropriate backups are complete and verified prior to making changes.
  - The script is a BAT file, doesn't need any interpreter support, and can be executed as is on a command-line terminal.
  - Note: You need to execute this script as a local administrator.

Modes of Operation:
  1) Reporting: Reports whether or not a vulnerable Log4j library is present under the install location.
  2) Resolution: Applies the mitigation: environment variable (only for Agent), registry edits, and vulnerable class deletion from Log4j libraries.
  3) Restoration: Restores the original Log4j libraries. This mode should only be used in case of any issues arising from resolution mode.

Note: For resolution and restoration modes, the following services must not be running:
  - Connection Server: VMware Horizon View Connection Server or VMware Horizon Connection Server
  - Security Server: VMware Horizon View Security Server or VMware Horizon Security Server
  - Agent: VMware Horizon View Agent or VMware Horizon Agent
Note: There's no need to stop other services.

Supported switches:
  Horizon_Windows_Log4j_Mitigation.bat - Executes the script in brief Reporting mode.
  Horizon_Windows_Log4j_Mitigation.bat /verbose - Executes the script in extended Reporting mode.
  Horizon_Windows_Log4j_Mitigation.bat /resolve - Executes the script in Resolution mode with minimal output.
  Horizon_Windows_Log4j_Mitigation.bat /verbose /resolve - Executes the script in Resolution mode with extended output.
  Horizon_Windows_Log4j_Mitigation.bat /resolve /force - Executes the script in strict resolution mode. Regardless of the log4j library version present, the affected class gets deleted from all the jars/wars. This has been introduced to address security scanners that flag the jars as vulnerable regardless of version.
  Horizon_Windows_Log4j_Mitigation.bat /restore - Executes the script in Restoration mode with minimal output.
  Horizon_Windows_Log4j_Mitigation.bat /verbose /restore - Executes the script in Restoration mode with extended output.
  Horizon_Windows_Log4j_Mitigation.bat /checkversion=version - Checks if the log4j libraries present under the install folder match the provided version. Usage example: Horizon_Windows_Log4j_Mitigation.bat /verbose /checkversion=2.16. If the version matches, the script outputs that the system is fully patched; otherwise, that the system is not patched.
  Horizon_Windows_Log4j_Mitigation.bat /help - Displays script usage instructions on the console.

Switches are order agnostic and need not be passed in a specific order.
If an invalid switch is passed, the script will exit and display usage instructions.

Manual Mitigation for Horizon Agent for Linux

Prerequisites:
  - As with all changes, ensure that appropriate backups are complete and verified prior to making changes.
  - Requires local administrator privileges.

Notes:
  - The mitigation will be undone if the software is reinstalled, so you will need to repeat the procedure again.
  - The space following the added parameter is required.
  - The parameter added is case sensitive.

Linux Agent mitigation for versions 2006 - 2111, 7.13.0 - 7.13.1, 7.12.0

Manual procedure for the Linux Agent:

1. Remove the JndiLookup class:

     sudo zip -q -d $(find /usr/lib/vmware/viewagent/ -name log4j-core.jar 2>/dev/null) org/apache/logging/log4j/core/lookup/JndiLookup.class

2. Disable all lookups with property settings. Edit the following files with root privileges if they exist (do not create them if they do not exist):

     /usr/lib/vmware/viewagent/bin/StartAgent.sh
     /etc/rc.d/init.d/viewagent
     /etc/init/viewagent.conf
     /etc/init.d/viewagent.suse

   Find the text:

     -Dfile.encoding=UTF-8

   Modify the text to (do not copy and paste; type it manually):

     -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8

   e.g.

     Before: exec ${exec} -Dfile.encoding=UTF-8
     After:  exec ${exec} -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8

   Save and exit the file.

3. Restart the viewagent service by running the command below:

     sudo service viewagent restart

Linux Agent mitigation for versions 7.10.0 - 7.10.3, 7.11

Manual procedure for the Linux Agent:

1. Locate log4j-core.jar by running the following command:

     find /usr/lib/vmware/viewagent/ -name log4j-core.jar 2>/dev/null

2. Back up the file found in step 1, e.g.:

     sudo cp /usr/lib/vmware/viewagent/java/log4j-core.jar /usr/lib/vmware/viewagent/java/log4j-core.jar.bak

3. Remove the JndiLookup class from the classpath by running the following command:

     sudo zip -q -d $(find /usr/lib/vmware/viewagent/ -name log4j-core.jar 2>/dev/null) org/apache/logging/log4j/core/lookup/JndiLookup.class

4. To verify that the workaround for CVE-2021-44228 has been correctly applied to the Linux Agent, run the following command:

     unzip -l $(find /usr/lib/vmware/viewagent/ -name log4j-core.jar 2>/dev/null) | grep JndiLookup.class | grep -v grep

   Note: There should be no output from the above command. If there was output on any particular Horizon Linux Agent, that Horizon Linux Agent was not successfully modified. Redo the steps on that Horizon Linux Agent following the instructions above.

5. Restart the viewagent service by running the following command:

     sudo service viewagent restart

Note: The mitigation will be undone if the software is reinstalled, so you will need to repeat the edits again.

Scripted Mitigation for Horizon Agent for Linux

Following are usage instructions for a mitigation shell script for Linux (attached to this KB as "Horizon_Linux_Log4j_Mitigation.zip") which applies to the Horizon Linux Agent.

Usage:
  Horizon_Linux_Log4j_Mitigation.sh -a    apply mitigation
  Horizon_Linux_Log4j_Mitigation.sh -r    restore mitigation
  Horizon_Linux_Log4j_Mitigation.sh -v    check if Linux Agent is vulnerable
  Horizon_Linux_Log4j_Mitigation.sh -h    display this help and exit

Note: Unzip "Horizon_Linux_Log4j_Mitigation.zip" to extract the Horizon_Linux_Log4j_Mitigation.sh file.
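The Windows script logic described under "Script Explanation" and the Linux manual steps above come down to the same operations: locate log4j-core*.jar, read its version from MANIFEST.MF, check whether JndiLookup.class is inside, remove the class after keeping a restore copy, and put -Dlog4j2.formatMsgNoLookups=true in front of -Dfile.encoding=UTF-8 in the startup script. The Python below is an added example written for this page; it is not VMware's Horizon_Windows_Log4j_Mitigation.bat or Horizon_Linux_Log4j_Mitigation.sh, and it omits the registry edit and environment variable the Windows script sets. It runs against a constructed install tree, so the java/ and bin/ layout, the sample jar contents, the ".script.restore" backup filename and the class name com.example.Agent are all assumptions made for the example. It also shows the checks a practitioner wants from such a tool: a jar outside the 2.0.0 to 2.15.0 range is reported as not affected rather than rewritten, an already stripped jar reports as mitigated, and re-running the startup-script edit does not insert the flag twice.

```python
# Added example, not VMware's own mitigation scripts; paths and sample jar contents are assumed.
import io, os, re, shutil, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
ENCODING_FLAG = "-Dfile.encoding=UTF-8"
VULN_RANGE = ((2, 0, 0), (2, 15, 0))  # KB: 2.0.0 to 2.15.0, both inclusive
RESTORE_SUFFIX = ".script.restore"    # assumed name for the KB's script.restore copy

def parse_version(text):
    """'2.13.3' -> (2, 13, 3); '2.16' is padded to (2, 16, 0) so tuples compare cleanly."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def manifest_version(jar_path):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if it cannot be read."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return match.group(1) if match else None

def report(root):
    """Reporting mode: classify every log4j-core*.jar under root."""
    status = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not (name.startswith("log4j-core") and name.endswith(".jar")):
                continue
            jar = os.path.join(dirpath, name)
            version = manifest_version(jar)
            # A jar whose version cannot be read is treated as in range (conservative).
            if version and not (VULN_RANGE[0] <= parse_version(version) <= VULN_RANGE[1]):
                status[jar] = "not affected"
            else:
                with zipfile.ZipFile(jar) as zf:
                    status[jar] = "vulnerable" if JNDI_CLASS in zf.namelist() else "mitigated"
    return status

def strip_jndi_lookup(jar_path):
    """Resolution mode: keep a restore copy, then rewrite the jar without JndiLookup.class."""
    if not os.path.exists(jar_path + RESTORE_SUFFIX):
        shutil.copy2(jar_path, jar_path + RESTORE_SUFFIX)
    buf = io.BytesIO()
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    with open(jar_path, "wb") as fh:
        fh.write(buf.getvalue())

def restore_jar(jar_path):
    """Restoration mode: put the original jar back from its restore copy."""
    shutil.copy2(jar_path + RESTORE_SUFFIX, jar_path)

def add_no_lookups_flag(script_path):
    """Insert the JVM property before -Dfile.encoding=UTF-8, once; skip files that do not exist."""
    if not os.path.isfile(script_path):
        return False  # KB: never create the startup file if it is absent
    with open(script_path) as fh:
        text = fh.read()
    if NO_LOOKUPS_FLAG in text:
        return False  # already applied; a second run must not duplicate the flag
    patched = text.replace(ENCODING_FLAG, NO_LOOKUPS_FLAG + " " + ENCODING_FLAG)
    with open(script_path, "w") as fh:
        fh.write(patched)
    return patched != text

def build_sample_tree(root, version, include_jndi):
    """Constructed sample install tree: a fake log4j-core.jar plus a StartAgent.sh."""
    os.makedirs(os.path.join(root, "java"))
    os.makedirs(os.path.join(root, "bin"))
    jar = os.path.join(root, "java", "log4j-core.jar")
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    script = os.path.join(root, "bin", "StartAgent.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\nexec ${exec} -Dfile.encoding=UTF-8 com.example.Agent\n")
    return jar, script

def demo(version="2.13.3", include_jndi=True):
    """Report, resolve (class removal plus startup flag), report again, then restore."""
    root = tempfile.mkdtemp(prefix="viewagent-")
    try:
        jar, script = build_sample_tree(root, version, include_jndi)
        before = report(root)[jar]
        if before == "vulnerable":
            strip_jndi_lookup(jar)
        flag_added = add_no_lookups_flag(script)
        after = report(root)[jar]
        if os.path.exists(jar + RESTORE_SUFFIX):
            restore_jar(jar)  # restoration mode undoes only the class removal
        return before, after, flag_added, report(root)[jar]
    finally:
        shutil.rmtree(root)
```

Calling demo() with the defaults walks a jar that reports as vulnerable through resolution (it then reports as mitigated while the startup script carries the flag) and back through restoration; demo("2.16.0") shows that a jar above the range is left alone, and demo("2.13.3", include_jndi=False) shows an already stripped jar reporting as mitigated. Rewriting the jar entry by entry, rather than editing the archive in place, mirrors what the KB's zip -d step achieves and keeps the manifest intact so that version checks such as /checkversion still work afterwards.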
Revision History

Revision Date   Changed

03/31/2022
  - Added additional Manual Mitigation for Horizon Connection Server steps.

03/10/2022
  - Added build information for release of 2111 log4j 2.17.1 based builds.

02/23/2022
  - Added more detailed build numbers.
  - Added build information for release of 7.13.1 and 7.10.3 log4j 2.17.1 based builds.

01/12/2022
  - Revised Linux agent workaround script that corrects a benign error which output a false error message when no parameters were provided when running the script on an Ubuntu system.
  - Revised Windows script with additional switches (/help, /checkversion, /force) and extended patching to the war file.
  - Added details to table in Resolution section regarding latest released builds.
  - General wording improvements for clarity & emphasis.

12/22/2021
  - Added new scripted mitigation for Horizon Agent for Linux as an attached shell script. This script replaces prior mitigation scripts for the Linux agent and applies to versions 7.10 through 2111.

12/19/2021
  - Updated component vulnerability status table to show availability of fixed builds where applicable, and links to relevant workarounds.
  - Updated Resolution section with links to release notes for patched builds.
  - Vulnerability statuses & mitigations updated to consider both CVE-2021-44228 and CVE-2021-45046.
  - Previous Windows and Linux based mitigations removed as they were not completely effective in light of newest information from Apache.
  - New mitigations added that both remove JndiLookup.class as well as set Dlog4j2.formatMsgNoLookups to True:
      Manual mitigation for Connection Server
      Combined scripted workaround for Connection Server, Windows Agent, and HTML Access portal
      Manual & scripted mitigations for Linux Agent
  - General clarity improvements.

12/14/2021
  - Edited text in Impact table to clarify under which conditions components are vulnerable.
  - Added Horizon Agent for Windows manual mitigation procedure.
  - Updated Horizon Agent for Windows information in Impact table.
  - Updated Resolution section to correct & clarify which component versions mitigations apply to.
  - Added clarifying text before Horizon Connection Server manual mitigation procedure based on feedback.

12/12/2021
  - Impact table added to show vulnerability & workaround status of all Horizon components.
  - Connection Server manual workaround procedure updated to address minimal set of required registry keys.
  - Scripted workaround for Connection Server added.
  - Windows Agent manual workaround procedures removed pending further investigation of completeness of workaround.
  - Linux agent manual workaround procedures added.

12/10/2021
  - NA, original version.