...
CVE-2021-44228 and CVE-2021-45046 have been determined to impact Horizon DaaS and Horizon Agents Installer via the Apache Log4j open source component they ship. These vulnerabilities and their impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review it before continuing: CVE-2021-44228 and CVE-2021-45046 – VMSA-2021-0028
Horizon DaaS:
CVE-2021-44228 and CVE-2021-45046 have been resolved in Horizon DaaS 9.1.2 and newer versions. VMware recommends that you upgrade to Horizon DaaS 9.1.2 or a newer version as soon as possible to resolve these issues. The workarounds described later in this document are meant as a temporary solution only and apply to the following versions (prior to Horizon DaaS 9.1.2):
- VMware Horizon DaaS 9.0.X
- VMware Horizon DaaS 9.1.X (up to 9.1.1)

Horizon Agents Installer:
Horizon Agents Installer versions listed below as Vulnerable must be upgraded immediately to resolve these issues.

Horizon DaaS Version | Horizon Agents Installer (HAI) Version | Status
9.1.x | 21.3.0, 20.4.0 | Not Vulnerable. No manual mitigation is required.
9.1.x, 9.0.x | 20.3.1 | Vulnerable. Customer action is required: upgrade to HAI version 20.3.1 (build 19264881) via Auto Agent Update or other preferred methods.
9.1.x, 9.0.x | 20.3.0 | Vulnerable. Customer action is required: upgrade to HAI version 20.3.0 (build 19264895) via Auto Agent Update.
To apply the workaround for CVE-2021-44228 and CVE-2021-45046 to Horizon DaaS, perform the following steps:

1. Download the hotfix from the Horizon DaaS downloads page on customerconnect.vmware.com:
   - Horizon DaaS 9.1.1: https://customerconnect.vmware.com/downloads/details?downloadGroup=HORIZON_DAAS_912&productId=1109&rPId=86729
   - Horizon DaaS 9.1.0: https://customerconnect.vmware.com/downloads/details?downloadGroup=HORIZON_DAAS_910&productId=1109&rPId=86729
   - Horizon DaaS 9.0.1 and later: https://customerconnect.vmware.com/downloads/details?downloadGroup=HORIZON_DAAS_900&productId=998&rPId=73744
   The hotfix can be found in the section "Hotfix for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228 and CVE-2021-45046)", and two files are provided:
   - Hotfix for Service Provider appliances
   - Hotfix for Tenant appliances
2. Copy and deploy the hotfix as described in the Horizon DaaS documentation. In summary, the steps are:
   a. Download the tgz file for the relevant release from customerconnect.vmware.com.
   b. Linux/Mac users: use the "Upload Artifacts to Horizon Version Manager" job from the Rundeck UI to upload the tgz file into HVM (job found in Rundeck UI --> Projects --> Horizon-DaaS-Artifact-Upload).
   c. Windows users: copy the tgz file to HVM under "/opt/vmware/hvm/hotfixes". If the file is copied manually to /opt/hvm/hotfixes, ensure that file permissions and ownership are set as below. For example:
      $ chmod 744 file1.tgz
      $ chown -R rundeck:rundeck file1.tgz
   d. From the Rundeck UI, first run the "Refresh Hotfix List" job (job found in Rundeck UI --> Projects --> Horizon-DaaS-HotFix-Management).
   e. From the Rundeck UI, run the "Apply Hotfix to DaaS Appliances" job, providing the appropriate information in the UI (job found in Rundeck UI --> Projects --> Horizon-DaaS-HotFix-Management). Select the correct Org-DaaS-version and the correct hotfix name in Rundeck, then run the job.
3. For this hotfix you need to reboot your appliances. Steps to reboot:
   1. Log in to the Service Portal.
   2. Go to the Appliances page (Appliances -> Browse Appliances).
   3. Click on the SP appliance and go to Action.
   4. Click on Reboot Appliances.
   5. Select the HA pair and click OK.
   6. Wait for the reboot to complete (you might need to log in to the Service Portal again).
   7. Repeat for all other appliances where the hotfix has been applied.

To verify that the workaround for CVE-2021-44228 and CVE-2021-45046 has been correctly applied to Horizon DaaS, perform the following steps:

1. Log in to the patched Tenant Appliance and, in the root directory, run the following (the pattern is quoted so the shell does not expand it before find sees it):
   sudo find /usr -name 'log4j-core*.jar'
2. For 9.1.X versions the output will be:
   /usr/local/desktone/release/dt-platform-21_1_0/deploy/dt-tenant-node-21.1.0-bin/appblast/WEB-INF/lib/log4j-core-2.16.0.jar
   /usr/local/desktone/release/dt-platform-21_1_0/deploy/dt-tenant-node-21.1.0-bin/horizonadmin/WEB-INF/lib/log4j-core-2.16.0.jar
   /usr/local/desktone/release/dt-platform-21_1_0/deploy/dt-deployer-lib-21.1.0-bin/lib/log4j-core-2.16.0.jar
   For 9.0.X versions the output will be:
   /usr/local/desktone/release/dt-platform-20_2_0/deploy/dt-tenant-node-20.2.0-bin/horizonadmin/WEB-INF/lib/log4j-core-2.16.0.jar
   /usr/local/desktone/release/dt-platform-20_2_0/deploy/dt-tenant-node-20.2.0-bin/appblast/WEB-INF/lib/log4j-core-2.16.0.jar
   /usr/local/desktone/release/dt-platform-20_2_0/deploy/dt-deployer-lib-20.2.0-bin/lib/log4j-core-2.16.0.jar
3. Confirm that every log4j-core jar listed is log4j-core-2.16.0.jar.

This hotfix prevents exploitation of the log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046) by replacing the bundled log4j with an updated version that is not exploitable through them.

To revert the workaround for CVE-2021-44228 and CVE-2021-45046 on Horizon DaaS, perform the following steps:
Follow the directions for the Hotfix management tool under the section "Revert Appliances to a Pre-Hotfix State".
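The verification step above relies on reading the find output by eye. The script below is an added example, not VMware's tooling and not part of this KB: it reads log4j-core jar paths one per line (the format produced by sudo find /usr -name 'log4j-core*.jar'), extracts the version from each file name, and flags any jar older than the 2.16.0 that the hotfix installs. The function names, the EXPECTED_LOG4J_VERSION variable and the sample input are assumptions; the sample paths are constructed (the first is one of the KB's expected 9.1.X results, the second is a made-up stale jar, since the page does not state the pre-hotfix log4j version).

```shell
#!/bin/sh
# Added example (not VMware's script): verify that every log4j-core jar found on
# an appliance is at least the version the hotfix installs (2.16.0 per the KB).
# Real usage on an appliance (same find command the KB's verification step uses):
#   sudo find /usr -name 'log4j-core*.jar' | check_log4j_jars

EXPECTED_LOG4J_VERSION="2.16.0"   # version the KB says the hotfix ships

# Print the version embedded in a jar file name, e.g. ".../log4j-core-2.16.0.jar" -> "2.16.0".
# Prints nothing for names that do not match the log4j-core-<version>.jar pattern.
log4j_version_from_path() {
    basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# version_ge A B: return 0 when dotted numeric version A >= B, else 1.
# Written by hand so it runs in plain POSIX sh (no dependency on sort -V).
version_ge() {
    v1=$1
    v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}
        b=${v2%%.*}
        if [ "$v1" = "$a" ]; then v1=; else v1=${v1#*.}; fi
        if [ "$v2" = "$b" ]; then v2=; else v2=${v2#*.}; fi
        a=${a:-0}   # missing component counts as 0, so 2.16 == 2.16.0
        b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
    done
    return 0
}

# Read jar paths (one per line) on stdin, print a verdict per jar plus a summary
# line; return 0 only when no jar is older than EXPECTED_LOG4J_VERSION.
check_log4j_jars() {
    outdated=0
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        ver=$(log4j_version_from_path "$jar")
        if [ -z "$ver" ]; then
            echo "SKIP     (no version in file name)  $jar"
        elif version_ge "$ver" "$EXPECTED_LOG4J_VERSION"; then
            echo "OK       $ver  $jar"
        else
            echo "OUTDATED $ver  $jar"
            outdated=$((outdated + 1))
        fi
    done
    echo "outdated log4j-core jars: $outdated"
    [ "$outdated" -eq 0 ]
}

# Constructed sample input: the first path is one of the KB's expected 9.1.X
# results; the second is a made-up stale jar (the KB does not state the
# pre-hotfix log4j version, so 2.13.0 is only a placeholder below 2.16.0).
SAMPLE_JAR_PATHS='/usr/local/desktone/release/dt-platform-21_1_0/deploy/dt-tenant-node-21.1.0-bin/appblast/WEB-INF/lib/log4j-core-2.16.0.jar
/opt/example/lib/log4j-core-2.13.0.jar'

if printf '%s\n' "$SAMPLE_JAR_PATHS" | check_log4j_jars; then
    echo "RESULT: all log4j-core jars are at or above $EXPECTED_LOG4J_VERSION"
else
    echo "RESULT: at least one jar is older than $EXPECTED_LOG4J_VERSION; re-apply the hotfix"
fi
```

The file name is only a proxy for the library version: a renamed or repackaged jar would be reported as SKIP rather than checked, so treat any SKIP line as something to inspect manually (for example by reading the jar's META-INF/MANIFEST.MF with unzip -p). The check also only covers whatever paths you feed it, so keep the same /usr scope as the KB's find command unless you have a reason to search more of the filesystem.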
Please see the following links to the documentation on how to perform an upgrade of the Horizon Agent using Agent Auto Update:
- Horizon DaaS 9.1.x: Updating Agent-Related Software
- Horizon DaaS 9.0.x: Update Agent Software for an Assignment; Update Agent Software for an Image