VMware products will update open source components (including log4j) to the latest available versions in future releases. Going forward, new log4j vulnerabilities will continue to be evaluated to determine severity and applicability to VMware products, but will not be referenced in this advisory. VMware has investigated and has found no evidence that these vulnerabilities are exploitable in VMware products.
7: A pair of new vulnerabilities identified by CVE-2021-45105 and CVE-2021-44832 have been disclosed by the Apache Software Foundation that impact log4j releases prior to 2.17.1 in non-default configurations.

7: The Apache Software Foundation updated the severity of CVE-2021-45046 to 9.0; in response, we have aligned our advisory. In response, VMware has aligned with the new guidance and will be updating associated documentation with workarounds and fixes to address both vulnerabilities completely. In addition, a new vulnerability identified by CVE-2021-45046 was published.

4: The Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient in removing all possible attack vectors.

3: Unaffected VMware products can be referred to on the Knowledge Base article:

1: A supplemental blog post & frequently asked questions list was created for additional clarification.

0: Exploitation attempts in the wild of CVE-2021-44228 have been confirmed by VMware.

VMware vRealize Operations Management Pack
VMware vRealize Operations Tenant App for VMware Cloud Director
VMware Harbor Container Registry for TKGI
VMware Cloud Provider Lifecycle Manager
VMware Cloud Director Object Storage Extension
Single Sign-On for VMware Tanzu Application Service
Healthwatch for Tanzu Application Service
VMware Tanzu Observability by Wavefront Nozzle
VMware Tanzu Kubernetes Grid Integrated Edition
VMware Tanzu Application Service for VMs
VMware Tanzu Greenplum Platform Extension Framework
VMware Carbon Black Cloud Workload Appliance
VMware Site Recovery Manager, vSphere Replication
VMware vRealize Operations Cloud (Cloud Proxy)