VMware has released a new critical security advisory, VMSA-2021-0028. This advisory covers multiple VMware products that use the popular open-source log4j Java logging component, which was discovered to have a critical vulnerability (CVE-2021-44228).
This needs your immediate attention, not just at the VMware product level, but also for all other software in your environment. The log4j component is used by many vendors and software packages. For more information about the VMware products please visit https://www.vmware.com/security/advisories/VMSA-2021-0028.html
For Horizon DaaS 9.0.x and Horizon DaaS 9.1.x, a workaround is provided in the form of a hotfix. The hotfix should be applied to remediate CVE-2021-44228.
To apply the workaround for Horizon DaaS, download the 2 hotfixes (Hotfix for Service Provider appliances and Hotfix for Tenant Appliances) from the Horizon DaaS downloads page on https://customerconnect.vmware.com for your version:
- Horizon DaaS 9.1.1
- Horizon DaaS 9.1.0
- Horizon DaaS 9.0.3
The hotfix can be found in the section “Hotfix for Log4j remote code execution Vulnerability (CVE-2021-44228)”.
The following steps are needed to install the hotfixes.
- Upload the hotfix files
- Horizon DaaS Artifact Upload to make the hotfixes available in the Horizon DaaS Version Manager (HVM)
- Refresh Hotfix List
- Apply Hotfix to the Horizon DaaS Management Appliances
- Apply Hotfix to the Horizon DaaS Tenant Appliances
- Reboot all the appliances one by one: first the SP appliances, then the RM appliances and then the TN appliances.
For the full and detailed steps, please check https://www.geursen.net/horizon-daas-9-0-1-upgrade/
UAG/Workspace ONE Access
For VMware UAG and VMware Workspace ONE Access, workarounds are provided as well. Please check the following KB articles.
- Unified Access Gateway
- Workspace ONE Access
I hope this post helps in patching the Horizon DaaS environment. If you need help or if you have any questions about the installation of the hotfixes please let me know and leave a comment.