This is a CRITICAL Advisory with the highest possible severity (CVSSv3 score of 10 out of 10): VMSA-2021-0028

VMware has published security advisory VMSA-2021-0028, which impacts many VMware products through a Remote Code Execution (RCE) vulnerability in Apache Log4j. This is a CRITICAL Advisory with the highest possible severity (CVSSv3 score of 10 out of 10).

The VMSA will be the source of truth for all developments around this issue. Evaluation is still underway, but a list of known affected products is included below. As of this note, workarounds are available for Horizon Connection Server & Agent, vRealize Operations & Cloud Proxy, NSX-T Data Center, and HCX. More updates to this advisory, including applicable workaround links, are expected throughout the weekend.

Impacted Products (Under Evaluation):

  • VMware Horizon
  • VMware vCenter Server
  • VMware HCX
  • VMware NSX-T Data Center
  • VMware Unified Access Gateway
  • VMware Workspace ONE Access
  • VMware Identity Manager
  • VMware vRealize Operations
  • VMware vRealize Operations Cloud Proxy
  • VMware vRealize Log Insight
  • VMware vRealize Automation
  • VMware Telco Cloud Automation
  • VMware Site Recovery Manager
  • VMware Carbon Black Cloud Workload Appliance
  • VMware Tanzu GemFire
  • VMware Tanzu Greenplum
  • VMware Tanzu Operations Manager
  • VMware Tanzu Application Service for VMs
  • VMware Tanzu Kubernetes Grid Integrated Edition
  • VMware Tanzu Observability by Wavefront Nozzle
  • Healthwatch for Tanzu Application Service
  • Spring Cloud Services for VMware Tanzu
  • Spring Cloud Gateway for VMware Tanzu
  • Spring Cloud Gateway for Kubernetes
  • API Portal for VMware Tanzu
  • Single Sign-On for VMware Tanzu Application Service
  • App Metrics
  • VMware vCenter Cloud Gateway
  • VMware Tanzu SQL with MySQL for VMs
  • vRealize Orchestrator
  • (Additional products will be added)


FIRST CVSSv3 Calculator:
CVE-2021-44228: (10.0)

If you want to chat with me please use Twitter: @AngrySysOps
