NSX Advanced Load Balancer (Avi) and CVE-2021-44228
Article ID: 317232


Products

VMware

Issue/Introduction

Impact of CVE-2021-44228 on NSX Advanced Load Balancer (Avi)



    Resolution

    As mentioned in VMware KB VMware Response to CVE-2021-44228: Apache Log4j Remote Code Execution (87068), VMware NSX Advanced Load Balancer (Avi) is not vulnerable to CVE-2021-44228.

    This document provides additional guidance regarding the CVE and its applicability to NSX Advanced Load Balancer (Avi).
     

    Details

    NSX Advanced Load Balancer (Avi) comprises two components: the Control Plane and the Data Plane.

     

    Avi Data Plane

    The Avi data plane is NOT vulnerable to attacks detailed in the CVE.

     

    Avi Control Plane

    The Avi Control Plane provides customers with a point of management, and can be accessed via the UI, CLI, or the REST API. The Avi Control Plane runs in a secure environment, and is isolated from end-user traffic.

    The Avi Controller is NOT vulnerable to the attacks detailed in the CVE.

     

    Additional Information on Avi Control Plane

    The Avi Controller uses Elasticsearch to index application logs from Virtual Service traffic.

    Our analysis confirms that attackers cannot exploit the vulnerability to their advantage, as data is stored in Elasticsearch but not logged using the vulnerable framework. The logging framework is not made available to the end user directly, and we do not see a case where a malicious lookup can be made to the Controller, given the architecture and the specific, contained use of Elasticsearch.

     

    While we are confident that NSX Advanced Load Balancer (Avi) is not vulnerable to the CVE, out of an abundance of caution and in line with security best practices, an optional patch to disable the JndiLookup class will be released.

     

    Patch Details

    Patches have been released and made available for the following releases:

    • 21.1.2-2p4
    • 21.1.1-2p5
    • 20.1.7-2p7
    • 20.1.6-2p11
    • 20.1.4-2p21

    In addition, future releases, starting from the following, will have the JndiLookup Class disabled:

    • 21.1.3
    • 20.1.8
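
    The optional patch described above disables the JndiLookup class. As an added example (not VMware's or Avi's own tooling), the following Python script checks whether log4j-core archives on a host still carry that class, including inside nested jars and wars; the stub archives it builds are constructed for illustration and the audit path is whatever the operator passes in.

```python
import io
import zipfile
from pathlib import Path

# The class the optional Avi patch disables; confirming it is absent from every
# log4j-core archive on a host is the check an auditor wants after patching.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear")

def jndi_lookup_in_archive(data: bytes) -> bool:
    """True if this archive, or any archive nested in it, contains JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP_ENTRY:
                return True
            # Uber jars and war files embed log4j-core as a nested archive.
            if name.endswith(NESTED) and jndi_lookup_in_archive(zf.read(name)):
                return True
    return False

def audit_tree(root) -> dict:
    """Map each jar/war/ear under root to True (present), False (absent) or None (unreadable)."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix not in NESTED or not path.is_file():
            continue
        try:
            results[str(path)] = jndi_lookup_in_archive(path.read_bytes())
        except zipfile.BadZipFile:
            results[str(path)] = None  # corrupt or non-zip file: review manually
    return results

def make_sample_archive(with_jndi: bool, nested: bool = False) -> bytes:
    """Constructed sample: a stub log4j-core jar, optionally wrapped in an outer fat jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    if not nested:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:  # fat-jar style layout, constructed
        zf.writestr("BOOT-INF/lib/log4j-core-stub.jar", buf.getvalue())
    return outer.getvalue()
```

    Run `audit_tree("/path/to/scan")` against a real directory; any entry reported True still ships the lookup class and any None needs manual review.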


    Additional Information

    1. VMware Security Advisory VMSA-2021-0028.1 (vmware.com)
    2. VMware Response KB 87068: VMware Response to CVE-2021-44228: Apache Log4j Remote Code Execution

    Change log:

    • December 15th 2021 - 08:10 PST: Updated the released patch versions information.