Impact analysis of CVE-2021-44228 on VMware NSX Lastline Defender Hosted/SaaS
Article ID: 330003

Products

VMware

Issue/Introduction

VMware NSX Lastline Defender Hosted is not impacted by CVE-2021-44228. The product does capture input from untrusted sources (for example, network traffic captured on a customer network) and stores parts of this data in Elasticsearch, but our analysis shows that attackers cannot exploit the vulnerability through this path: the data is stored in Elasticsearch, not logged through the vulnerable logging framework. Furthermore, although authenticated Lastline customers may interact with Elasticsearch indirectly, by performing queries against the product search API or via Kibana, no user-provided data reaches the vulnerable component. Elastic has issued a statement that Elasticsearch is not vulnerable to the Remote Code Execution (RCE) vulnerability, and our analysis determined that no user data is sent directly to Elasticsearch, which also rules out the related Server Side Request Forgery (SSRF) attack to which Elasticsearch would otherwise be exposed.

To avoid any confusion or risk, we have released a patch to all customer cloud services. Lastline Defender Sensor appliances are not affected by the vulnerability.

This vulnerability and its impact on VMware products are documented in the following VMware Security Advisory (VMSA); please review it before continuing:
•    CVE-2021-44228 – VMSA-2021-0028

Resolution

While we have not identified any case where user data may be used by the vulnerable component, we have nevertheless updated the internal Lastline Defender cloud services. This update was completed on 10/12/2021 at 7:00 pm PST.

Parts of the Lastline cloud services are deployed on Elastic Cloud, and we are working with the service provider on a resolution.

As no Lastline Defender appliances are affected, no customer action is required at this time.
Workaround:
All services have been patched; no workarounds are required.