VMware Horizon LOG4J Remediation – did you apply the right patch?
I have heard some confusion from customers about the proper way to remediate Horizon environments for LOG4J. I wanted to review the highlights for you.
If you operate a VMware Horizon environment please take a moment and review the following notes:
- Verify your installed Horizon releases are from December 19th – The Apache software foundation released updated guidance after VMware initially published a release for Horizon on December 16th. The new guidance required updates which were made available on December 19th.
- Verify you have updated all affected Horizon components – The components affected will vary based on the version you are running (as not all versions used the LOG4J component). Affected components can include:
- Connection Server / Security Server
- HTML Access
- Universal Access Gateway
- Horizon Agents for Windows and Linux
- Cloud Connector
- vRealize Operations for Horizon Desktop Agent
All of this information is covered in detail by KB 87073.
For links to guidance on all VMware products affected by LOG4J – please refer to the VMware Security Advisory – VMSA-2021-0028.