I have heard some confusion from customers about the proper way to remediate Horizon environments for LOG4J.  I wanted to review the highlights for you.

If you operate a VMware Horizon environment please take a moment and review the following notes:

• Verify your installed Horizon releases are from December 19th – The Apache software foundation released updated guidance after VMware initially published a release for Horizon on December 16th.  The new guidance required updates which were made available on December 19th.
• Verify you have updated all affected Horizon components – The components affected will vary based on the version you are running (as not all versions used the LOG4J component).  Affected components can include:
  • Connection Server / Security Server
  • HTML Access
  • Universal Access Gateway
  • Horizon Agents for Windows and Linux
  • Cloud Connector
  • vRealize Operations for Horizon Desktop Agent

All of this information is covered in detail by KB 87073.

For links to guidance on all VMware products affected by LOG4J – please refer to the VMware Security Advisory – VMSA-2021-0028.