Normally I wouldn’t write about a minor release but in this case I think it’s worth mentioning. On 18th January, VMware released version 8.6.2 of vRealize Automation. The big item in this release is that log4j has been updated to resolve some of the vulnerabilities that have been discovered.
Log4J Updated to 2.17
Starting in December 2021, a number of vulernerabilities were discovered in the Log4J logging utility. Log4j is used in a lot of other products to allow easy logging functionality. The first vulnerability, dubbed “Log4Shell”, was given a CVSS score of 10. The CVE ID assigned was CVE-2021-44228. As per the Release Notes, this is one of the CVEs that 8.6.2 resolves.
The second vulnerability mentioned in the Release Notes is CVE-2021-45046. Like the first vulnerability, it can also be exploited remotely and was considered quite severe. There have been two further vulnerabilities that have been discovered, however according to VMware, they can’t be exploited on their products.
One key interface change is the Deployments tab is now called Resources. It seems the intent here is to create a consolidated view of all resources and integrate day 2 actions. There’s also the ability to quickly create a simple VM in this area, without the need for a Cloud Template. How useful that ends up being is up for debate.
As with a lot of the updates over 2021, this one adds a few nice improvements. The official fix for Log4j is reason enough to get on this version.