Month: December 2021

Released flexVDI Manager 3.1.13

Another security release.

  • Includes logback 1.2.9, which fixes the low-severity vulnerability CVE-2021-42550. Exploiting this vulnerability requires that the attacker be able to write to the logging.xml config file of the flexVDI Manager appliance.
  • We have removed the write permission on the logging.xml file, even for the file owner, in flexVDI Manager appliances that are being updated. In 3.1.12 the permission change affected only new installations.

flexVDI Manager can be updated by running the flexvdi-config command on the host where the current manager is running. Instructions are available here. It can also be downloaded manually from portal.flexvdi.com for servers not connected to the internet.

Released flexVDI Manager 3.1.12

This is mainly a security hardening release. The latest release of the flexVDI Manager appliance includes many updated components, including:

  • All available software packages of its base distro, including the Linux kernel, openssl, java, and more.
  • Many updated java libraries. Specifically, it includes logback 1.2.8, released yesterday, which removes all JDBC code and disables all JNDI code in the base logging framework, before any important vulnerability is found in it.
  • We have made the java logging configuration read-only, even for the file owner, as recommended by security experts.
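The read-only hardening above is simple to verify: a logging configuration that nobody can write to (not even its owner) cannot be used as the entry point that a vulnerability like CVE-2021-42550 needs. The following POSIX shell script is an added example, not flexVDI's own tooling; it audits the permission bits of a file, applies the same "remove write for everyone" change, and checks the result. The file name is a temporary file created for the demo; on a real appliance the target would be the logging.xml path, which is assumed here rather than taken from the release notes.

```shell
#!/bin/sh
# Constructed example: audit and harden a logging config file so that no user
# class (owner, group, other) keeps a write bit. Not flexVDI's own script.

# file_mode FILE -> prints the octal permission bits (e.g. 644)
# GNU stat (-c) is tried first, then BSD/macOS stat (-f).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# is_write_protected FILE -> exit 0 if no class has the write bit set
is_write_protected() {
    mode=$(file_mode "$1") || return 1
    # Keep only the last three octal digits (drop setuid/setgid/sticky).
    mode=${mode#"${mode%???}"}
    # An octal digit has the write bit (2) set when it is 2, 3, 6 or 7.
    case "$mode" in
        *[2367]*) return 1 ;;
        *)        return 0 ;;
    esac
}

# harden_logging_config FILE -> remove write permission for all classes,
# then confirm the change actually took effect.
harden_logging_config() {
    chmod a-w "$1" && is_write_protected "$1"
}

# demo: constructed stand-in for logging.xml (hypothetical path, temp file)
demo() {
    cfg=$(mktemp) || return 1
    printf '<configuration/>\n' > "$cfg"
    chmod 0644 "$cfg"                       # typical default: owner can write
    if is_write_protected "$cfg"; then
        echo "before: already read-only (unexpected)"
    else
        echo "before: mode $(file_mode "$cfg"), writable by owner"
    fi
    harden_logging_config "$cfg"
    echo "after:  mode $(file_mode "$cfg"), write-protected"
    rm -f "$cfg"
}

demo
```

Run it with `sh script.sh`; to audit a real appliance, call `is_write_protected /path/to/logging.xml` from a cron job or configuration-management check and alert when it returns non-zero. Note that root can still write to a 0444 file, so the check guards against ordinary service accounts and misconfiguration, not against an attacker who already has root.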

flexVDI does not use the log4j2 logging library but logback, so it is NOT vulnerable to CVE-2021-44228 (aka log4shell). But a new attack family has been discovered, so logback has been hardened by removing the functionality that may be vulnerable, before some critical vulnerability is found, and we have included this hardened library release. This makes it very unlikely that the latest logback and flexVDI are ever affected by something like log4shell.

This release also fixes a bug: some stopped volatile guests generated by a desktop policy were not being automatically deleted, even with a “stop & delete” action in place. This happened when the guest was already stopped when the “stop” action was requested, so flexVDI Manager decided that the action had failed and retried it forever, never reaching the delete step.

flexVDI Manager can be updated by running the flexvdi-config command on the host where the current manager is running. Instructions are available here. It can also be downloaded manually from portal.flexvdi.com for servers not connected to the internet.

flexVDI is not affected by log4shell vulnerability (CVE-2021-44228)

We have been contacted by users worried about the possible impact of the critical CVE-2021-44228 vulnerability in the ubiquitous log4j logging framework.

flexVDI has never used or included Log4j2 in any of its components, so there is no need to update any software distributed by us because of that vulnerability.

Stay safe.