Timur Galeev Posted on Dec 13, 2021 Critical New 0-day Vulnerability in Popular Log4j Library - List of applications #devops #codequality #codereview Akamai : https://www.akamai.com/blog/news/CVE-2021-44228-Zero-Day-Vulnerability Apache Druid : https://github.com/apache/druid/pull/12051 Apache Flink : https://flink.apache.org/2021/12/10/log4j-cve.html Apache LOG4J : https://logging.apache.org/log4j/2.x/security.html Apache Kafka : https://lists.apache.org/thread/lgbtvvmy68p0059yoyn9qxzosdmx4jdv Apache Solr : https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 Apache Struts : https://struts.apache.org/announce-2021#a20211212-2 Apero CAS : https://apereo.github.io/2021/12/11/log4j-vuln/ APPSHEET : https://community.appsheet.com/t/appsheet-statement-on-log4j-vulnerability-cve-2021-44228/59976 Aptible : https://status.aptible.com/incidents/gk1rh440h36s?u=zfbcrbt2lkv4 Atlassian : https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html Automox : https://blog.automox.com/log4j-critical-vulnerability-scores-a-10 Avantra SYSLINK : https://support.avantra.com/support/solutions/articles/44002291388-cve-2021-44228-log4j-2-vulnerability Avaya : https://support.avaya.com/helpcenter/getGenericDetails?detailId=1399839287609 AWS New : https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ AWS OLD: https://aws.amazon.com/security/security-bulletins/AWS-2021-005/ AZURE Datalake store java : https://github.com/Azure/azure-data-lake-store-java/blob/ed5d6304783286c3cfff0a1dee457a922e23ad48/CHANGES.md#version-2310 BACKBLAZE : https://twitter.com/backblaze/status/1469477224277368838 BitDefender : https://businessinsights.bitdefender.com/security-advisory-bitdefender-response-to-critical-0-day-apache-log4j2-vulnerability BitNami By VMware : https://docs.bitnami.com/general/security/security-2021-12-10/ BMC Software : https://community.bmc.com/s/news/aA33n000000TSUdCAO/bmc-security-advisory-for-cve202144228-log4shell-vulnerability Boomi DELL : https://community.boomi.com/s/question/0D56S00009UQkx4SAD/is-boomi-installation-moleculegateway-protected-from-cve202144228-log4j Broadcom : https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793 CarbonBlack : https://community.carbonblack.com/t5/Threat-Research-Docs/Log4Shell-Log4j-Remote-Code-Execution-CVE-2021-44228/ta-p/109134 Cerberus FTP : https://support.cerberusftp.com/hc/en-us/articles/4412448183571-Cerberus-is-not-affected-by-CVE-2021-44228-log4j-0-day-vulnerability CheckPoint : https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk176865&partition=General&product=IPS Cisco: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd Citrix : https://support.citrix.com/article/CTX335705 CloudFlare : https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/ CPanel : https://forums.cpanel.net/threads/log4j-cve-2021-44228-does-it-affect-cpanel.696249/ CommVault https://community.commvault.com/technical-q-a-2/log4j-been-used-in-commvault-1985?postid=11745#post11745 ConcreteCMS.com : https://www.concretecms.com/about/blog/security/concrete-log4j-zero-day-exploit Connect2id : https://connect2id.com/blog/connect2id-server-12-5-1 ConnectWise : https://www.connectwise.com/company/trust/advisories ContrastSecurity : https://support.contrastsecurity.com/hc/en-us/articles/4412612486548 ControlUp : https://status.controlup.com/incidents/qqyvh7b1dz8k Coralogix : https://twitter.com/Coralogix/status/1469713430659559425 CouchBase : https://forums.couchbase.com/t/ann-elasticsearch-connector-4-3-3-4-2-13-fixes-log4j-vulnerability/32402 CyberArk : https://cyberark-customers.force.com/s/article/Critical-Vulnerability-CVE-2021-44228 Cybereason : https://www.cybereason.com/blog/cybereason-solutions-are-not-impacted-by-apache-log4j-vulnerability-cve-2021-44228 Datto : https://www.datto.com/blog/dattos-response-to-log4shell Debian : https://security-tracker.debian.org/tracker/CVE-2021-44228 Dell : https://www.dell.com/support/kbdoc/fr-fr/000194372/dsn-2021-007-dell-response-to-apache-log4j-remote-code-execution-vulnerability Docker : https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/ Docusign : https://www.docusign.com/trust/alerts/alert-docusign-statement-on-the-log4j2-vulnerability DRAW.IO : https://twitter.com/drawio/status/1470061320066277382 DropWizard : https://twitter.com/dropwizardio/status/1469285337524580359 DynaTrace : https://community.dynatrace.com/t5/Dynatrace-Open-Q-A/Impact-of-log4j-zero-day-vulnerability/m-p/177259/highlight/true#M19282 Eclipse Foundation : https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592#gistcomment-3992521 Elastic : https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 ESET : https://forum.eset.com/topic/30691-log4j-vulnerability/?do=findComment&comment=143745 ESRI : https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/ EVLLABS JGAAP : https://github.com/evllabs/JGAAP/releases/tag/v8.0.2 F5 Networks : https://support.f5.com/csp/article/K19026212 F-Secure https://status.f-secure.com/incidents/sk8vmr0h34pd Fastly : https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j ForcePoint : https://support.forcepoint.com/s/article/CVE-2021-44228-Java-log4j-vulnerability-mitigation-with-Forcepoint-Security-Manager Forescout : https://forescout.force.com/support/s/article/Important-security-information-related-to-Apache-Log4j-utility-CVE-2021-44228 ForgeRock : https://backstage.forgerock.com/knowledge/kb/book/b21824339 Fortinet : https://www.fortiguard.com/psirt/FG-IR-21-245 FusionAuth : https://fusionauth.io/blog/2021/12/10/log4j-fusionauth/ Genesys : https://www.genesys.com/blog/post/genesys-update-on-the-apache-log4j-vulnerability Ghidra : https://github.com/NationalSecurityAgency/ghidra/blob/2c73c72f0ba2720c6627be4005a721a5ebd64b46/README.md#warning GitHub : https://github.com/advisories/GHSA-jfh8-c2jp-5v3q GoAnywhere : https://www.goanywhere.com/cve-2021-44228-goanywhere-mitigation-steps Google Cloud Global Products coverage : https://cloud.google.com/log4j2-security-advisory Google Cloud Armor WAF : https://cloud.google.com/blog/products/identity-security/cloud-armor-waf-rule-to-help-address-apache-log4j-vulnerability GrayLog : https://www.graylog.org/post/graylog-update-for-log4j GratWiFi WARNING I can't confirm it: https://www.facebook.com/GratWiFi/posts/396447615600785 GuardedBox : https://twitter.com/GuardedBox/status/1469739834117799939 Guidewire : https://community.guidewire.com/s/article/Update-to-customers-who-have-questions-about-the-use-of-log4j-in-Guidewire-products HackerOne : https://twitter.com/jobertabma/status/1469490881854013444 HCL Software : https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486 Huawei : https://www.huawei.com/en/psirt/security-notices/huawei-sn-20211210-01-log4j2-en HostiFi : https://twitter.com/hostifi_net/status/1469511114824339464 I2P : https://geti2p.net/en/blog/post/2021/12/11/i2p-unaffected-cve-2021-44228 Ignite Realtime : https://discourse.igniterealtime.org/t/openfire-4-6-5-released/91108 Imperva : https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/ Inductive Automation : https://support.inductiveautomation.com/hc/en-us/articles/4416204541709-Regarding-CVE-2021-44228-Log4j-RCE-0-day Informatica : https://network.informatica.com/community/informatica-network/blog/2021/12/10/log4j-vulnerability-update Ivanti : https://forums.ivanti.com/s/article/CVE-2021-44228-Java-logging-library-log4j-Ivanti-Products-Impact-Mapping?language=en_US JAMF NATION : https://community.jamf.com/t5/jamf-pro/third-party-security-issue/td-p/253740 JazzSM DASH IBM : https://www.ibm.com/support/pages/node/6525552 Jenkins : https://www.jenkins.io/blog/2021/12/10/log4j2-rce-CVE-2021-44228/ JetBrains Teamcity : https://youtrack.jetbrains.com/issue/TW-74298 JFROG : https://twitter.com/jfrog/status/1469385793823199240 Jitsi : https://github.com/jitsi/security-advisories/blob/4e1ab58585a8a0593efccce77d5d0e22c5338605/advisories/JSA-2021-0004.md Kafka Connect CosmosDB : https://github.com/microsoft/kafka-connect-cosmosdb/blob/0f5d0c9dbf2812400bb480d1ff0672dfa6bb56f0/CHANGELOG.md Kaseya : https://helpdesk.kaseya.com/hc/en-gb/articles/4413449967377-Log4j2-Vulnerability-Assessment Keycloak : https://github.com/keycloak/keycloak/discussions/9078 Leanix : https://www.leanix.net/en/blog/log4j-vulnerability-log4shell LucentSKY : https://twitter.com/LucentSky/status/1469358706311974914 Lightbend : https://discuss.lightbend.com/t/regarding-the-log4j2-vulnerability-cve-2021-44228/9275 LogRhythm CISO email I can't confirmed : https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592#gistcomment-3992599 Macchina io : https://twitter.com/macchina_io/status/1469611606569099269 MailCow : https://github.com/mailcow/mailcow-dockerized/issues/4375 McAfee : https://kc.mcafee.com/corporate/index?page=content&id=KB95091 Metabase : https://github.com/metabase/metabase/commit/8bfce98beb25e48830ac2bfd57432301c5e3ab37 Microsoft : https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ Minecraft : https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition MISP : https://twitter.com/MISPProject/status/1470051242038673412 Mulesoft : https://help.mulesoft.com/s/article/Apache-Log4j2-vulnerability-December-2021 N-able : https://www.n-able.com/security-and-privacy/apache-log4j-vulnerability NELSON : https://github.com/getnelson/nelson/blob/f4d3dd1f1d4f8dfef02487f67aefb9c60ab48bf5/project/custom.scala NEO4J : https://community.neo4j.com/t/log4j-cve-mitigation-for-neo4j/48856 NetApp : https://security.netapp.com/advisory/ntap-20211210-0007/ Netflix : https://github.com/search?q=org%3ANetflix+CVE-2021-44228&type=commits NextGen Healthcare Mirth : https://github.com/nextgenhealthcare/connect/discussions/4892#discussioncomment-1789526 Newrelic : https://github.com/newrelic/newrelic-java-agent/issues/605 Nutanix : https://download.nutanix.com/alerts/Security_Advisory_0023.pdf Okta : https://sec.okta.com/articles/2021/12/log4shell OpenHab : https://github.com/openhab/openhab-distro/pull/1343 OpenNMS : https://www.opennms.com/en/blog/2021-12-10-opennms-products-affected-by-apache-log4j-vulnerability-cve-2021-44228/ OpenMRS TALK : https://talk.openmrs.org/t/urgent-security-advisory-2021-12-11-re-apache-log4j-2/35341 OpenSearch : https://discuss.opendistrocommunity.dev/t/log4j-patch-for-cve-2021-44228/7950 Oracle : https://www.oracle.com/security-alerts/alert-cve-2021-44228.html OxygenXML : https://www.oxygenxml.com/security/advisory/CVE-2019-17571.html Palo-Alto Networks : https://security.paloaltonetworks.com/CVE-2021-44228 PaperCut : https://www.papercut.com/support/known-issues/#PO-684 Parse.ly : https://blog.parse.ly/parse-ly-log4shell/ Pega : https://docs.pega.com/security-advisory/security-advisory-apache-log4j-zero-day-vulnerability PingIdentity : https://support.pingidentity.com/s/article/Log4j2-vulnerability-CVE-CVE-2021-44228 Positive Technologies : https://twitter.com/ptsecurity/status/1469398376978522116 Progress / IpSwitch : https://www.progress.com/security Pulse Secure : https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44933/?kA13Z000000L3dR Puppet : https://puppet.com/blog/puppet-response-to-remote-code-execution-vulnerability-cve-2021-44228/ Pure Storage : https://support.purestorage.com/Field_Bulletins/Interim_Security_Advisory_Regarding_CVE-2021-44228_(%22log4j%22) Qlik : https://community.qlik.com/t5/Support-Updates-Blog/Vulnerability-Testing-Apache-Log4j-reference-CVE-2021-44228-also/ba-p/1869368 Quest KACE : https://support.quest.com/kace-systems-management-appliance/kb/335869/is-the-kace-sma-affected-by-cve-2021-44228 Radware : https://support.radware.com/app/answers/answer_view/a_id/1029752 Red5Pro : https://www.red5pro.com/blog/red5-marked-safe-from-log4j-and-log4j2-zero-day/ RedHat : https://access.redhat.com/security/cve/cve-2021-44228 Revenera / Flexera : https://community.flexera.com/t5/Revenera-Company-News/Security-Advisory-Log4j-Java-Vulnerability-CVE-2021-44228/ba-p/216905 RunDeck by PagerDuty : https://docs.rundeck.com/docs/history/CVEs/ RSA : https://community.rsa.com/t5/general-security-advisories-and/rsa-customer-advisory-apache-vulnerability-log4j2-cve-2021-44228/ta-p/660501 Rubrik : https://support.rubrik.com/s/announcementdetail?Id=a406f000001PwOcAAK SAFE FME Server : https://community.safe.com/s/article/Is-FME-Server-Affected-by-the-Security-Vulnerability-Reported-Against-log4j SailPoint : https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-log4j-Remote-Code-Execution-Vulnerability/ba-p/206681 Salesforce : https://help.salesforce.com/s/articleView?id=000363736&type=1 SAP BusinessObjects : https://launchpad.support.sap.com/#/notes/3129956 SAP Global coverage : https://launchpad.support.sap.com/#/notes/3129930 SAS : https://support.sas.com/content/support/en/security-bulletins/remote-code-execution-vulnerability-cve-2021-44228.html Security Onion : https://blog.securityonion.net/2021/12/security-onion-2390-20211210-hotfix-now.html ServiceNow : https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1000959 Sesam Info : https://twitter.com/sesam_info/status/1469711992122486791 Shibboleth : http://shibboleth.net/pipermail/announce/2021-December/000253.html Signald : https://gitlab.com/signald/signald/-/issues/259 Skillable : https://skillable.com/log4shell/ SLF4J : http://slf4j.org/log4shell.html SmileCDR : https://www.smilecdr.com/our-blog/a-statement-on-log4shell-cve-2021-44228 Software AG : https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849 SolarWinds : https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228 SonarSource : https://community.sonarsource.com/t/sonarqube-and-the-log4j-vulnerability/54721 Sonatype : https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild SonicWall : https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 Sophos : https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce Splunk : https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html Spring Boot : https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot SUSE : https://www.suse.com/security/cve/CVE-2021-44228.html Sterling Order IBM : https://www.ibm.com/support/pages/node/6525544 Swingset : https://github.com/bpangburn/swingset/blob/017452b2d0d8370871f43a68043dacf53af7f759/swingset/CHANGELOG.txt#L10 Synopsys : https://community.synopsys.com/s/article/SIG-Security-Advisory-for-Apache-Log4J2-CVE-2021-44228 Talend : https://jira.talendforge.org/browse/TCOMP-2054 TealiumIQ : https://community.tealiumiq.com/t5/Announcements-Blog/Update-on-Log4j-Security-Vulnerability/ba-p/36824 TrendMicro : https://success.trendmicro.com/solution/000289940 Ubiquiti-UniFi-UI : https://community.ui.com/releases/UniFi-Network-Application-6-5-54/d717f241-48bb-4979-8b10-99db36ddabe1 Ubuntu : https://ubuntu.com/security/CVE-2021-44228 USSIGNAL MSP : https://ussignal.com/blog/apache-log4j-vulnerability Varonis : https://help.varonis.com/s/article/Apache-Log4j-Zero-Day-Vulnerability-CVE-2021-44228 Veeam : https://forums.veeam.com/veeam-backup-for-azure-f59/log4j-cve-2021-44228-vulnerability-t78225.html#p438231 Vespa ENGINE : https://github.com/vespa-engine/blog/blob/f281ce4399ed3e97b4fed32fcc36f9ba4b17b1e2/_posts/2021-12-10-log4j-vulnerability.md VMware : https://www.vmware.com/security/advisories/VMSA-2021-0028.html Wallarm : https://lab.wallarm.com/cve-2021-44228-mitigation-update/ WatchGuard / Secplicity / https://www.secplicity.org/2021/12/10/critical-rce-vulnerability-in-log4js/ WitFoo : https://www.witfoo.com/blog/emergency-update-for-cve-2021-44228-log4j/ Wowza : https://www.wowza.com/docs/known-issues-with-wowza-streaming-engine#log4j2-cve WSO2 : https://github.com/wso2/security-tools/pull/169 XCP-ng : https://xcp-ng.org/forum/topic/5315/log4j-vulnerability-impact Yandex-Cloud : https://github.com/yandex-cloud/docs/blob/6ff6c676787756e7dd6101c53b051e4cd04b3e85/ru/overview/security-bulletins/index.md#10122021--cve-2021-44228--%D1%83%D0%B4%D0%B0%D0%BB%D0%B5%D0%BD%D0%BD%D0%BE%D0%B5-%D0%B2%D1%8B%D0%BF%D0%BE%D0%BB%D0%BD%D0%B5%D0%BD%D0%B8%D0%B5-%D0%BA%D0%BE%D0%B4%D0%B0-log4shell-apache-log4j ZAMMAD : https://community.zammad.org/t/cve-2021-44228-elasticsearch-users-be-aware/8256 Zaproxy : https://www.zaproxy.org/blog/2021-12-10-zap-and-log4shell/ Zerto : https://help.zerto.com/kb/000004822 Zesty : https://www.zesty.io/mindshare/company-announcements/log4j-exploit/ ZSCALER : https://www.zscaler.fr/blogs/security-research/security-advisory-log4j-0-day-remote-code-execution-vulnerability-cve-2021 Top comments (0) Subscribe Personal Trusted User Create template Templates let you quickly answer FAQs or store snippets for re-use. Submit Preview Dismiss Code of Conduct • Report abuse Are you sure you want to hide this comment? It will become hidden in your post, but will still be visible via the comment's permalink. Hide child comments as well Confirm For further actions, you may consider blocking this person and/or reporting abuse
Top comments (0)