The Apache Software Foundation has released a security advisory to address a Remote Code Execution vulnerability (CVE-2021-44228, CVE-2021-45046 & CVE-2021-44832) & Denial of Service (CVE-2021-45105) being actively exploited in the wild. A remote attacker could exploit these vulnerabilities to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. System administrator should take remediation immediately.
Apache Log4j versions between 2 and 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. Attacker who can control log messages or log message parameters can
However, Apache Log4j 2.15.0 was incomplete in certain non-default configurations. It could allow attackers with
Another finding in Apache Log4j2 versions 2.0-beta7 through 2.17.0 which are vulnerable to a remote code execution (RCE) attack where:
It was found that Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. This could
(1) Products confirmed affected:
|Products||Affected Systems||Hotfix status||Remediation||Reference|
|Apache||All Apache Log4j Java Library versions from 2.0-alpha1 to 2.17.0.||Log4j 2.17.1 is ready||Upgrade to Log4j 2.17.1 or apply the recommended mitigations immediately.||https://logging.apache.org/log4j/2.x/security.html|
|Java||JDK versions lower than 6u211, 7u201, 8u191, and 11.0.1.||For Java 8 or later: Log4j to 2.17.1 is ready||Java 8 (or later) should upgrade to release 2.17.1.||https://www.oracle.com/java/technologies/javase/products-doc-8u121-revision-builds-relnotes.html
|For Java 7: Log4j 2.12.4 is ready||Java 7 should upgrade to release 2.12.4.|
|For Java 6: Log4j 2.3.2 is ready||Java 6 should upgrade to release 2.3.2.|
|Palo Alto||PAN-OS 9.0, PAN-OS 9.1, and PAN-OS 10.0 versions for Panorama
This issue is only applicable to Panorama hardware and virtual appliances that have run in Panorama Mode or Log Collector Mode as part of a Collector Group. You can determine if the Panorama is part of a Collector Group by visiting ‘Panorama > Managed Collectors’ from the web interface.
|Fixes in PAN-OS 9.0.15, PAN-OS 9.1.12-h3, PAN-OS 10.0.8-h8 are available.||Please apply the fix immediately.
If Panorama is running an impacted version of PAN-OS, and you are able to upgrade to PAN-OS 10.1, upgrade all appliances in affected Collector Groups to the latest PAN-OS 10.1 Preferred release (PAN-OS 10.1.3-h1 at time of publication) to remediate these issues.
NOTE: Downgrading to PAN-OS 10.0 or earlier PAN-OS versions is not currently supported once Panorama is upgraded to PAN-OS 10.1.
|Palo Alto Networks Security Advisories:|
|IBM SPSS||SPSS Statistics 24.0 or earlier: these versions are End of Service and are no longer supported.||Not available as end of support.||Please upgrade to a supported release, i.e. 25.0 or later.||Please contact ITSC Service Desk in getting the fixes.|
|SPSS Statistics 25.0 and later||Fixes for 25.0 and later are available.||Please apply fixes immediately.|
|IBM WebSphere||WebSphere Application Server Liberty Continuous delivery||Fix Pack 188.8.131.52 is in development||Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH42762 first.
Apply Fix Pack when they are available.
|WebSphere Application Server versions 9.0||Fix Pack 184.108.40.206 is in development|
|WebSphere Application Server versions 8.5||Fix Pack 220.127.116.11 is in development|
|WebSphere Application Server versions 8.0||Fix Pack 18.104.22.168 is in development|
|WebSphere Application Server versions 7.0||Fix Pack 22.214.171.124 is in development|
|VMware||Multiple products||Fixes for some product are available||Please apply fixes immediately.||https://www.vmware.com/security/advisories/VMSA-2021-0028.html|
|Some products which still pending for patches||Please implement related ‘Workarounds’ first.|
|RedHat||Some of the Openshift and JBoss packages||Security errata for most affected platforms are released||Please apply the errata immediately.||https://access.redhat.com/security/cve/cve-2021-44228|
|Microsoft||Multiple products||Security Update for some products are available in Security Update Guide||Please implement the updates immediately.||Microsoft’s Response to CVE-2021-44228 Apache Log4j 2
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/CVE-2021-44228 – Security Update Guide – Microsoft – Apache Log4j Remote Code Execution Vulnerability
|Some products which still pending for update patch||Please refer to related ‘Additional Information’ link in their Security Update Guide.|
|Citrix||Multiple products||Update patches are available||Please apply related latest patch as soon as possible||https://support.citrix.com/article/CTX335705|
(2) Products still under evaluation:
(3) Products which can detect the vulnerability:
|Microsoft||Microsoft Defender and other MS security solutions||Guidance for preventing detecting and hunting for CVE-2021-44228 log4j2 exploitation
|Kaspersky||Kaspersky Endpoint Security for Business||Kaspersky products protect against attacks leveraging the vulnerability under the following names:
|Palo Alto||Applications and Threats Content version 8502 released||Vulnerability Signatures ID: 91994, 91995, 92001|
|Fortinet||Fortigate|| Log4j2 Vulnerability | FortiGuard (https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability)
Fortinet has additional research relating to Log4j. This blog discusses the vulnerability, what protections Fortinet has in place to protect our customers, and the work being done to ensure that Fortinet products are not susceptible to this vulnerability. This Threat Signal provides answers to some additional questions surrounding the vulnerability.
Published on: 11 Dec 2021
Last update on: 30 Dec 2021
|cookielawinfo-checkbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checkbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|