From 52f9068773b99d6d1b95ba7dedb239639d976660 Mon Sep 17 00:00:00 2001 From: dawnpm Date: Tue, 21 Dec 2021 17:57:17 -0500 Subject: [PATCH 01/47] Add missing solutions * Apache2 * Resque * Amazon: Athena CloudFront CloudWatch EBS ElastiCache ELB Glacier IAM KMS OpsWorks Stacks RDS Route 53 S3 VPC --- SOFTWARE-LIST.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index feec338..0e9e4c9 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -52,12 +52,27 @@ This list was initially populated using information from the following sources: | Alfresco | | | | | [Alfresco Blog Post](https://hub.alfresco.com/t5/alfresco-content-services-blog/cve-2021-44228-related-to-apache-log4j-security-advisory/ba-p/310717) | | | | | AlienVault | | | | | [AlienVault Article Link](https://success.alienvault.com/s/article/are-USM-Anywhere-or-USM-Central-vulnerable-to-CVE-2021-44228) | | | | | Alphatron Medical | | | | | [Alphatron Medical Website](https://www.alphatronmedical.com/home.html) | | | | +| Amazon | Athena | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | | Amazon | AWS | Linux 1,2 | Not Affected | No | | Notes: Amazon Linux 1 had aws apitools which were Java based but these were deprecated in 2015 [AWS Forum](https://forums.aws.amazon.com/thread.jspa?threadID=323611). AMIs used to inspect and verify (base spin ups) - amzn-ami-hvm-2018.03.0.20200318.1-x86_64-gp2 and amzn2-ami-kernel-5.10-hvm-2.0.20211201.0-x86_64-gp2 | | 12/15/2021 | | Amazon | AWS API Gateway | All | Fixed | | [Amazon AWS Link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | 12/20/2021 | +| Amazon | CloudFront | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | | Amazon | AWS CloudHSM | < 3.4.1. 
| Affected | | [Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)](https://aws.amazon.com/security/security-bulletins/AWS-2021-005/) | | | | -| Amazon | AWS Lambda | Unknown | Affected | Yes | [Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)](https://aws.amazon.com/security/security-bulletins/AWS-2021-005/) | | | | +| Amazon | CloudWatch | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | +| Amazon | EBS | | | | | | | | | Amazon | EC2 | Amazon Linux 1 & 2 | Not Affected | | [Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | 12/15/2021 | +| Amazon | ElastiCache | | Not Affected | | | | | | +| Amazon | ELB | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | +| Amazon | AWS Lambda | Unknown | Affected | Yes | [Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)](https://aws.amazon.com/security/security-bulletins/AWS-2021-005/) | | | | +| Amazon | Glacier | | | | | | | | +| Amazon | IAM | | | | | | | | +| Amazon | KMS | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | | Amazon | OpenSearch | Unknown | Affected | Yes [(R20211203-P2)](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | [Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)](https://aws.amazon.com/security/security-bulletins/AWS-2021-005/) | | | | +| Amazon | OpsWorks Stacks | | | | | | | | +| Amazon | RDS | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | +| Amazon | Route 53 | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | +| Amazon | S3 | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | +| Amazon | VPC | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | +| Apache | Apache2 | | | | | | | | | Apache | Camel | 
3.14.1.3.11.5,3.7.7 | Affected | Yes | [APACHE CAMEL AND CVE-2021-44228 (LOG4J)](https://camel.apache.org/blog/2021/12/log4j2/)| Apache Camel does not directly depend on Log4j 2, so we are not affected by CVE-2021-44228.If you explicitly added the Log4j 2 dependency to your own applications, make sure to upgrade.Apache Camel does use log4j during testing itself, and therefore you can find that we have been using log4j v2.13.3 release in our latest LTS releases Camel 3.7.6, 3.11.4. | | 12/13/2021 | | Apache | Camel Quarkus | | Not Affected | No | [APACHE CAMEL AND CVE-2021-44228 (LOG4J)](https://camel.apache.org/blog/2021/12/log4j2/) | | | 12/13/2021 | | Apache | Camel K | | Not Affected | No | [APACHE CAMEL AND CVE-2021-44228 (LOG4J)](https://camel.apache.org/blog/2021/12/log4j2/) | | | 12/13/2021 | @@ -1902,6 +1917,7 @@ This list was initially populated using information from the following sources: | Reiner SCT | | | | | [Reiner SCT Forum](https://forum.reiner-sct.com/index.php?/topic/5973-timecard-und-log4j-schwachstelle/&do=findComment&comment=14933) | | | | | ReportURI | | | | | [ReportURI Link](https://scotthelme.co.uk/responding-to-the-log4j-2-vulnerability/) | | | | | Respondus | | | | | [Respondus Support Link](https://support.respondus.com/support/index.php?/News/NewsItem/View/339) |This advisory is available to customers only and has not been reviewed by CISA | | | +| Resque | Resque | | | | | | | | | Revenera / Flexera | | | | | [Revenera / Flexera Community Link](https://community.flexera.com/t5/Revenera-Company-News/Security-Advisory-Log4j-Java-Vulnerability-CVE-2021-44228/ba-p/216905) | | | | | Ricoh | | | | | [Ricoh Link](https://www.ricoh.com/info/2021/1215_1/) | | | | | RingCentral | | | | | [RingCentral Security Bulletin](https://www.ringcentral.com/trust-center/security-bulletin.html) | | | | From c92ba2ea0f0905767780688e1d0997f43feb311e Mon Sep 17 00:00:00 2001 
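Review bot: In the @@ -52,12 +52,27 @@ hunk of PATCH 01/47, the new Amazon rows (Athena, CloudFront, CloudWatch, ELB, KMS, RDS, Route 53, S3, VPC) put a bare URL in the Vendor Link column, while the neighbouring rows use the `[text](url)` form, for example `[Amazon AWS Link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/)`; please use the same form. The rows for EBS, Glacier, IAM, OpsWorks Stacks and Apache2, and the Resque row in the @@ -1902,6 +1917,7 @@ hunk, have no status, link or date, and ElastiCache is marked Not Affected with no source, so a reader cannot verify any of them: add the vendor reference and a Last Updated date, or leave those rows out until there is one. The AWS Lambda row is also moved further down without that being mentioned in the commit message.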
From: Dan Ivovich Date: Wed, 22 Dec 2021 07:57:19 -0500 Subject: [PATCH 02/47] Add S3, Circle, and Cloud.gov --- SOFTWARE-LIST.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 8a41688..e0033c4 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -58,6 +58,7 @@ This list was initially populated using information from the following sources: | Amazon | AWS Lambda | Unknown | Affected | Yes | [Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)](https://aws.amazon.com/security/security-bulletins/AWS-2021-005/) | | | | | Amazon | EC2 | Amazon Linux 1 & 2 | Not Affected | | [Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | 12/15/2021 | | Amazon | OpenSearch | Unknown | Affected | Yes [(R20211203-P2)](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | [Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)](https://aws.amazon.com/security/security-bulletins/AWS-2021-005/) | | | | +| Amazon | S3 | | Fixed | | [Update for Apache Log4j2](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | 12/21/2021 | | Apache | ActiveMQ Artemis | All | Not Affected | Yes | [ApacheMQ - Update on CVE-2021-4428](https://activemq.apache.org/news/cve-2021-44228) | ActiveMQ Artemis does not use Log4j for logging. However, Log4j 1.2.17 is included in the Hawtio-based web console application archive (i.e. [web/console.war/WEB-INF/lib](web/console.war/WEB-INF/lib)). Although this version of Log4j is not impacted by CVE-2021-44228 future versions of Artemis will be updated so that the Log4j jar is no longer included in the web console application archive. See [ARTEMIS-3612](https://issues.apache.org/jira/browse/ARTEMIS-3612) for more information on that task. 
| | 12/21/2021 | | Apache | Camel | 3.14.1.3.11.5,3.7.7 | Affected | Yes | [APACHE CAMEL AND CVE-2021-44228 (LOG4J)](https://camel.apache.org/blog/2021/12/log4j2/)| Apache Camel does not directly depend on Log4j 2, so we are not affected by CVE-2021-44228.If you explicitly added the Log4j 2 dependency to your own applications, make sure to upgrade.Apache Camel does use log4j during testing itself, and therefore you can find that we have been using log4j v2.13.3 release in our latest LTS releases Camel 3.7.6, 3.11.4. | | 12/13/2021 | | Apache | Camel Quarkus | | Not Affected | No | [APACHE CAMEL AND CVE-2021-44228 (LOG4J)](https://camel.apache.org/blog/2021/12/log4j2/) | | | 12/13/2021 | @@ -300,6 +301,7 @@ This list was initially populated using information from the following sources: | Check Point | ThreatCloud | | Not Affected | | | | | | | CheckMK | | | | | [CheckMK Forum](https://forum.checkmk.com/t/checkmk-not-affected-by-log4shell/28643/3) | | | | | Ciphermail | | | | | [Ciphermail Blog Post](https://www.ciphermail.com/blog/ciphermail-gateway-and-webmail-messenger-are-not-vulnerable-to-cve-2021-44228.html) | | | | +| CircleCI | CircleCI | | Not affected | | [CircleCI / Log4j Information CVE-2021-44228](https://discuss.circleci.com/t/circleci-log4j-information-cve-2021-4422) | | | 12/21/2021 | | CIS | | | | | [CIS Customer Portal](https://cisecurity.atlassian.net/servicedesk/customer/portal/15/article/2434301961) | | | | | Cisco | AppDynamics | | Affected | Yes | [Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) | | | | | Cisco | Cisco Common Services Platform Collector | | Under Investigation | | [Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) | | | | 
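Review bot: The CircleCI link added in the @@ -300,6 +301,7 @@ hunk of PATCH 02/47 ends in `cve-2021-4422`, one digit short of the CVE-2021-44228 in its own link text, so the URL looks truncated; please confirm that it resolves and paste the full address. The status is written "Not affected" where the Check Point row just above uses "Not Affected"; matching the capitalisation keeps the column searchable. In the @@ -58,6 +58,7 @@ hunk, the new Amazon S3 row covers the same product as the S3 row added by PATCH 01/47, so applying both leaves two S3 entries; keep this one, which has the link text and the date.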
@@ -1007,6 +1009,7 @@ This list was initially populated using information from the following sources: | Gravwell | | | | | [Gravwell Statement](https://www.gravwell.io/blog/cve-2021-44228-log4j-does-not-impact-gravwell-products) | | | | | Graylog | Graylog Server | All versions >= 1.2.0 and <= 4.2.2 | Affected | Yes | [Graylog Update for Log4j](https://www.graylog.org/post/graylog-update-for-log4j) | | | | | GreenShot | | | | | [GreenShot Statement](https://greenshot.atlassian.net/browse/BUG-2871) | | | | +| GSA | Cloud.gov | | Fixed | | [Log4j Customer responsibility](https://cloud.gov/2021/12/14/log4j-buildpack-updates/) | | | 12/21/2021 | | Guidewire | | | | | [Guidewire Statement](https://community.guidewire.com/s/article/Update-to-customers-who-have-questions-about-the-use-of-log4j-in-Guidewire-products) | | | | | HAProxy | | | | | [HAProxy Statement](https://www.haproxy.com/blog/december-2021-log4shell-mitigation/) | | | | | HarmanPro AMX | | | | | [HarmanPro AMX Statement](https://help.harmanpro.com/apache-log4j-vulnerability) | | | | From 0f70101a3de86ad77f48d24fa4c87df94fc786b8 Mon Sep 17 00:00:00 2001 From: Juliann Phelps <42777616+juliannphelpsGSA@users.noreply.github.com> Date: Wed, 22 Dec 2021 10:43:59 -0500 Subject: [PATCH 03/47] Update SOFTWARE-LIST.md Adding UiPath to software list --- SOFTWARE-LIST.md | 39 +-------------------------------------- 1 file changed, 1 insertion(+), 38 deletions(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 23396dc..1539ec2 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
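Review bot: The Cloud.gov row in the @@ -1007,6 +1009,7 @@ hunk of PATCH 02/47 is marked Fixed with an empty Notes cell, but its link is titled "Log4j Customer responsibility" and points at a buildpack-update post, which suggests that customers still have something to do. State the customer action in the Notes column, so that "Fixed" is not read as "no action needed".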
@@ -1790,9 +1790,6 @@ This list was initially populated using information from the following sources: | Pexip | | | | | [Pexip Link](https://www.pexip.com/blog1.0/pexip-statement-on-log4j-vulnerability) | | | | | Phenix Id | | | | | [Phenix Id Support Link](https://support.phenixid.se/uncategorized/log4j-fix/) | | | | | Philips | Multiple products | | | | [Philips Security Advisory](https://www.philips.com/a-w/security/security-advisories.html) | | | | -| PHOENIX CONTACT | Physical products containing firmware | | Not Affected | | [PHOENIX CONTACT Advisory Link](https://dam-mdc.phoenixcontact.com/asset/156443151564/1a0f6db6bbc86540bfe4f05fd65877f4/Vulnerability_Statement_Log4J_20211215.pdf) | | | 12/22/2021 | -| PHOENIX CONTACT | Software Products | | Not Affected | | [PHOENIX CONTACT Advisory Link](https://dam-mdc.phoenixcontact.com/asset/156443151564/1a0f6db6bbc86540bfe4f05fd65877f4/Vulnerability_Statement_Log4J_20211215.pdf) | | | 12/22/2021 | -| PHOENIX CONTACT | Cloud Services | | Affected | | [PHOENIX CONTACT Advisory Link](https://dam-mdc.phoenixcontact.com/asset/156443151564/1a0f6db6bbc86540bfe4f05fd65877f4/Vulnerability_Statement_Log4J_20211215.pdf) | Partly affected. Remediations are being implemented. | | 12/22/2021 | | Ping Identity | PingAccess | 4.0 <= version <= 6.3.2 | Affected | Yes | [Log4j2 vulnerability CVE-2021-44228](https://support.pingidentity.com/s/article/Log4j2-vulnerability-CVE-CVE-2021-44228) | | | 2021-12-15 | | Ping Identity | PingCentral | | Affected | Yes | [Log4j2 vulnerability CVE-2021-44228](https://support.pingidentity.com/s/article/Log4j2-vulnerability-CVE-CVE-2021-44228) | | | 2021-12-15 | | Ping Identity | PingFederate | 8.0 <= version <= 10.3.4 | Affected | Yes | [Log4j2 vulnerability CVE-2021-44228](https://support.pingidentity.com/s/article/Log4j2-vulnerability-CVE-CVE-2021-44228) | | | 2021-12-15 | 
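Review bot: The three PHOENIX CONTACT rows removed in this hunk are not covered by the commit message, which only says "Adding UiPath to software list", while the diffstat reports 1 insertion and 38 deletions. The removed rows are all dated 12/22/2021, the same day as the commit, which suggests the file was edited from a copy that predates them. Rebase onto the current SOFTWARE-LIST.md so the patch contains only the UiPath addition; the same applies to the Thermo Fisher Scientific row removed in the @@ -2300,7 +2263,6 @@ hunk.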
@@ -2102,40 +2099,6 @@ This list was initially populated using information from the following sources: | Siemens | VeSys | All Versions >=2019.1 SP1912 only if Teamcenter integration feature is used |Affected | No|[Siemens Advisory - SSA-661257: Apache Log4j Vulnerabilities](https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf)| Currently no remediation is available. Find detailed mitigation steps [here](https://support.sw.siemens.com/en-US/knowledgebase/MG618363). See further recommendations from [Siemens Advisory SSA-661257](https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf)| |12/18/2021 | | Siemens | Xpedition Enterprise | All Versions >=VX.2.6 | Affected | No| [Siemens Advisory - SSA-661257: Apache Log4j Vulnerabilities](https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf) |Currently no remediation is available. Find detailed mitigation steps [here](https://support.sw.siemens.com/en-US/knowledge-base/MG618343). See further recommendations from [Siemens Advisory SSA-661257](https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf) | | 12/18/2021 | | Siemens | Xpedition IC Packaging | All Versions >=VX.2.6 | Affected | No| [Siemens Advisory - SSA-661257: Apache Log4j Vulnerabilities](https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf) |Currently no remediation is available. Find detailed mitigation steps [here](https://support.sw.siemens.com/en-US/knowledge-base/MG618343). 
See further recommendations from [Siemens Advisory SSA-661257](https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf).| |12/18/2021 | -| Siemens Healthineers | ATELLICA DATA MANAGER v1.1.1 / v1.2.1 / v1.3.1 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | If you have determined that your Atellica Data Manager has a “Java communication engine” service, and you require an immediate mitigation, then please contact your Siemens Customer Care Center or your local Siemens technical support representative. | | 12/22/2021 | -| Siemens Healthineers | CENTRALINK v16.0.2 / v16.0.3 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | If you have determined that your CentraLink has a “Java communication engine” service, and you require a mitigation, then please contact your Siemens Customer Care Center or your local Siemens technical support representative. 
| | 12/22/2021 | -| Siemens Healthineers | DICOM Proxy VB10A | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | Workaround: remove the vulnerable class from the .jar file | | 12/22/2021 | -| Siemens Healthineers | Somatom Scope Som5 VC50 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | evaluation ongoing | | 12/22/2021 | -| Siemens Healthineers | Somatom Emotion Som5 VC50 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | evaluation ongoing | | 12/22/2021 | -| Siemens Healthineers | go.All, Som10 VA20 / VA30 / VA40 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | Workaround: In the meantime, we recommend preventing access to port 8090 from other devices by configuration of the hospital network. | | 12/22/2021 | -| Siemens Healthineers | go.Fit, Som10 VA30 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | Workaround: In the meantime, we recommend preventing access to port 8090 from other devices by configuration of the hospital network. | | 12/22/2021 | -| Siemens Healthineers | go.Now, Som10 VA10 / VA20 / VA30 / VA40 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | Workaround: In the meantime, we recommend preventing access to port 8090 from other devices by configuration of the hospital network. 
| | 12/22/2021 | -| Siemens Healthineers | go.Open Pro, Som10 VA30 / VA40 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | Workaround: In the meantime, we recommend preventing access to port 8090 from other devices by configuration of the hospital network. | | 12/22/2021 | -| Siemens Healthineers | go.Sim, Som10 VA30 / VA40 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | Workaround: In the meantime, we recommend preventing access to port 8090 from other devices by configuration of the hospital network. | | 12/22/2021 | -| Siemens Healthineers | go.Top, Som10 VA20 / VA20A_SP5 / VA30 / VA40 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | Workaround: In the meantime, we recommend preventing access to port 8090 from other devices by configuration of the hospital network. | | 12/22/2021 | -| Siemens Healthineers | go.Up, Som10 VA10 / VA20 / VA30 / VA40 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | Workaround: In the meantime, we recommend preventing access to port 8090 from other devices by configuration of the hospital network. | | 12/22/2021 | -| Siemens Healthineers | MAGNETOM AERA 1,5T, MAGNETOM PRISMA, MAGNETOM PRISMA FIT, MAGNETOM SKYRA 3T NUMARIS/X VA30A | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | LOG4J is used in the context of the help system. Workaround: close port 8090 for standalone systems. Setup IP whitelisting for "need to access" systems to network port 8090 in case a second console is connected. 
| | 12/22/2021 | -| Siemens Healthineers | MAGNETOM Altea NUMARIS/X VA20A | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | LOG4J is used in the context of the help system. Workaround: close port 8090 for standalone systems. Setup IP whitelisting for "need to access" systems to network port 8090 in case a second console is connected. | | 12/22/2021 | -| Siemens Healthineers | MAGNETOM ALTEA, MAGNETOM LUMINA, MAGNETOM SOLA, MAGNETOM VIDA NUMARIS/X VA31A | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | LOG4J is used in the context of the help system. Workaround: close port 8090 for standalone systems. Setup IP whitelisting for "need to access" systems to network port 8090 in case a second console is connected. | | 12/22/2021 | -| Siemens Healthineers | MAGNETOM Amira NUMARIS/X VA12M | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | LOG4J is used in the context of the help system. Workaround: close port 8090 for standalone systems. Setup IP whitelisting for "need to access" systems to network port 8090 in case a second console is connected. | | 12/22/2021 | -| Siemens Healthineers | MAGNETOM Free.Max NUMARIS/X VA40 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | LOG4J is used in the context of the help system. Workaround: close port 8090 for standalone systems. Setup IP whitelisting for "need to access" systems to network port 8090 in case a second console is connected. 
| | 12/22/2021 | -| Siemens Healthineers | MAGNETOM Lumina NUMARIS/X VA20A | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | LOG4J is used in the context of the help system. Workaround: close port 8090 for standalone systems. Setup IP whitelisting for "need to access" systems to network port 8090 in case a second console is connected. | | 12/22/2021 | -| Siemens Healthineers | MAGNETOM Sempra NUMARIS/X VA12M | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | LOG4J is used in the context of the help system. Workaround: close port 8090 for standalone systems. Setup IP whitelisting for "need to access" systems to network port 8090 in case a second console is connected. | | 12/22/2021 | -| Siemens Healthineers | MAGNETOM Sola fit NUMARIS/X VA20A | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | LOG4J is used in the context of the help system. Workaround: close port 8090 for standalone systems. Setup IP whitelisting for "need to access" systems to network port 8090 in case a second console is connected. | | 12/22/2021 | -| Siemens Healthineers | MAGNETOM Sola NUMARIS/X VA20A | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | LOG4J is used in the context of the help system. Workaround: close port 8090 for standalone systems. Setup IP whitelisting for "need to access" systems to network port 8090 in case a second console is connected. 
| | 12/22/2021 | -| Siemens Healthineers | MAGNETOM Vida fit NUMARIS/X VA20A | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | LOG4J is used in the context of the help system. Workaround: close port 8090 for standalone systems. Setup IP whitelisting for "need to access" systems to network port 8090 in case a second console is connected. | | 12/22/2021 | -| Siemens Healthineers | MAGNETOM Vida NUMARIS/X VA10A* / VA20A | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | LOG4J is used in the context of the help system. Workaround: close port 8090 for standalone systems. Setup IP whitelisting for "need to access" systems to network port 8090 in case a second console is connected. | | 12/22/2021 | -| Siemens Healthineers | Syngo Carbon Space VA10A / VA10A-CUT2 / VA20A | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | Workaround: remove the vulnerable class from the .jar file | | 12/22/2021 | -| Siemens Healthineers | Syngo MobileViewer VA10A | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | The vulnerability will be patch/mitigated in upcoming releases\patches. 
| | 12/22/2021 | -| Siemens Healthineers | syngo Plaza VB20A / VB20A_HF01 - HF07 / VB30A / VB30A_HF01 / VB30A_HF02 / VB30B / VB30C / VB30C_HF01 - HF06 / VB30C_HF91 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | Workaround: remove the vulnerable class from the .jar file | | 12/22/2021 | -| Siemens Healthineers | syngo Workflow MLR VB37A / VB37A_HF01 / VB37A_HF02 / VB37B / VB37B_HF01 - HF07 / VB37B_HF93 / VB37B_HF94 / VB37B_HF96 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | Please contact your Customer Service to get support on mitigating the vulnerability. | | 12/22/2021 | -| Siemens Healthineers | syngo.via VB20A / VB20A_HF01 - HF08 / VB20A_HF91 / VB20B / VB30A / VB30A_HF01 - VB30A_HF08 / VB30A_HF91VB30B / VB30B_HF01 / VB40A / VB40A_HF01 - HF02 /VB40B / VB40B_HF01 - HF05 / VB50A / VB50A_CUT / VB50A_D4VB50B / VB50B_HF01 - HF03 / VB60A / VB60A_CUT / VB60A_D4 / VB60A_HF01 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | Workaround: remove the vulnerable class from the .jar file | | 12/22/2021 | -| Siemens Healthineers | SENSIS DMCC / DMCM / TS / VM / PPWS / DS VD12A | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | evaluation ongoing | | 12/22/2021 | -| Siemens Healthineers | Cios Select FD/I.I. 
VA21 / VA21-S3P | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | evaluation ongoing | | 12/22/2021 | -| Siemens Healthineers | Cios Flow S1 / Alpha / Spin VA30 | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | evaluation ongoing | | 12/22/2021 | -| Siemens Healthineers | syngo.via WebViewer VA13B / VA20A / VA20B | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | Workaround: remove the vulnerable class from the .jar file | | 12/22/2021 | -| Siemens Healthineers | X.Ceed Somaris 10 VA40* | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | Workaround: In the meantime, we recommend preventing access to port 8090 from other devices by configuration of the hospital network. | | 12/22/2021 | -| Siemens Healthineers | X.Cite Somaris 10 VA30*/VA40* | | Affected | See Notes | [Siemens Healthineers](https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/cve-2021-44228) | Workaround: In the meantime, we recommend preventing access to port 8090 from other devices by configuration of the hospital network. 
| | 12/22/2021 | | Sierra Wireless | | | | | [Sierra Wireless Security Bulletin](https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2021-007/) | | | | | Signald | | | | | [Signald Gitlab](https://gitlab.com/signald/signald/-/issues/259) | | | | | Silver Peak | Orchestrator, Silver Peak GMS | | Affected | No | [Security Advisory Notice Apache](https://www.arubanetworks.com/website/techdocs/sdwan/docs/advisories/media/security_advisory_notice_apache_log4j2_cve_2021_44228.pdf) | Customer managed Orchestrator and legacy GMS products are affected by this vulnerability. This includes on-premise and customer managed instances running in public cloud services such as AWS, Azure, Google, or Oracle Cloud. See Corrective Action Required for details about how to mitigate this exploit. | | 12/14/2021 | 
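Review bot: The @@ -2102,40 +2099,6 @@ hunk deletes the whole Siemens Healthineers block (34 rows, all marked Affected), and with it the workaround notes those rows carry: preventing access to port 8090 from other devices, removing the vulnerable class from the .jar file, and the instruction to contact Siemens support. Nothing in the patch replaces them, so a reader of the merged list would no longer see that these products are affected or how to mitigate. Restore the rows; if the removal is intended, it needs its own commit with the reason stated.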
@@ -2300,7 +2263,6 @@ This list was initially populated using information from the following sources: | Thales | Sentinel Professional Services components (both Thales hosted & hosted on-premises by customers) | | Affected | | [Thales Support](https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=12acaed3dbd841105d310573f3961953&sysparm_article=KB0025297) | | | 12/17/2021 | | Thales | Sentinel SCL | | Affected | | [Thales Support](https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=12acaed3dbd841105d310573f3961953&sysparm_article=KB0025297) | | | 12/17/2021 | | Thales | Thales Data Platform (TDP)(DDC) | | Affected | | [Thales Support](https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=12acaed3dbd841105d310573f3961953&sysparm_article=KB0025297) | | | 12/17/2021 | -| Thermo Fisher Scientific | | | Unknown | | [Thermo Fisher Scientific Advisory Link](https://corporate.thermofisher.com/us/en/index/about/information-security/Protecting-Our-Products.html) | | | 12/22/2021 | | Thomson Reuters | HighQ Appliance | <3.5 | Affected | Yes | [https://highqsolutions.zendesk.com](https://highqsolutions.zendesk.com) | Reported by vendor - Documentation is in vendor's client portal (login required). This advisory is available to customer only and has not been reviewed by CISA. | | 12/20/2021 | | ThreatLocker | | | | | [ThreatLocker Log4j Statement](https://threatlocker.kb.help/log4j-vulnerability/) | | | | | ThycoticCentrify | Secret Server | N/A | Not Affected | | [ThycoticCentrify Products NOT Affected by CVE-2021-44228 Exploit](https://docs.thycotic.com/bulletins/current/2021/cve-2021-44228-exploit.md) | | | 12/10/15 | 
@@ -2331,6 +2293,7 @@ This list was initially populated using information from the following sources: | UniFlow | | | | | [UniFlow Security Advisory](https://www.uniflow.global/en/security/security-and-maintenance/) | | | | | Unify ATOS | | | | | [Unify ATOS Advisory](https://networks.unify.com/security/advisories/OBSO-2112-01.pdf) | | | | | Unimus | | | | | [Unimus Statement](https://forum.unimus.net/viewtopic.php?f=7&t=1390#top) | | | | +| UiPath |InSights|20.10|Affected|Yes| [UiPath Statement](https://www.uipath.com/legal/trust-and-security/cve-2021-44228) | | | | | USSIGNAL MSP | | | | | [USSIGNAL MSP Statement](https://ussignal.com/blog/apache-log4j-vulnerability) | | | | | VArmour | | | | | [VArmour Statement](https://support.varmour.com/hc/en-us/articles/4416396248717-Log4j2-Emergency-Configuration-Change-for-Critical-Auth-Free-Code-Execution-in-Logging-Utility) | | | | | Varnish Software | | | | | [Varnish Software Security Notice](https://docs.varnish-software.com/security/CVE-2021-44228-45046/) | | | | From 707ce3a6522916f6d1ebdfd8a2c892e1db735132 Mon Sep 17 00:00:00 2001 From: Rick van Galen <1130569+DCKcode@users.noreply.github.com> Date: Thu, 23 Dec 2021 14:33:27 -0500 Subject: [PATCH 04/47] Use official statement for 1Password --- SOFTWARE-LIST.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 7d3fb15..63bd4ea 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
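Review bot: The UiPath row added in the @@ -2331,6 +2293,7 @@ hunk of PATCH 03/47 sits after Unimus, but the surrounding rows are in alphabetical order (UniFlow, Unify ATOS, Unimus, USSIGNAL MSP) and "UiPath" sorts before "UniFlow"; move it up. The cells are written without padding (`|InSights|20.10|Affected|Yes|`), unlike the rest of the table, and Last Updated is empty although the row is being added now; please pad the cells and fill in the date.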
@@ -19,7 +19,7 @@ This list was initially populated using information from the following sources: | Vendor | Product | Version(s) | Status | Update Available | Vendor Link | Notes | Other References | Last Updated | | ------ | ------- | ---------- | ------ | ---------------- | ----------- | ----- | ---------------- | ------------ | -| 1Password | 1Password | | Not affected | | [1Password public response on Reddit](https://www.reddit.com/r/1Password/comments/rea7dd/comment/hoe41ci) | | | 12/20/2021 | +| 1Password | All products | | Not affected | | [1Password statement](https://support.1password.com/kb/202112/) | | | 12/23/2021 | | 2n | | | | | [2n Advisory Link](https://www.2n.com/cs_CZ/novinky/produkty-2n-neohrozuje-zranitelnost-cve-2021-44228-komponenty-log4j-2) | | | | | 3CX | | | | | [3CX Community Thread Link](https://www.3cx.com/community/threads/log4j-vulnerability-cve-2021-44228.86436/#post-407911) | | | | | 3M Health Information Systems | CGS | | Affected | Unknown |[CGS: Log4j Software Update(login required)](https://support.3mhis.com/app/account/updates/ri/5210) | This advisory is available to customer only and has not been reviewed by CISA. | | 12/15/2021 | From 041438752c4281806a4899d1effa845690e6165a Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Thu, 23 Dec 2021 16:08:04 -0500 Subject: [PATCH 05/47] Add CISA rec mitigation measures --- README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 09cda7d..e98353c 100644 --- a/README.md +++ b/README.md 
@@ -20,7 +20,8 @@ or imply their endorsement, recommendation, or favoring by CISA. ## Official CISA Guidance & Resources ## - [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance) -- [ALERT (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a) +- [CISA ED 22-02: Apache Log4j Recommended Mitigation Measures](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures) +- [CISA ALERT (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a) - [Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability](https://www.cisa.gov/emergency-directive-22-02) - [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability). 
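Review bot: After this hunk the resource list names the same directive two ways, "CISA ED 22-02: ..." on the added line and "Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability" two lines below, and only some entries carry the "CISA" prefix. Pick one convention, prefix every entry or none, and spell the directive the same way in both places so readers can tell the directive itself from its companion mitigation page. The unchanged last bullet also ends with a stray period after the link.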
@@ -35,17 +36,16 @@ National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd. ## Mitigation Guidance ## -CISA urges organizations operating products marked as "Fixed" to immediately -implement listed patches/mitigations [here](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance). +When updates are available, agencies must update software using Log4j to the newest version, which is the most effective and manageable long-term option. Where updating is not possible, the following mitigating measures can be considered as a temporary solution and apply to the entire solution stack. -CISA urges organizations operating products marked as "Not Fixed" to immediately -implement alternate controls, including: +- Disable Log4j library. Disabling software using the Log4j library is an effective measure, favoring controlled downtime over adversary-caused issues. This option could cause operational impacts and limit visibility into other issues. +- Disable JNDI lookups or disable remote codebases. This option, while effective, may involve developer work and could impact functionality. +- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically lower risk from attack. Consider temporarily disconnecting the stack from agency networks. +- Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from the rest of the enterprise network. +- Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack. Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller set of alerts. +- Apply micropatch. There are several micropatches available. They are not a part of the official update but may limit agency risk. -- Install a WAF with rules that automatically update. 
-- Set `log4j2.formatMsgNoLookups` to true by adding `-Dlog4j2.formatMsgNoLookups=True` - to the Java Virtual Machine command for starting your application. -- Ensure that any alerts from a vulnerable device are immediately actioned. -- Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report). +For more information regarding CISA recommended mitigation measures please visit [here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures). ## Software List ## From b38a94f1acb239af3c393c7aeb91021f99f9e25f Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Thu, 23 Dec 2021 16:10:42 -0500 Subject: [PATCH 06/47] Add CISA rec mitigation guidance --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e98353c..740ba3c 100644 --- a/README.md +++ b/README.md 
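Review bot: The removed block took out two things that the added bullets do not replace: the concrete `-Dlog4j2.formatMsgNoLookups=True` instruction and the "Report incidents promptly to CISA and/or the FBI" link. The new "Disable JNDI lookups or disable remote codebases" bullet names no setting and links nowhere, and the commit subject says only "Add", so the loss of the reporting bullet looks unintended. Suggest keeping the reporting line, and either pointing each bullet at the matching part of the ED 22-02 mitigation page or stating in the commit message why the JVM flag guidance was withdrawn. The added text also switches the audience from "organizations" to "agencies" without saying whether non-agency readers are still addressed.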
@@ -40,7 +40,7 @@ When updates are available, agencies must update software using Log4j to the new - Disable Log4j library. Disabling software using the Log4j library is an effective measure, favoring controlled downtime over adversary-caused issues. This option could cause operational impacts and limit visibility into other issues. - Disable JNDI lookups or disable remote codebases. This option, while effective, may involve developer work and could impact functionality. -- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically lower risk from attack. Consider temporarily disconnecting the stack from agency networks. +- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically lower risk from attack. Consider temporarily disconnecting the stack from agency networks. - Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from the rest of the enterprise network. - Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack. Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller set of alerts. - Apply micropatch. There are several micropatches available. They are not a part of the official update but may limit agency risk. From a5265aee3c2bccedf1a9bb1a2359ca83a020d4f2 Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Thu, 23 Dec 2021 16:13:02 -0500 Subject: [PATCH 07/47] Add CISA rec mitigation guidance --- README.md | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 740ba3c..c9ea2ef 100644 --- a/README.md +++ b/README.md 
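Review bot: The removed and added "Disconnect affected stacks" lines read identically, so this is a whitespace-only change, yet the subject is "Add CISA rec mitigation guidance". Say in the commit message what was actually changed, or fold this into the commit that introduced the line so the history for this section stays readable.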
@@ -36,16 +36,29 @@ National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd. ## Mitigation Guidance ## -When updates are available, agencies must update software using Log4j to the newest version, which is the most effective and manageable long-term option. Where updating is not possible, the following mitigating measures can be considered as a temporary solution and apply to the entire solution stack. +When updates are available, agencies must update software using Log4j to the newest version, +which is the most effective and manageable long-term option. Where updating is not possible, +the following mitigating measures can be considered as a temporary solution and apply to the +entire solution stack. -- Disable Log4j library. Disabling software using the Log4j library is an effective measure, favoring controlled downtime over adversary-caused issues. This option could cause operational impacts and limit visibility into other issues. -- Disable JNDI lookups or disable remote codebases. This option, while effective, may involve developer work and could impact functionality. -- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically lower risk from attack. Consider temporarily disconnecting the stack from agency networks. -- Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from the rest of the enterprise network. -- Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack. Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller set of alerts. -- Apply micropatch. There are several micropatches available. They are not a part of the official update but may limit agency risk. +- Disable Log4j library. 
Disabling software using the Log4j library is an effective measure, +favoring controlled downtime over adversary-caused issues. This option could cause operational +impacts and limit visibility into other issues. +- Disable JNDI lookups or disable remote codebases. This option, while effective, may involve +developer work and could impact functionality. +- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically +lower risk from attack. Consider temporarily disconnecting the stack from agency networks. +- Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from the +rest of the enterprise network. +- Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack. +Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to +bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller +set of alerts. +- Apply micropatch. There are several micropatches available. They are not a part of the official +- update but may limit agency risk. -For more information regarding CISA recommended mitigation measures please visit [here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures). +For more information regarding CISA recommended mitigation measures please visit +[here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures). ## Software List ## From ec099a7ddc77dd8288569927ced955b2726e5d0f Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Thu, 23 Dec 2021 16:20:28 -0500 Subject: [PATCH 08/47] Add CISA rec mitigations --- README.md | 46 ++++++++++++++++++++++++++++++---------------- 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index c9ea2ef..0c6f28d 100644 --- a/README.md +++ b/README.md 
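Review bot: The re-wrap of the last bullet puts a list marker on its continuation line: the added line ending "They are not a part of the official" is followed by `+- update but may limit agency risk.`, which renders "update but may limit agency risk." as a separate list item. Drop the leading `- ` from that second line. Indenting the continuation lines of every wrapped bullet by two spaces would also make this kind of slip easier to see in review.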
@@ -36,26 +36,40 @@ National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd. ## Mitigation Guidance ## -When updates are available, agencies must update software using Log4j to the newest version, -which is the most effective and manageable long-term option. Where updating is not possible, -the following mitigating measures can be considered as a temporary solution and apply to the -entire solution stack. +When updates are available, agencies must update software +using Log4j to the newest version, which is the most +effective and manageable long-term option. Where +updating is not possible, the following mitigating +measures can be considered as a temporary solution +and apply to the entire solution stack. -- Disable Log4j library. Disabling software using the Log4j library is an effective measure, -favoring controlled downtime over adversary-caused issues. This option could cause operational -impacts and limit visibility into other issues. -- Disable JNDI lookups or disable remote codebases. This option, while effective, may involve +- **Disable Log4j library.** Disabling software using the +Log4j library is an effective measure, favoring +controlled downtime over adversary-caused issues. +This option could cause operational impacts and limit +visibility into other issues. +- **Disable JNDI lookups or disable remote codebases.** +This option, while effective, may involve developer work and could impact functionality. -- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically -lower risk from attack. Consider temporarily disconnecting the stack from agency networks. -- Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from the +- **Disconnect affected stacks.** Solution stacks not +connected to agency networks pose a dramatically +lower risk from attack. Consider temporarily +disconnecting the stack from agency networks. 
+- **Isolate the system.** Create a “vulnerable network” +VLAN and segment the solution stack from the rest of the enterprise network. -- Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack. -Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to -bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller +- **Deploy a properly configured Web Application +Firewall (WAF) in front of the solution stack.** +Deploying a WAF is an important, but incomplete, +solution. While threat actors will be able to +bypass this mitigation, the reduction in alerting +will allow an agency SOC to focus on a smaller set of alerts. -- Apply micropatch. There are several micropatches available. They are not a part of the official -- update but may limit agency risk. +- **Apply micropatch.** There are several micropatches +available. They are not a part of the official +update but may limit agency risk. +- Report incidents promptly to CISA and/or the FBI +[here](https://www.cisa.gov/uscert/report). For more information regarding CISA recommended mitigation measures please visit [here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures). From d77bd5e7027c11dfd83427b5edffd8156105bb2d Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Thu, 23 Dec 2021 16:22:22 -0500 Subject: [PATCH 09/47] Add CISA rec mitigation guidance --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0c6f28d..24052a0 100644 --- a/README.md +++ b/README.md 
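Review bot: The re-added "Report incidents promptly to CISA and/or the FBI" line is appended as the last bullet of a list that the paragraph above introduces as "mitigating measures" to use "as a temporary solution" where updating is not possible. Reporting is neither temporary nor an alternative to updating, and it is the only item without a bold lead, so move it out of the list into its own sentence below it. The subject "Add CISA rec mitigations" also hides that this commit re-wraps and bolds the whole section, which makes the one functional change hard to spot.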
@@ -71,7 +71,7 @@ update but may limit agency risk. - Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report). -For more information regarding CISA recommended mitigation measures please visit +For more information regarding CISA recommended mitigation measures please visit [here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures). ## Software List ## From 75bda6ae8075085bb484b9c600ce4e046129e49f Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Thu, 23 Dec 2021 16:24:27 -0500 Subject: [PATCH 10/47] Add CISA rec mitigation guidance --- README.md | 50 +++++++++++++++++++++++++------------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 24052a0..7e1dbfc 100644 --- a/README.md +++ b/README.md 
@@ -36,39 +36,39 @@ National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd. ## Mitigation Guidance ## -When updates are available, agencies must update software -using Log4j to the newest version, which is the most -effective and manageable long-term option. Where -updating is not possible, the following mitigating -measures can be considered as a temporary solution +When updates are available, agencies must update software +using Log4j to the newest version, which is the most +effective and manageable long-term option. Where +updating is not possible, the following mitigating +measures can be considered as a temporary solution and apply to the entire solution stack. -- **Disable Log4j library.** Disabling software using the -Log4j library is an effective measure, favoring -controlled downtime over adversary-caused issues. -This option could cause operational impacts and limit +- **Disable Log4j library.** Disabling software using the +Log4j library is an effective measure, favoring +controlled downtime over adversary-caused issues. +This option could cause operational impacts and limit visibility into other issues. -- **Disable JNDI lookups or disable remote codebases.** -This option, while effective, may involve +- **Disable JNDI lookups or disable remote codebases.** +This option, while effective, may involve developer work and could impact functionality. -- **Disconnect affected stacks.** Solution stacks not -connected to agency networks pose a dramatically -lower risk from attack. Consider temporarily +- **Disconnect affected stacks.** Solution stacks not +connected to agency networks pose a dramatically +lower risk from attack. Consider temporarily disconnecting the stack from agency networks. -- **Isolate the system.** Create a “vulnerable network” -VLAN and segment the solution stack from the +- **Isolate the system.** Create a “vulnerable network” +VLAN and segment the solution stack from the rest of the enterprise network. 
-- **Deploy a properly configured Web Application -Firewall (WAF) in front of the solution stack.** -Deploying a WAF is an important, but incomplete, -solution. While threat actors will be able to -bypass this mitigation, the reduction in alerting -will allow an agency SOC to focus on a smaller +- **Deploy a properly configured Web Application +Firewall (WAF) in front of the solution stack.** +Deploying a WAF is an important, but incomplete, +solution. While threat actors will be able to +bypass this mitigation, the reduction in alerting +will allow an agency SOC to focus on a smaller set of alerts. -- **Apply micropatch.** There are several micropatches -available. They are not a part of the official +- **Apply micropatch.** There are several micropatches +available. They are not a part of the official update but may limit agency risk. -- Report incidents promptly to CISA and/or the FBI +- Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report). For more information regarding CISA recommended mitigation measures please visit From 5d2ca675c8e09a76182df1167ed232aed4d35265 Mon Sep 17 00:00:00 2001 From: TVA Cyber Risk Date: Thu, 23 Dec 2021 19:27:52 -0500 Subject: [PATCH 11/47] Add OpenText --- SOFTWARE-LIST.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 63bd4ea..9256c8e 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2053,6 +2053,7 @@ download | | 12/20/2021 | | OpenMRS TALK | | | | | [OpenMRS TALK Link](https://talk.openmrs.org/t/urgent-security-advisory-2021-12-11-re-apache-log4j-2/35341) | | | | | OpenNMS | | | | | [OpenNMS Link](https://www.opennms.com/en/blog/2021-12-10-opennms-products-affected-by-apache-log4j-vulnerability-cve-2021-44228/) | | | | | OpenSearch | | | | | [OpenSearch Discussion Link](https://discuss.opendistrocommunity.dev/t/log4j-patch-for-cve-2021-44228/7950) | | | | +| OpenText | | | | | [OpenText Log4J Remote Code Execution](https://www.opentext.com/support/log4j-remote-code-execution-advisory) | | | 12/23/2021 | | Oracle | | | Affected | | [Oracle Security Alert](https://www.oracle.com/security-alerts/alert-cve-2021-44228.html) [My Oracle Support Document](https://support.oracle.com/rs?type=doc&id=2827611.1) | The support document is available to customers only and has not been reviewed by CISA | | 12/17/2021 | | Orgavision | | | | | [Orgavision Link](https://www.orgavision.com/neuigkeiten/sicherheitsluecke-java-library-log4j) | | | | | Osirium | PAM | | Not Affected | | [Osirium statement](https://www.osirium.com/blog/apache-log4j-vulnerability) | | | | From c199bad76848bcfba52acf21bfe39c007d257b1e Mon Sep 17 00:00:00 2001 From: TVA Cyber Risk Date: Thu, 23 Dec 2021 19:57:03 -0500 Subject: [PATCH 12/47] Adding Campbell Scientific --- SOFTWARE-LIST.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 9256c8e..6a36927 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
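Review bot: The added OpenText row carries a Last Updated date of 12/23/2021 but leaves Product, Version(s) and Status empty, so the dated entry tells a reader nothing beyond the link. If the advisory does not yet support a status, set Status to "Unknown" (the legend's default choice) rather than leaving it blank, so that reviewed-but-undetermined entries can be told apart from unreviewed ones.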
@@ -326,6 +326,7 @@ This list was initially populated using information from the following sources: | Broadcom | Web Security Service (WSS) | | Under Investigation | | [Broadcom Support Portal](https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793) | | | | | Broadcom | WebPulse | | Under Investigation | | [Broadcom Support Portal](https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793) | | | | | C4b XPHONE | | | | | [C4b XPHONE Link](https://www.c4b.com/de/news/log4j.php) | | | | +| Campbell Scientific | All | | Not Affected | | [Campbell Scientific Statement](https://s.campbellsci.com/documents/us/miscellaneous/log4j2-vulnerability.pdf) | | | 12/23/2021 | | Camunda | | | | | [Camunda Forum Link](https://forum.camunda.org/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228/31910) | | | | | Canary Labs | All | | Not Affected | | [Canary Labs Advisory Link](https://helpcenter.canarylabs.com/t/83hjjk0/log4j-vulnerability) | | | 12/22/2021 | | Canon | CT Medical Imaging Products | | Not Affected | | [Canon Advisory Link](https://global.medical.canon/service-support/securityinformation/apache_log4j_vulnerability) | | | 12/22/2021 | From 133f007d1c3833a33498d0ceb0a66aea52d02650 Mon Sep 17 00:00:00 2001 From: AlastairPooley <60789166+AlastairPooley@users.noreply.github.com> Date: Sun, 26 Dec 2021 20:04:17 +0000 Subject: [PATCH 13/47] Update SOFTWARE-LIST.md Snow Software added --- SOFTWARE-LIST.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 63bd4ea..8dd5b3b 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2401,6 +2401,8 @@ download | | 12/20/2021 | | SmileCDR | | | | | [SmileCDR Blog Post](https://www.smilecdr.com/our-blog/a-statement-on-log4shell-cve-2021-44228) | | | | | Snakemake | Snakemake | 6.12.1 | Not Affected | | [https://snakemake.readthedocs.io/en/stable/](https://snakemake.readthedocs.io/en/stable/) | | | 12/21/2021 | | Sn0m | | | | | [Sn0m Link](https://www.snom.com/en/press/log4j-poses-no-threat-snom-phones/) | | | | +| Snow Software | Snow Commander | 8.1 to 8.10.2 | Fixed | Yes |[Snow Software Commmunity Link](https://community.snowsoftware.com/s/feed/0D5690000B4U6hUCQS) | | | | +| Snow Software | VM Access Proxy | v3.1 to v3.6 " Fixed | Yes | [Snow Software Commmunity Link](https://community.snowsoftware.com/s/feed/0D5690000B4U6hUCQS) | | | | | Snowflake | | | Not Affected | | [Snowflake Community Link](https://community.snowflake.com/s/article/No-Snowflake-exposure-to-Apache-Log4j-vulnerability-CVE-2021-44228) | | | | | Snyk | Cloud Platform | |Not Affected | | [Snyk Updates](https://updates.snyk.io/snyk%27s-cloud-platform-all-clear-from-log4j-exploits-216499) | | | | | Software AG | | | | | [Software AG](https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849) | | | | From 6a09fd70f7b29288e0b7c29bc99b7c620a08c48a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 26 Dec 2021 20:18:23 -0500 Subject: [PATCH 14/47] Use an issue form for product submissions Switch to using a GitHub Issues form for product submission issues. This will provide a smoother interface for users to submit products to the database and ensure that certain values are included with a submission. --- .../product-submission-template.md | 27 ------- .../product-submission-template.yml | 73 +++++++++++++++++++ 2 files changed, 73 insertions(+), 27 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/product-submission-template.md create mode 100644 .github/ISSUE_TEMPLATE/product-submission-template.yml 
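Review bot: The VM Access Proxy row has a `"` where the column separator should be (`| v3.1 to v3.6 " Fixed | Yes |`), so Version(s) and Status collapse into one cell and every later cell shifts one column left. Replace the quote with `|`. Both rows also spell the link text "Commmunity" with three m's, the first row lacks a space after the pipe before the link, the version ranges use two notations ("8.1 to 8.10.2" and "v3.1 to v3.6"), and Last Updated is empty on both.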
diff --git a/.github/ISSUE_TEMPLATE/product-submission-template.md b/.github/ISSUE_TEMPLATE/product-submission-template.md deleted file mode 100644 index a92609b..0000000 --- a/.github/ISSUE_TEMPLATE/product-submission-template.md +++ /dev/null @@ -1,27 +0,0 @@ ---- -name: Product Submission Template -about: Template for product submissions of all publicly available information - and vendor-supplied advisories regarding the log4j vulnerability. ---- -# Submission Template # - -Please provide the following information. - -- Vendor Name -- Product Name -- Version(s) affected -- Status: Please choose from one of the following - Unknown, Affected, - Not Affected, Fixed, and Under Investigation. -- Update Available: Yes or No (If Yes, please provide link to information) -- Notes -- References -- Last Updated: Date of last update - -For questions about choice for status, please see the information below. - -- Unknown - Status unknown. Default choice. -- Affected - Reported to be affected by CVE-2021-44228. -- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no further - action necessary. -- Fixed - Patch and/or mitigations available (see provided links). -- Under Investigation - Vendor investigating status. diff --git a/.github/ISSUE_TEMPLATE/product-submission-template.yml b/.github/ISSUE_TEMPLATE/product-submission-template.yml new file mode 100644 index 0000000..c5a66b1 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/product-submission-template.yml 
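Review bot: The deleted Markdown template asked for "Last Updated: Date of last update", and the form that replaces it in this commit has no input for it, so submissions made through the form lose a column that SOFTWARE-LIST.md carries. Add the matching input to the new form in this same commit rather than in a follow-up, so that no version of the form is missing the field.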
@@ -0,0 +1,73 @@ +--- +name: Submit a Product +description: Submit a product to the database +title: "[Product Submission]: - " +body: + - type: markdown + attributes: + value: | + For questions about choice for status, please see the information below. + + - Unknown - Status unknown. Default choice. + - Affected - Reported to be affected by CVE-2021-44228. + - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no + further action necessary. + - Fixed - Patch and/or mitigations available (see provided links). + - Under Investigation - Vendor investigating status. + - type: input + id: product-vendor + attributes: + label: Product vendor + description: Who is the vendor for the product? + validations: + required: true + - type: input + id: product-name + attributes: + label: Product name + description: What is the product? + validations: + required: true + - type: input + id: product-versions + attributes: + label: Product version(s) + description: What version(s) of the product are affected? + validations: + required: true + - type: dropdown + id: product-status + attributes: + label: Product status + description: What is the current status of the affected product? + options: + - Unknown + - Affected + - Not Affected + - Fixed + - Under Investigation + validations: + required: true + - type: dropdown + id: product-updated + attributes: + label: Product update available + description: Is there an update available for the product? + options: + - "Yes" + - "No" + validations: + required: true + - type: input + id: product-update-link + attributes: + label: Product update link + description: If an update is available where can it be found? + - type: textarea + id: product-notes + attributes: + label: Notes + - type: textarea + id: product-references + attributes: + label: References From 847a4f248eb017acc4c7a826153ce1e5830a32d0 Mon Sep 17 00:00:00 2001 
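Review bot: In product-submission-template.yml, `product-versions` is `required: true` with the description "What version(s) of the product are affected?", which forces a submitter reporting a "Not Affected" or "Unknown" product to invent a value; either drop the requirement or reword the field so that "All" or "N/A" is an expected answer. The legend calls "Unknown" the default choice, but the required `product-status` dropdown sets no default. The id `product-updated` for the "Product update available" dropdown is also easy to confuse with a last-updated date; a name such as `product-update-available` would be clearer.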
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 26 Dec 2021 20:23:20 -0500 Subject: [PATCH 15/47] Add an issue form for product updates Provide an issue form for product updates to complement the one for product submissions. This will encourage people to follow the specific workflows for submissions and updates. --- .../product-update-template.yml | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/product-update-template.yml diff --git a/.github/ISSUE_TEMPLATE/product-update-template.yml b/.github/ISSUE_TEMPLATE/product-update-template.yml new file mode 100644 index 0000000..109c12c --- /dev/null +++ b/.github/ISSUE_TEMPLATE/product-update-template.yml 
@@ -0,0 +1,58 @@ +--- +name: Update a Product +description: Update information about a product in the database +title: "[Product Update]: - " +body: + - type: markdown + attributes: + value: | + For questions about choice for status, please see the information below. + + - Unknown - Status unknown. Default choice. + - Affected - Reported to be affected by CVE-2021-44228. + - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no + further action necessary. + - Fixed - Patch and/or mitigations available (see provided links). + - Under Investigation - Vendor investigating status. + - type: textarea + id: update-context + attributes: + label: Context + description: Please provide context around the update + - type: input + id: product-versions + attributes: + label: Product version(s) + description: What version(s) of the product are affected? + - type: dropdown + id: product-status + attributes: + label: Product status + description: What is the current status of the affected product? + options: + - Unknown + - Affected + - Not Affected + - Fixed + - Under Investigation + - type: dropdown + id: product-updated + attributes: + label: Product update available + description: Is there an update available for the product? + options: + - "Yes" + - "No" + - type: input + id: product-update-link + attributes: + label: Product update link + description: If an update is available where can it be found? + - type: textarea + id: product-notes + attributes: + label: Notes + - type: textarea + id: product-references + attributes: + label: References From 20f82c96c0b77a7cc9357ed856c1b2e447a93a0c Mon Sep 17 00:00:00 2001 
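Review bot: The update form in product-update-template.yml has no input that identifies the product: it defines no `product-vendor` or `product-name` field, and none of its fields is required, so an issue can be filed with only the placeholder title "[Product Update]: - " and an empty body. Add required vendor and product inputs so that an update can be matched to a row in SOFTWARE-LIST.md, and consider requiring `update-context` as well.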
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 26 Dec 2021 20:27:25 -0500 Subject: [PATCH 16/47] Rename template files to reflect that they are now forms --- ...roduct-submission-template.yml => product-submission-form.yml} | 0 .../{product-update-template.yml => product-update-form.yml} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename .github/ISSUE_TEMPLATE/{product-submission-template.yml => product-submission-form.yml} (100%) rename .github/ISSUE_TEMPLATE/{product-update-template.yml => product-update-form.yml} (100%) diff --git a/.github/ISSUE_TEMPLATE/product-submission-template.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml similarity index 100% rename from .github/ISSUE_TEMPLATE/product-submission-template.yml rename to .github/ISSUE_TEMPLATE/product-submission-form.yml diff --git a/.github/ISSUE_TEMPLATE/product-update-template.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml similarity index 100% rename from .github/ISSUE_TEMPLATE/product-update-template.yml rename to .github/ISSUE_TEMPLATE/product-update-form.yml From aa710d2818599379bc9db6e95d7e74ab6e2e8736 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 26 Dec 2021 20:32:00 -0500 Subject: [PATCH 17/47] Add missing input to issue forms Added an input to provide information about the date of a product's last update. --- .github/ISSUE_TEMPLATE/product-submission-form.yml | 5 +++++ .github/ISSUE_TEMPLATE/product-update-form.yml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index c5a66b1..6e71253 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml 
@@ -63,6 +63,11 @@ body: attributes: label: Product update link description: If an update is available where can it be found? + - type: input + id: product-last-updated + attributes: + label: Last updated + description: When was the product last updated? - type: textarea id: product-notes attributes: diff --git a/.github/ISSUE_TEMPLATE/product-update-form.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml index 109c12c..2789269 100644 --- a/.github/ISSUE_TEMPLATE/product-update-form.yml +++ b/.github/ISSUE_TEMPLATE/product-update-form.yml @@ -48,6 +48,11 @@ body: attributes: label: Product update link description: If an update is available where can it be found? + - type: input + id: product-last-updated + attributes: + label: Last updated + description: When was the product last updated? - type: textarea id: product-notes attributes: From 7c76caa965b4c9500974e950d253344198eb90ca Mon Sep 17 00:00:00 2001 From: cmscherbert <96602105+cmscherbert@users.noreply.github.com> Date: Mon, 27 Dec 2021 14:58:43 -0800 Subject: [PATCH 18/47] adding BMC ManageEngine ADSelfService Plus adding a self service password reset tool provided by BMC (formerly ManageEngine) --- SOFTWARE-LIST.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 6a36927..dbcc6f9 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
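Review bot: In both forms the new `product-last-updated` input is free text with no format hint, while the list records dates as MM/DD/YYYY (for example 12/23/2021). Add a `placeholder` showing the expected format. The description "When was the product last updated?" can also be read as the product's release date, so say which date is meant. On the submission form, consider marking it required, as vendor, name, versions and status already are.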
@@ -1885,6 +1885,7 @@ This list was initially populated using information from the following sources: | MailStore | | | | | [MailStore Statement](https://www.mailstore.com/en/blog/mailstore-affected-by-log4shell/) | | | | | Maltego | | | | | [Maltego Response to Logj4](https://www.maltego.com/blog/our-response-to-log4j-cve-2021-44228/) | | | | | ManageEngine | Servicedesk Plus | 11305 and below | Affected | | [Manage Engine Advisory](https://www.manageengine.com/products/service-desk/security-response-plan.html) | | | 12/15/2021 | +| ManageEngine | AD SelfService Plus | Build 6.1 build 6114 | Not Affected | | | | 12/27/21 | | ManageEngine Zoho | | | | | [Manage Engine Link](https://pitstop.manageengine.com/portal/en/community/topic/log4j-ad-manager-plus) | | | | | ManageEngine Zoho | ADManager Plus | On-Prem | | | [ManageEngine Vulnerability Impact](https://pitstop.manageengine.com/portal/en/community/topic/update-on-the-recent-apache-log4j2-vulnerability-impact-on-manageengine-on-premises-products-1) | | |12/16/2021| | ManageEngine Zoho | ADAudit Plus | On-Prem | | | [ManageEngine Vulnerability Impact](https://pitstop.manageengine.com/portal/en/community/topic/update-on-the-recent-apache-log4j2-vulnerability-impact-on-manageengine-on-premises-products-1) | | |12/16/2021| From 1970bf28e900ff3502fb8c83c4be21e59140764e Mon Sep 17 00:00:00 2001 From: stevea1 <26827894+stevea1@users.noreply.github.com> Date: Mon, 27 Dec 2021 19:41:16 -0500 Subject: [PATCH 19/47] Update SOFTWARE-LIST.md Add Zix --- SOFTWARE-LIST.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 6a36927..1932f9d 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
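Review bot: The added AD SelfService Plus row has the date one column too early: the table has nine columns, so `12/27/21` lands in Other References and Last Updated stays empty. The date also uses a two-digit year where the rest of the list uses MM/DD/YYYY, and the row claims "Not Affected" with no Vendor Link or reference to support it. Add the vendor source, move the date to the last cell as 12/27/2021, and tidy the version string "Build 6.1 build 6114".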
@@ -2789,6 +2789,7 @@ download | | 12/20/2021 | | Zerto | | | | | [Zerto KB](https://help.zerto.com/kb/000004822) | | | | | Zesty | | | | | [Zesty Log4j Exploit](https://www.zesty.io/mindshare/company-announcements/log4j-exploit/) | | | | | Zimbra | | | | | [BugZilla Zimbra](https://bugzilla.zimbra.com/show_bug.cgi?id=109428) | | | | +! Zix | | | | | [Zix|Appriver Statement](https://status.appriver.com/) | | | 12/16/2021 | | Zoom | | | | | [Zoom Security Exposure](https://explore.zoom.us/en/trust/security/security-bulletin/security-bulletin-log4j/?=nocache) | | | | | ZPE systems Inc | | | | | [ZpeSystems CVE-2021-44228](https://support.zpesystems.com/portal/en/kb/articles/is-nodegrid-os-and-zpe-cloud-affected-by-cve-2021-44228-apache-log4j) | | | | | Zscaler | See Link (Multiple Products) | | Not Affected | No | [CVE-2021-44228 log4j Vulnerability](https://trust.zscaler.com/posts/9581) | | | 12/15/2021 | From 1186b9c8a6879c95189bac0a8e602e24b134075c Mon Sep 17 00:00:00 2001 From: stevea1 <26827894+stevea1@users.noreply.github.com> Date: Mon, 27 Dec 2021 19:45:01 -0500 Subject: [PATCH 20/47] Update SOFTWARE-LIST.md --- SOFTWARE-LIST.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 1932f9d..cc5a94d 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2789,7 +2789,7 @@ download | | 12/20/2021 | | Zerto | | | | | [Zerto KB](https://help.zerto.com/kb/000004822) | | | | | Zesty | | | | | [Zesty Log4j Exploit](https://www.zesty.io/mindshare/company-announcements/log4j-exploit/) | | | | | Zimbra | | | | | [BugZilla Zimbra](https://bugzilla.zimbra.com/show_bug.cgi?id=109428) | | | | -! Zix | | | | | [Zix|Appriver Statement](https://status.appriver.com/) | | | 12/16/2021 | +! Zix | | | | | [Zix Appriver Statement](https://status.appriver.com/) | | | 12/16/2021 | | Zoom | | | | | [Zoom Security Exposure](https://explore.zoom.us/en/trust/security/security-bulletin/security-bulletin-log4j/?=nocache) | | | | | ZPE systems Inc | | | | | [ZpeSystems CVE-2021-44228](https://support.zpesystems.com/portal/en/kb/articles/is-nodegrid-os-and-zpe-cloud-affected-by-cve-2021-44228-apache-log4j) | | | | | Zscaler | See Link (Multiple Products) | | Not Affected | No | [CVE-2021-44228 log4j Vulnerability](https://trust.zscaler.com/posts/9581) | | | 12/15/2021 | From ebab18ea597b62bec32c6addc431a58fa1611db1 Mon Sep 17 00:00:00 2001 From: stevea1 <26827894+stevea1@users.noreply.github.com> Date: Mon, 27 Dec 2021 19:48:20 -0500 Subject: [PATCH 21/47] Update SOFTWARE-LIST.md --- SOFTWARE-LIST.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index cc5a94d..fbbfa7d 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2789,7 +2789,7 @@ download | | 12/20/2021 | | Zerto | | | | | [Zerto KB](https://help.zerto.com/kb/000004822) | | | | | Zesty | | | | | [Zesty Log4j Exploit](https://www.zesty.io/mindshare/company-announcements/log4j-exploit/) | | | | | Zimbra | | | | | [BugZilla Zimbra](https://bugzilla.zimbra.com/show_bug.cgi?id=109428) | | | | -! Zix | | | | | [Zix Appriver Statement](https://status.appriver.com/) | | | 12/16/2021 | +| Zix | | | | | [Zix Appriver Statement](https://status.appriver.com/) | | | 12/16/2021 | | Zoom | | | | | [Zoom Security Exposure](https://explore.zoom.us/en/trust/security/security-bulletin/security-bulletin-log4j/?=nocache) | | | | | ZPE systems Inc | | | | | [ZpeSystems CVE-2021-44228](https://support.zpesystems.com/portal/en/kb/articles/is-nodegrid-os-and-zpe-cloud-affected-by-cve-2021-44228-apache-log4j) | | | | | Zscaler | See Link (Multiple Products) | | Not Affected | No | [CVE-2021-44228 log4j Vulnerability](https://trust.zscaler.com/posts/9581) | | | 12/15/2021 | From 41e536e228aeb482bccab31f5bc6e448c6b6264b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 10:08:20 -0500 Subject: [PATCH 22/47] Adjust markdown element in product submission form Move the markdown element that explains available statuses down so it appears close to where a user is selecting the status. Given how form elements are rendered it has been adjusted to appear after the dropdown itself. Co-authored-by: dav3r --- .../product-submission-form.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index 6e71253..aa83f80 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml 
@@ -3,17 +3,6 @@ name: Submit a Product description: Submit a product to the database title: "[Product Submission]: - " body: - - type: markdown - attributes: - value: | - For questions about choice for status, please see the information below. - - - Unknown - Status unknown. Default choice. - - Affected - Reported to be affected by CVE-2021-44228. - - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no - further action necessary. - - Fixed - Patch and/or mitigations available (see provided links). - - Under Investigation - Vendor investigating status. - type: input id: product-vendor attributes: @@ -48,6 +37,17 @@ body: - Under Investigation validations: required: true + - type: markdown + attributes: + value: | + Please use the information below when selecting a status. + + - Unknown - Status unknown. Default choice. + - Affected - Reported to be affected by CVE-2021-44228. + - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no + further action necessary. + - Fixed - Patch and/or mitigations available (see provided links). + - Under Investigation - Vendor investigating status. - type: dropdown id: product-updated attributes: From b5ab6c3fb9f0ae8abc17048433deee67ac035c3f Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 10:18:59 -0500 Subject: [PATCH 23/47] Adjust a description in the product submission form Adjust the product name description to be more similar to other descriptions. --- .github/ISSUE_TEMPLATE/product-submission-form.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index aa83f80..af54400 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml 
@@ -14,7 +14,7 @@ body: id: product-name attributes: label: Product name - description: What is the product? + description: What is the name of the product? validations: required: true - type: input From 0804f1e8e92af46a11ad97e81daa1cb7f78f729d Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 10:20:14 -0500 Subject: [PATCH 24/47] Update dropdown in the product submission form Update the product update dropdown's label and options. Mainly focused on removing usage of Yes/No because these are boolean values in YAML and thus needed special handling compared to other strings. Co-authored-by: dav3r Co-authored-by: Shane Frasier --- .github/ISSUE_TEMPLATE/product-submission-form.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index af54400..0504f98 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml @@ -51,11 +51,11 @@ body: - type: dropdown id: product-updated attributes: - label: Product update available + label: Product update description: Is there an update available for the product? options: - - "Yes" - - "No" + - Available + - Not Available validations: required: true - type: input From 230b4c999e47f0967ab130bdbf6a8a6eb3fdec1b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 10:27:14 -0500 Subject: [PATCH 25/47] Add placeholders in the product submission form Add placeholders for some of the required inputs in the form. This will be most helpful for the product version, but for completeness they have also been added for the product vendor and name. Co-authored-by: dav3r --- .github/ISSUE_TEMPLATE/product-submission-form.yml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index 0504f98..345c5d7 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml @@ -8,6 +8,7 @@ body: attributes: label: Product vendor description: Who is the vendor for the product? + placeholder: Cisco, Dell, IBM, etc. validations: required: true - type: input @@ -15,6 +16,7 @@ body: attributes: label: Product name description: What is the name of the product? + placeholder: AppDynamics, BigFix Inventory, Centera, etc. validations: required: true - type: input @@ -22,6 +24,7 @@ body: attributes: label: Product version(s) description: What version(s) of the product are affected? + placeholder: v2; 1.5; >3; >=4; >5, <6; etc. validations: required: true - type: dropdown From abc70b1787fa5e26e26f2c907c6d6db900e5caf0 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 10:54:24 -0500 Subject: [PATCH 26/47] Adjust markdown element in product update form Move the markdown element that explains available statuses down so it appears close to where a user is selecting the status. Given how form elements are rendered it has been adjusted to appear after the dropdown itself. This mirrors changes made in the product submission form. --- .../ISSUE_TEMPLATE/product-update-form.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/product-update-form.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml index 2789269..3ce52de 100644 --- a/.github/ISSUE_TEMPLATE/product-update-form.yml +++ b/.github/ISSUE_TEMPLATE/product-update-form.yml 
@@ -3,17 +3,6 @@ name: Update a Product description: Update information about a product in the database title: "[Product Update]: - " body: - - type: markdown - attributes: - value: | - For questions about choice for status, please see the information below. - - - Unknown - Status unknown. Default choice. - - Affected - Reported to be affected by CVE-2021-44228. - - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no - further action necessary. - - Fixed - Patch and/or mitigations available (see provided links). - - Under Investigation - Vendor investigating status. - type: textarea id: update-context attributes: @@ -35,6 +24,17 @@ body: - Not Affected - Fixed - Under Investigation + - type: markdown + attributes: + value: | + Please use the information below when selecting a status. + + - Unknown - Status unknown. Default choice. + - Affected - Reported to be affected by CVE-2021-44228. + - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no + further action necessary. + - Fixed - Patch and/or mitigations available (see provided links). + - Under Investigation - Vendor investigating status. - type: dropdown id: product-updated attributes: From df6ac390835efadda738624f4eb133f44b7fda74 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 12:21:46 -0500 Subject: [PATCH 27/47] Add inputs to product update form Add product vendor and product name inputs to the update form. This will ensure that even if a submitter does not update the title we capture this information. --- .github/ISSUE_TEMPLATE/product-update-form.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.github/ISSUE_TEMPLATE/product-update-form.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml index 3ce52de..2167d7e 100644 --- a/.github/ISSUE_TEMPLATE/product-update-form.yml +++ b/.github/ISSUE_TEMPLATE/product-update-form.yml 
@@ -3,6 +3,22 @@ name: Update a Product description: Update information about a product in the database title: "[Product Update]: - " body: + - type: input + id: product-vendor + attributes: + label: Product vendor + description: Who is the vendor for the product? + placeholder: Cisco, Dell, IBM, etc. + validations: + required: true + - type: input + id: product-name + attributes: + label: Product name + description: What is the name of the product? + placeholder: AppDynamics, BigFix Inventory, Centera, etc. + validations: + required: true - type: textarea id: update-context attributes: From a91ebf78a6ef8e7d564c4d54d99a930977e0d841 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 12:39:38 -0500 Subject: [PATCH 28/47] Add missing punctuation in description in product update form --- .github/ISSUE_TEMPLATE/product-update-form.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/product-update-form.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml index 2167d7e..58f6ec9 100644 --- a/.github/ISSUE_TEMPLATE/product-update-form.yml +++ b/.github/ISSUE_TEMPLATE/product-update-form.yml @@ -23,7 +23,7 @@ body: id: update-context attributes: label: Context - description: Please provide context around the update + description: Please provide context around the update. - type: input id: product-versions attributes: From 90a215e6188daba6c5893f2dd17ba7bafd2fa21b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 12:45:46 -0500 Subject: [PATCH 29/47] Add a placeholder to the product issue forms Add a placeholder value for the last updated input in both the product submission and product update issue forms. This will encourage the appropriate timestamp format. --- .github/ISSUE_TEMPLATE/product-submission-form.yml | 1 + .github/ISSUE_TEMPLATE/product-update-form.yml | 1 + 2 files changed, 2 insertions(+) 
diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index 345c5d7..9353ce6 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml @@ -71,6 +71,7 @@ body: attributes: label: Last updated description: When was the product last updated? + placeholder: "2021-12-06" - type: textarea id: product-notes attributes: diff --git a/.github/ISSUE_TEMPLATE/product-update-form.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml index 58f6ec9..0f66eb8 100644 --- a/.github/ISSUE_TEMPLATE/product-update-form.yml +++ b/.github/ISSUE_TEMPLATE/product-update-form.yml @@ -69,6 +69,7 @@ body: attributes: label: Last updated description: When was the product last updated? + placeholder: "2021-12-06" - type: textarea id: product-notes attributes: From 01a719c4c61f46292b818c06307c2d0c32f7bd20 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 13:59:16 -0500 Subject: [PATCH 30/47] Update dropdown in the product update form Update the product update dropdown's label and options. Mainly focused on removing usage of Yes/No because these are boolean values in YAML and thus needed special handling compared to other strings. This mirrors changes done to the product submission form. --- .github/ISSUE_TEMPLATE/product-update-form.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/product-update-form.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml index 0f66eb8..4e914e1 100644 --- a/.github/ISSUE_TEMPLATE/product-update-form.yml +++ b/.github/ISSUE_TEMPLATE/product-update-form.yml 
@@ -54,11 +54,11 @@ body: - type: dropdown id: product-updated attributes: - label: Product update available + label: Product update description: Is there an update available for the product? options: - - "Yes" - - "No" + - Available + - Not Available - type: input id: product-update-link attributes: From c5c6c68dc8f757999a7944492d3118474076d69d Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 14:25:47 -0500 Subject: [PATCH 31/47] Update description for product update link in forms Update the description for the product update link input in both the product submission and product update forms. Co-authored-by: dav3r Co-authored-by: Shane Frasier --- .github/ISSUE_TEMPLATE/product-submission-form.yml | 2 +- .github/ISSUE_TEMPLATE/product-update-form.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index 9353ce6..37258d7 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml @@ -65,7 +65,7 @@ body: id: product-update-link attributes: label: Product update link - description: If an update is available where can it be found? + description: Where can the update be found, if one is available? - type: input id: product-last-updated attributes: diff --git a/.github/ISSUE_TEMPLATE/product-update-form.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml index 4e914e1..d32f6fb 100644 --- a/.github/ISSUE_TEMPLATE/product-update-form.yml +++ b/.github/ISSUE_TEMPLATE/product-update-form.yml @@ -63,7 +63,7 @@ body: id: product-update-link attributes: label: Product update link - description: If an update is available where can it be found? + description: Where can the update be found, if one is available? - type: input id: product-last-updated attributes: 
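Review bot: the `product-last-updated` input shown as trailing context here gets its only format hint from the `"2021-12-06"` placeholder added in PATCH 29/47, while the rows of SOFTWARE-LIST.md in this series record the same field as `12/15/2021` and, in one added row, `12/27/21`. State the wanted format in the input's `description`, or note in the commit message that maintainers convert the value when copying it into the table, so that submissions and the list do not end up with three date styles.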
From a00d3da334ac5ef25676399846010ad77cc747cf Mon Sep 17 00:00:00 2001 From: iainDe <96153057+iainDe@users.noreply.github.com> Date: Tue, 28 Dec 2021 14:40:54 -0500 Subject: [PATCH 32/47] Update SOFTWARE-LIST.md --- SOFTWARE-LIST.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index fbbfa7d..63654c0 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2406,8 +2406,9 @@ download | | 12/20/2021 | | Snowflake | | | Not Affected | | [Snowflake Community Link](https://community.snowflake.com/s/article/No-Snowflake-exposure-to-Apache-Log4j-vulnerability-CVE-2021-44228) | | | | | Snyk | Cloud Platform | |Not Affected | | [Snyk Updates](https://updates.snyk.io/snyk%27s-cloud-platform-all-clear-from-log4j-exploits-216499) | | | | | Software AG | | | | | [Software AG](https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849) | | | | -| SolarWinds | Database Performance Analyzer (DPA) | 2021.1.x, 2021.3.x, 2022.1.x | Affected | No | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Database Performance Analyzer (DPA) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228) | Workarounds available, hotfix under development | | 12/14/2021 | -| SolarWinds | Server & Application Monitor (SAM) | SAM 2020.2.6 and later | Affected | No | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | Workarounds available, hotfix under development | | 12/14/2021 | +| SolarWinds | Database Performance Analyzer (DPA) | 2021.1.x, 2021.3.x, 2022.1.x | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Database Performance Analyzer (DPA) and the Apache Log4j Vulnerability 
(CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228) |https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) | For more information, please see the following KB article: [link](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | +| SolarWinds | Orion Platform | Not Affected | | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) | | | 12/23/2021 | +| SolarWinds | Server & Application Monitor (SAM) | SAM 2020.2.6 and later | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | For more information, please see the following KB article for the latest details specific to the SAM hotfix: [link](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | | SonarSource | | | | | [SonarSource](https://community.sonarsource.com/t/sonarqube-and-the-log4j-vulnerability/54721) | | | | | Sonatype | | | | | [Sonatype Vulnerability Statement](https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild) | | | | | SonicWall | Capture Client & Capture Client Portal | | Not Affected | | [Sonic Wall Security Advisory](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Log4j2 not used in the Capture Client. | | 12/12/2021 | 
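Review bot: the added `Orion Platform` row has one cell fewer than its neighbours, so `Not Affected` sits in the version column and every later cell is shifted left; add the empty version cell after the product name. The rewritten `Database Performance Analyzer (DPA)` row has the opposite problem: the bare `https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228)` cell, with its unmatched `)`, is an extra column that pushes the KB note and the `12/23/2021` date one place to the right. Compare both rows cell by cell with an unchanged neighbour such as the SonicWall row before merging, since a status or date in the wrong column is easy to misread when the list is used to triage affected products.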
From 55fb6ebffdc41de834adbba2fff79c5575f86956 Mon Sep 17 00:00:00 2001 From: iainDe <96153057+iainDe@users.noreply.github.com> Date: Tue, 28 Dec 2021 14:47:12 -0500 Subject: [PATCH 33/47] Update SOFTWARE-LIST.md --- SOFTWARE-LIST.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 63654c0..cfc0a7f 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2406,7 +2406,7 @@ download | | 12/20/2021 | | Snowflake | | | Not Affected | | [Snowflake Community Link](https://community.snowflake.com/s/article/No-Snowflake-exposure-to-Apache-Log4j-vulnerability-CVE-2021-44228) | | | | | Snyk | Cloud Platform | |Not Affected | | [Snyk Updates](https://updates.snyk.io/snyk%27s-cloud-platform-all-clear-from-log4j-exploits-216499) | | | | | Software AG | | | | | [Software AG](https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849) | | | | -| SolarWinds | Database Performance Analyzer (DPA) | 2021.1.x, 2021.3.x, 2022.1.x | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Database Performance Analyzer (DPA) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228) |https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) | For more information, please see the following KB article: [link](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | +| SolarWinds | Database Performance Analyzer (DPA) | 2021.1.x, 2021.3.x, 2022.1.x | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Database Performance Analyzer (DPA) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228) | | For more information, please see the following KB article: [link](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | | SolarWinds 
| Orion Platform | Not Affected | | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) | | | 12/23/2021 | | SolarWinds | Server & Application Monitor (SAM) | SAM 2020.2.6 and later | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | For more information, please see the following KB article for the latest details specific to the SAM hotfix: [link](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | | SonarSource | | | | | [SonarSource](https://community.sonarsource.com/t/sonarqube-and-the-log4j-vulnerability/54721) | | | | From 07c0b19b98eddcf737852a0a4a76674f119bffd8 Mon Sep 17 00:00:00 2001 From: Rodrigo Freire Date: Tue, 28 Dec 2021 16:50:14 -0300 Subject: [PATCH 34/47] Updated the latest Log4J version Bumped log4j latest version thanks to CVE-2021-44832 Reference: https://www.openwall.com/lists/oss-security/2021/12/28/1 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7e1dbfc..705f464 100644 --- a/README.md +++ b/README.md 
@@ -5,7 +5,7 @@ This repository provides and an overview of related software regarding the Log4j vulnerability (CVE-2021-44228). CISA encourages users and administrators to review the [official Apache release](https://logging.apache.org/log4j/2.x/security.html) -and upgrade to Log4j 2.17.0 or apply the recommended mitigations immediately. +and upgrade to Log4j 2.17.1 or apply the recommended mitigations immediately. The information in this repository is provided "as is" for informational purposes only and is being assembled and updated by CISA through From 1aa47560600e37fb35f288c7079d565a30c0e02c Mon Sep 17 00:00:00 2001 From: iainDe <96153057+iainDe@users.noreply.github.com> Date: Tue, 28 Dec 2021 14:52:32 -0500 Subject: [PATCH 35/47] Update SOFTWARE-LIST.md --- SOFTWARE-LIST.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index cce4795..70be89f 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -1885,7 +1885,7 @@ This list was initially populated using information from the following sources: | MailStore | | | | | [MailStore Statement](https://www.mailstore.com/en/blog/mailstore-affected-by-log4shell/) | | | | | Maltego | | | | | [Maltego Response to Logj4](https://www.maltego.com/blog/our-response-to-log4j-cve-2021-44228/) | | | | | ManageEngine | Servicedesk Plus | 11305 and below | Affected | | [Manage Engine Advisory](https://www.manageengine.com/products/service-desk/security-response-plan.html) | | | 12/15/2021 | -| ManageEngine | AD SelfService Plus | Build 6.1 build 6114 | Not Affected | | | | 12/27/21 | +| ManageEngine | AD SelfService Plus | Build 6.1 build 6114 | Not Affected | | | | 12/27/21 | | ManageEngine Zoho | | | | | [Manage Engine Link](https://pitstop.manageengine.com/portal/en/community/topic/log4j-ad-manager-plus) | | | | | ManageEngine Zoho | ADManager Plus | On-Prem | | | [ManageEngine Vulnerability Impact](https://pitstop.manageengine.com/portal/en/community/topic/update-on-the-recent-apache-log4j2-vulnerability-impact-on-manageengine-on-premises-products-1) | | |12/16/2021| | ManageEngine Zoho | ADAudit Plus | On-Prem | | | [ManageEngine Vulnerability Impact](https://pitstop.manageengine.com/portal/en/community/topic/update-on-the-recent-apache-log4j2-vulnerability-impact-on-manageengine-on-premises-products-1) | | |12/16/2021| From 017d143aa56006c027ca3b88c09c03af55293868 Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Wed, 29 Dec 2021 08:28:46 -0500 Subject: [PATCH 36/47] Add space & fix pipe --- SOFTWARE-LIST.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 2390e11..2261fc3 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2403,8 +2403,8 @@ download | | 12/20/2021 | | SmileCDR | | | | | [SmileCDR Blog Post](https://www.smilecdr.com/our-blog/a-statement-on-log4shell-cve-2021-44228) | | | | | Snakemake | Snakemake | 6.12.1 | Not Affected | | [https://snakemake.readthedocs.io/en/stable/](https://snakemake.readthedocs.io/en/stable/) | | | 12/21/2021 | | Sn0m | | | | | [Sn0m Link](https://www.snom.com/en/press/log4j-poses-no-threat-snom-phones/) | | | | -| Snow Software | Snow Commander | 8.1 to 8.10.2 | Fixed | Yes |[Snow Software Commmunity Link](https://community.snowsoftware.com/s/feed/0D5690000B4U6hUCQS) | | | | -| Snow Software | VM Access Proxy | v3.1 to v3.6 " Fixed | Yes | [Snow Software Commmunity Link](https://community.snowsoftware.com/s/feed/0D5690000B4U6hUCQS) | | | | +| Snow Software | Snow Commander | 8.1 to 8.10.2 | Fixed | Yes | [Snow Software Commmunity Link](https://community.snowsoftware.com/s/feed/0D5690000B4U6hUCQS) | | | | +| Snow Software | VM Access Proxy | v3.1 to v3.6 | Fixed | Yes | [Snow Software Commmunity Link](https://community.snowsoftware.com/s/feed/0D5690000B4U6hUCQS) | | | | | Snowflake | | | Not Affected | | [Snowflake Community Link](https://community.snowflake.com/s/article/No-Snowflake-exposure-to-Apache-Log4j-vulnerability-CVE-2021-44228) | | | | | Snyk | Cloud Platform | |Not Affected | | [Snyk Updates](https://updates.snyk.io/snyk%27s-cloud-platform-all-clear-from-log4j-exploits-216499) | | | | | Software AG | | | | | [Software AG](https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849) | | | | From e8a9752e44086299e8dd91bf9db36bf15ca1a748 Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Wed, 29 Dec 2021 08:47:33 -0500 Subject: [PATCH 37/47] Remove resque --- SOFTWARE-LIST.md | 1 - 1 file changed, 1 deletion(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 77f61cf..df3512e 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2263,7 +2263,6 @@ download | | 12/20/2021 | | Reiner SCT | | | | | [Reiner SCT Forum](https://forum.reiner-sct.com/index.php?/topic/5973-timecard-und-log4j-schwachstelle/&do=findComment&comment=14933) | | | | | ReportURI | | | | | [ReportURI Link](https://scotthelme.co.uk/responding-to-the-log4j-2-vulnerability/) | | | | | Respondus | | | | | [Respondus Support Link](https://support.respondus.com/support/index.php?/News/NewsItem/View/339) |This advisory is available to customers only and has not been reviewed by CISA | | | -| Resque | Resque | | | | | | | | | Revenera / Flexera | | | | | [Revenera / Flexera Community Link](https://community.flexera.com/t5/Revenera-Company-News/Security-Advisory-Log4j-Java-Vulnerability-CVE-2021-44228/ba-p/216905) | | | | | Ricoh | | | | | [Ricoh Link](https://www.ricoh.com/info/2021/1215_1/) | | | | | RingCentral | | | | | [RingCentral Security Bulletin](https://www.ringcentral.com/trust-center/security-bulletin.html) | | | | From cc09ef4030d7840169481f7e178fb17dc64c2870 Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Wed, 29 Dec 2021 08:50:11 -0500 Subject: [PATCH 38/47] Fix bare urls --- SOFTWARE-LIST.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index df3512e..f2c3a30 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -59,7 +59,7 @@ This list was initially populated using information from the following sources: | Alfresco | | | | | [Alfresco Blog Post](https://hub.alfresco.com/t5/alfresco-content-services-blog/cve-2021-44228-related-to-apache-log4j-security-advisory/ba-p/310717) | | | | | AlienVault | | | | | [AlienVault Article Link](https://success.alienvault.com/s/article/are-USM-Anywhere-or-USM-Central-vulnerable-to-CVE-2021-44228) | | | | | Alphatron Medical | | | | | [Alphatron Medical Website](https://www.alphatronmedical.com/home.html) | | | | -| Amazon | Athena | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | +| Amazon | Athena | | Fixed | | [https://aws.amazon.com/security/security-bulletins/AWS-2021-006/](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | | | Amazon | AWS | Linux 1,2 | Not Affected | No | | Notes: Amazon Linux 1 had aws apitools which were Java based but these were deprecated in 2015 [AWS Forum](https://forums.aws.amazon.com/thread.jspa?threadID=323611). AMIs used to inspect and verify (base spin ups) - amzn-ami-hvm-2018.03.0.20200318.1-x86_64-gp2 and amzn2-ami-kernel-5.10-hvm-2.0.20211201.0-x86_64-gp2 | | 12/15/2021 | | Amazon | AWS API Gateway | All | Fixed | | [Amazon AWS Link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | 12/20/2021 | | Amazon | AWS CloudHSM | < 3.4.1. | Affected | | [Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)](https://aws.amazon.com/security/security-bulletins/AWS-2021-005/) | | | | 
@@ -76,17 +76,17 @@ This list was initially populated using information from the following sources: | Amazon | AWS ELB | Unknown | Fixed | | [Update for Apache Log4j2 Issue (CVE-2021-44228)](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | 12/16/2021 | | Amazon | AWS Kinesis Data Stream | Unknown | Affected | Yes | [Update for Apache Log4j2 Issue (CVE-2021-44228)](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | We are actively patching all sub-systems that use Log4j2 by applying updates. The Kinesis Client Library (KCL) version 2.X and the Kinesis Producer Library (KPL) are not impacted. For customers using KCL 1.x, we have released an updated version and we strongly recommend that all KCL version 1.x customers upgrade to KCL version 1.14.5 (or higher) | | 12/14/2021 | | Amazon | AWS Lambda | Unknown | Affected | Yes | [Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)](https://aws.amazon.com/security/security-bulletins/AWS-2021-005/) | | | | -| Amazon | CloudFront | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | -| Amazon | CloudWatch | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | +| Amazon | CloudFront | | Fixed | | [https://aws.amazon.com/security/security-bulletins/AWS-2021-006/](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | | +| Amazon | CloudWatch | | Fixed | | [https://aws.amazon.com/security/security-bulletins/AWS-2021-006/](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | | | Amazon | EC2 | Amazon Linux 1 & 2 | Not Affected | | [Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | 12/15/2021 | -| Amazon | ELB | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | -| Amazon | KMS | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | 
+| Amazon | ELB | | Fixed | | [https://aws.amazon.com/security/security-bulletins/AWS-2021-006/](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | | +| Amazon | KMS | | Fixed | | [https://aws.amazon.com/security/security-bulletins/AWS-2021-006/](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | | | Amazon | OpenSearch | Unknown | Affected | Yes | [Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)](https://aws.amazon.com/security/security-bulletins/AWS-2021-005/), [(R20211203-P2)](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | | -| Amazon | RDS | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | -| Amazon | Route 53 | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | -| Amazon | S3 | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | +| Amazon | RDS | | Fixed | | [https://aws.amazon.com/security/security-bulletins/AWS-2021-006/](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | | +| Amazon | Route 53 | | Fixed | | [https://aws.amazon.com/security/security-bulletins/AWS-2021-006/](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | | +| Amazon | S3 | | Fixed | | [https://aws.amazon.com/security/security-bulletins/AWS-2021-006/](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | | | Amazon | Translate | | Not affected | | [Amazon Translate](https://aws.amazon.com/translate/) | Service not identified on [AWS Log4j Security Bulletin](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | -| Amazon | VPC | | Fixed | | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ | | | | +| Amazon | VPC | | Fixed | | [https://aws.amazon.com/security/security-bulletins/AWS-2021-006/](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | | | AMD | All | | Not Affected | | [AMD Advisory 
Link](https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1034) | Currently, no AMD products have been identified as affected. AMD is continuing its analysis. | | 12/22/2021 | | Anaconda | Anaconda | 4.10.3 | Not Affected | | [https://docs.conda.io/projects/conda/en/latest/index.html](https://docs.conda.io/projects/conda/en/latest/index.html) | | | 12/21/2021 | | Apache | ActiveMQ Artemis | All | Not Affected | Yes | [ApacheMQ - Update on CVE-2021-4428](https://activemq.apache.org/news/cve-2021-44228) | ActiveMQ Artemis does not use Log4j for logging. However, Log4j 1.2.17 is included in the Hawtio-based web console application archive (i.e. [web/console.war/WEB-INF/lib](web/console.war/WEB-INF/lib)). Although this version of Log4j is not impacted by CVE-2021-44228 future versions of Artemis will be updated so that the Log4j jar is no longer included in the web console application archive. See [ARTEMIS-3612](https://issues.apache.org/jira/browse/ARTEMIS-3612) for more information on that task. | | 12/21/2021 | From ac87f938621584c398f70cfa3eef0ef4926c7830 Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Wed, 29 Dec 2021 08:58:20 -0500 Subject: [PATCH 39/47] Fix extra & missing pipes --- SOFTWARE-LIST.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index c55d13b..1ff1326 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2417,9 +2417,9 @@ download | | 12/20/2021 | | Snowflake | | | Not Affected | | [Snowflake Community Link](https://community.snowflake.com/s/article/No-Snowflake-exposure-to-Apache-Log4j-vulnerability-CVE-2021-44228) | | | | | Snyk | Cloud Platform | |Not Affected | | [Snyk Updates](https://updates.snyk.io/snyk%27s-cloud-platform-all-clear-from-log4j-exploits-216499) | | | | | Software AG | | | | | [Software AG](https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849) | | | | -| SolarWinds | Database Performance Analyzer (DPA) | 2021.1.x, 2021.3.x, 2022.1.x | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Database Performance Analyzer (DPA) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228) | | For more information, please see the following KB article: [link](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | -| SolarWinds | Orion Platform | Not Affected | | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) | | | 12/23/2021 | -| SolarWinds | Server & Application Monitor (SAM) | SAM 2020.2.6 and later | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | For more information, please see the following KB article for the latest details specific to the SAM hotfix: 
[link](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | +| SolarWinds | Database Performance Analyzer (DPA) | 2021.1.x, 2021.3.x, 2022.1.x | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228), [Database Performance Analyzer (DPA) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228) | For more information, please see the following KB article: [link](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | +| SolarWinds | Orion Platform | | Not Affected | | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) | | | 12/23/2021 | +| SolarWinds | Server & Application Monitor (SAM) | SAM 2020.2.6 and later | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228), [Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | For more information, please see the following KB article for the latest details specific to the SAM hotfix: [link](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | | SonarSource | | | | | [SonarSource](https://community.sonarsource.com/t/sonarqube-and-the-log4j-vulnerability/54721) | | | | | Sonatype | | | | | [Sonatype 
Vulnerability Statement](https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild) | | | | | SonicWall | Capture Client & Capture Client Portal | | Not Affected | | [Sonic Wall Security Advisory](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Log4j2 not used in the Capture Client. | | 12/12/2021 | From 22346d167663c4464accedfaf994a11e007f7d2b Mon Sep 17 00:00:00 2001 From: Nick <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 29 Dec 2021 09:54:17 -0500 Subject: [PATCH 40/47] Update input description in the product submission form Update the description for the product version input so that it fully accounts for multiple versions. Co-authored-by: Shane Frasier --- .github/ISSUE_TEMPLATE/product-submission-form.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index 37258d7..ebdabe5 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml @@ -23,7 +23,7 @@ body: id: product-versions attributes: label: Product version(s) - description: What version(s) of the product are affected? + description: What version(s) of the product is (are) affected? placeholder: v2; 1.5; >3; >=4; >5, <6; etc. validations: required: true From dc94de97432092df829fac8e40793f78c35edd72 Mon Sep 17 00:00:00 2001 From: Maury Cupitt Date: Wed, 29 Dec 2021 10:00:04 -0500 Subject: [PATCH 41/47] Update for Sonatype products --- SOFTWARE-LIST.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index b8a02d9..681ce48 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2423,7 +2423,7 @@ download | | 12/20/2021 | | SolarWinds | Orion Platform | | Not Affected | | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) | | | 12/23/2021 | | SolarWinds | Server & Application Monitor (SAM) | SAM 2020.2.6 and later | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228), [Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | For more information, please see the following KB article for the latest details specific to the SAM hotfix: [link](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | | SonarSource | | | | | [SonarSource](https://community.sonarsource.com/t/sonarqube-and-the-log4j-vulnerability/54721) | | | | -| Sonatype | | | | | [Sonatype Vulnerability Statement](https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild) | | | | +| Sonatype | All Products | All Versions | Not Affected | N/A | [Sonatype Vulnerability Statement](https://help.sonatype.com/docs/important-announcements/sonatype-product-log4j-vulnerability-status) | Sonatype uses logback as the default logging solution as opposed to log4j. This means our software including Nexus Lifecycle, Nexus Firewall, Nexus Repository OSS and Nexus Repository Pro in versions 2.x and 3.x are NOT affected by the reported log4j vulnerabilities. We still advise keeping your software upgraded at the latest version. 
| | 12/29/2021 | | SonicWall | Capture Client & Capture Client Portal | | Not Affected | | [Sonic Wall Security Advisory](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Log4j2 not used in the Capture Client. | | 12/12/2021 | | SonicWall | Access Points| | Not Affected | | [Security Advisory (sonicwall.com)](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Log4j2 not used in the SonicWall Access Points | | 12/12/2021 | | SonicWall | Analytics | | Under Investigation | | [Security Advisory (sonicwall.com)](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Under Review | | 12/12/2021 | From 7efc19ee68b0c5ac89bb28d5bc4a7562a2075dbc Mon Sep 17 00:00:00 2001 From: LA100ti <96486988+LA100ti@users.noreply.github.com> Date: Wed, 29 Dec 2021 11:41:07 -0500 Subject: [PATCH 42/47] Update SOFTWARE-LIST.md --- SOFTWARE-LIST.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index b8a02d9..c128ead 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -1911,7 +1911,7 @@ This list was initially populated using information from the following sources: | ManageEngine Zoho | Analytics Plus | On-Prem | | | [ManageEngine Vulnerability Impact](https://pitstop.manageengine.com/portal/en/community/topic/update-on-the-recent-apache-log4j2-vulnerability-impact-on-manageengine-on-premises-products-1) | | |12/16/2021| | MariaDB | | | | | [MariaDB Statement](https://mariadb.com/resources/blog/log4shell-and-mariadb-cve-2021-44228/) | | | | | MathWorks | All MathWorks general release desktop or server products | | Not Affected | No | [MathWorks statement regarding CVE-2021-44228](https://www.mathworks.com/matlabcentral/answers/1610640-apache-log4j-vulnerability-cve-2021-44228-how-does-it-affect-matlab-run-time) | | | | -| MathWorks Matlab | | | | | [MathWorks Matlab Statement](https://www.mathworks.com/matlabcentral/answers/1610640-apache-log4j-vulnerability-cve-2021-44228-how-does-it-affect-matlab-run-time) | | | | +| MathWorks | MATLAB | All | Not Affected | No | [MathWorks MATLAB Statement](https://www.mathworks.com/content/dam/mathworks/policies/mathworks-response-to-cve-2021-44228-log4j-vulnerability.pdf) | | | 12/29/2021 | | Matillion | | | | | [Matillion Security Advisory](https://documentation.matillion.com/docs/security-advisory-14th-december-2021) | | | | | Matomo | | | | | [Matomo Statement](https://forum.matomo.org/t/matomo-is-not-concerned-by-the-log4j-security-breach-cve-2021-44228-discovered-on-december-2021-the-9th/44089) | | | | | Mattermost FocalBoard | | | | | [Mattermost FocalBoard Concern](https://forum.mattermost.org/t/log4j-vulnerability-concern/12676) | | | | From 268ca0cd0ec58d3ffe20c01d7df613aaa35be60c Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Wed, 29 Dec 2021 12:50:31 -0500 Subject: [PATCH 43/47] Add back PHOENIX entries --- SOFTWARE-LIST.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 1539ec2..1d08ff2 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md @@ -1790,6 +1790,9 @@ This list was initially populated using information from the following sources: | Pexip | | | | | [Pexip Link](https://www.pexip.com/blog1.0/pexip-statement-on-log4j-vulnerability) | | | | | Phenix Id | | | | | [Phenix Id Support Link](https://support.phenixid.se/uncategorized/log4j-fix/) | | | | | Philips | Multiple products | | | | [Philips Security Advisory](https://www.philips.com/a-w/security/security-advisories.html) | | | | +| PHOENIX CONTACT | Physical products containing firmware | | Not Affected | | [PHOENIX CONTACT Advisory Link](https://dam-mdc.phoenixcontact.com/asset/156443151564/1a0f6db6bbc86540bfe4f05fd65877f4/Vulnerability_Statement_Log4J_20211215.pdf) | | | 12/22/2021 | +| PHOENIX CONTACT | Software Products | | Not Affected | | [PHOENIX CONTACT Advisory Link](https://dam-mdc.phoenixcontact.com/asset/156443151564/1a0f6db6bbc86540bfe4f05fd65877f4/Vulnerability_Statement_Log4J_20211215.pdf) | | | 12/22/2021 | +| PHOENIX CONTACT | Cloud Services | | Affected | | [PHOENIX CONTACT Advisory Link](https://dam-mdc.phoenixcontact.com/asset/156443151564/1a0f6db6bbc86540bfe4f05fd65877f4/Vulnerability_Statement_Log4J_20211215.pdf) | Partly affected. Remediations are being implemented. | | 12/22/2021 | | Ping Identity | PingAccess | 4.0 <= version <= 6.3.2 | Affected | Yes | [Log4j2 vulnerability CVE-2021-44228](https://support.pingidentity.com/s/article/Log4j2-vulnerability-CVE-CVE-2021-44228) | | | 2021-12-15 | | Ping Identity | PingCentral | | Affected | Yes | [Log4j2 vulnerability CVE-2021-44228](https://support.pingidentity.com/s/article/Log4j2-vulnerability-CVE-CVE-2021-44228) | | | 2021-12-15 | | Ping Identity | PingFederate | 8.0 <= version <= 10.3.4 | Affected | Yes | [Log4j2 vulnerability CVE-2021-44228](https://support.pingidentity.com/s/article/Log4j2-vulnerability-CVE-CVE-2021-44228) | | | 2021-12-15 | 
From cd62739d926d6ec3825cc873ebcba732d77ee085 Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Wed, 29 Dec 2021 12:54:50 -0500 Subject: [PATCH 44/47] Add spacing & date --- SOFTWARE-LIST.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 05eb3ae..e989c48 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md @@ -2667,7 +2667,7 @@ download | | 12/20/2021 | | UniFlow | | | | | [UniFlow Security Advisory](https://www.uniflow.global/en/security/security-and-maintenance/) | | | | | Unify ATOS | | | | | [Unify ATOS Advisory](https://networks.unify.com/security/advisories/OBSO-2112-01.pdf) | | | | | Unimus | | | | | [Unimus Statement](https://forum.unimus.net/viewtopic.php?f=7&t=1390#top) | | | | -| UiPath |InSights|20.10|Affected|Yes| [UiPath Statement](https://www.uipath.com/legal/trust-and-security/cve-2021-44228) | | | | +| UiPath | InSights | 20.10 | Affected | Yes | [UiPath Statement](https://www.uipath.com/legal/trust-and-security/cve-2021-44228) | | | 12/15/2021 | | USSIGNAL MSP | | | | | [USSIGNAL MSP Statement](https://ussignal.com/blog/apache-log4j-vulnerability) | | | | | VArmour | | | | | [VArmour Statement](https://support.varmour.com/hc/en-us/articles/4416396248717-Log4j2-Emergency-Configuration-Change-for-Critical-Auth-Free-Code-Execution-in-Logging-Utility) | | | | | Varian | Acuity | All | Under Investigation | | [Varian Advisory Link](https://www.varian.com/resources-support/services/cybersecurity-varian/java-log4j-vulnerabilities) | | | 12/22/2021 | From cc683614be38fad0c81884c923af113aa036753a Mon Sep 17 00:00:00 2001 From: iainDe <96153057+iainDe@users.noreply.github.com> Date: Wed, 29 Dec 2021 13:44:55 -0500 Subject: [PATCH 45/47] Update SOFTWARE-LIST.md --- SOFTWARE-LIST.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index e989c48..5f5ee69 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2355,6 +2355,11 @@ download | | 12/20/2021 | | Seagull Scientific | | | | | [Seagull Scientific Support Link](https://support.seagullscientific.com/hc/en-us/articles/4415794235543-Apache-Log4Shell-Vulnerability) | | | | | SecurePoint | | | | | [SecurePoint News Link](https://www.securepoint.de/news/details/sicherheitsluecke-log4j-securepoint-loesungen-nicht-betroffen.html) | | | | | Security Onion | | | | | [Security Onion Blog Post](https://blog.securityonion.net/2021/12/security-onion-2390-20211210-hotfix-now.html) | | | | +| Securonix | SNYPR Application | Affected | [Securonix Response to CVE-2021-44228: Securonix On-Prem Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-OnPrem-Customer-Update.pdf) | | | 12/10/21 | +| Securonix | Next Gen SIEM | All | Affected | [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | +| Securonix | User and Entity Behavior Analytics(UEBA)| All | Affected| [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | +| Securonix | Security Analytics and Operations Platform (SOAR) | All | Affected| [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | +| Securonix | Extended Detection and Response (XDR) | All | Affected| [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | | Seeburger | | | | | [Seeburger Service Desk 
Link](https://servicedesk.seeburger.de/portal/en-US/Knowledge/Article/?defId=101040&id=25486312&COMMAND=Open) |This advisory is avaiable to customers only and has not been reviewed by CISA | | | | SentinelOne | | | | | [SentinelOne Blog Post](https://www.sentinelone.com/blog/cve-2021-44228-staying-secure-apache-log4j-vulnerability/) | | | | | Sentry | | | | | [Sentry Blog Post](https://blog.sentry.io/2021/12/15/sentrys-response-to-log4j-vulnerability-cve-2021-44228) | | | | From 76f0733ef4dc3e39e9a9944bc76c7f1eb7505f5c Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Wed, 29 Dec 2021 13:50:46 -0500 Subject: [PATCH 46/47] Update SOFTWARE-LIST.md --- SOFTWARE-LIST.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 5f5ee69..1139b54 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2355,12 +2355,12 @@ download | | 12/20/2021 | | Seagull Scientific | | | | | [Seagull Scientific Support Link](https://support.seagullscientific.com/hc/en-us/articles/4415794235543-Apache-Log4Shell-Vulnerability) | | | | | SecurePoint | | | | | [SecurePoint News Link](https://www.securepoint.de/news/details/sicherheitsluecke-log4j-securepoint-loesungen-nicht-betroffen.html) | | | | | Security Onion | | | | | [Security Onion Blog Post](https://blog.securityonion.net/2021/12/security-onion-2390-20211210-hotfix-now.html) | | | | -| Securonix | SNYPR Application | Affected | [Securonix Response to CVE-2021-44228: Securonix On-Prem Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-OnPrem-Customer-Update.pdf) | | | 12/10/21 | -| Securonix | Next Gen SIEM | All | Affected | [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | -| Securonix | User and Entity Behavior Analytics(UEBA)| All | Affected| [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | -| Securonix | Security Analytics and Operations Platform (SOAR) | All | Affected| [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | -| Securonix | Extended Detection and Response (XDR) | All | Affected| [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | -| Seeburger | | | | | [Seeburger Service Desk 
Link](https://servicedesk.seeburger.de/portal/en-US/Knowledge/Article/?defId=101040&id=25486312&COMMAND=Open) |This advisory is avaiable to customers only and has not been reviewed by CISA | | | +| Securonix | SNYPR Application | | Affected | | [Securonix Response to CVE-2021-44228: Securonix On-Prem Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-OnPrem-Customer-Update.pdf) | | | 12/10/21 | +| Securonix | Next Gen SIEM | All | Affected | | [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | +| Securonix | User and Entity Behavior Analytics(UEBA)| All | Affected | | [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | +| Securonix | Security Analytics and Operations Platform (SOAR) | All | Affected | | [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | +| Securonix | Extended Detection and Response (XDR) | All | Affected | | [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | +| Seeburger | | | | | [Seeburger Service Desk Link](https://servicedesk.seeburger.de/portal/en-US/Knowledge/Article/?defId=101040&id=25486312&COMMAND=Open) | This advisory is avaiable to customers only and has not been reviewed by CISA. 
| | | | SentinelOne | | | | | [SentinelOne Blog Post](https://www.sentinelone.com/blog/cve-2021-44228-staying-secure-apache-log4j-vulnerability/) | | | | | Sentry | | | | | [Sentry Blog Post](https://blog.sentry.io/2021/12/15/sentrys-response-to-log4j-vulnerability-cve-2021-44228) | | | | | SEP | | | | | [SEP Support Link](https://support.sep.de/otrs/public.pl?Action=PublicFAQZoom;ItemID=132) | | | | From e26619023f60715c07a0b13d64c52b8ba47fa35a Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Wed, 29 Dec 2021 13:52:11 -0500 Subject: [PATCH 47/47] Update SOFTWARE-LIST.md --- SOFTWARE-LIST.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 1139b54..ea0f410 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2357,7 +2357,7 @@ download | | 12/20/2021 | | Security Onion | | | | | [Security Onion Blog Post](https://blog.securityonion.net/2021/12/security-onion-2390-20211210-hotfix-now.html) | | | | | Securonix | SNYPR Application | | Affected | | [Securonix Response to CVE-2021-44228: Securonix On-Prem Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-OnPrem-Customer-Update.pdf) | | | 12/10/21 | | Securonix | Next Gen SIEM | All | Affected | | [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | -| Securonix | User and Entity Behavior Analytics(UEBA)| All | Affected | | [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | +| Securonix | User and Entity Behavior Analytics(UEBA) | All | Affected | | [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | | Securonix | Security Analytics and Operations Platform (SOAR) | All | Affected | | [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | | Securonix | Extended Detection and Response (XDR) | All | Affected | | [Securonix Response to CVE-2021-44228: Securonix Cloud Customers](https://www.securonix.com/wp-content/uploads/2021/12/CVE-2021-44228-Securonix-Cloud-Customer-Update.pdf) | Patching ongoing as of 12/10/2021 | | 12/10/21 | | Seeburger | | | | | [Seeburger Service Desk 
Link](https://servicedesk.seeburger.de/portal/en-US/Knowledge/Article/?defId=101040&id=25486312&COMMAND=Open) | This advisory is avaiable to customers only and has not been reviewed by CISA. | | |
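Review bot: In the @@ -2403,8 +2403,8 hunk of PATCH 01/47, both re-added Snow Software rows keep the misspelled link label "Snow Software Commmunity Link". The lines are already being rewritten to repair the cell separators, so correct the label to "Snow Software Community Link" in the same change.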
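Review bot: In the @@ -59,7 +59,7 hunk of PATCH 38/47, the Athena row now uses the URL as its own link label, which clears the bare-URL warning but leaves a cell that is hard to scan. The AWS API Gateway context row two lines below points at the same AWS-2021-006 bulletin with the label "Amazon AWS Link"; reusing that label would keep the Amazon rows consistent. The final (date) cell of the Athena row is also still empty.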
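Review bot: In the @@ -76,17 +76,17 hunk of PATCH 38/47, the reformatted "Amazon | ELB" row duplicates the "Amazon | AWS ELB" context row at the top of the same hunk: both report Fixed against the AWS-2021-006 bulletin, but only the AWS ELB row carries a date (12/16/2021). Drop the duplicate instead of reformatting it, so that a reader checking ELB status does not find two rows with different levels of detail.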
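Review bot: In the Sonatype row added by PATCH 41/47, the product and version cells say "All Products" and "All Versions", but the note only names Nexus Lifecycle, Nexus Firewall, Nexus Repository OSS and Nexus Repository Pro in versions 2.x and 3.x. Narrow the cells to what the note supports, or list those products as separate rows. The update-available cell also uses "N/A" where the surrounding rows use Yes, No or an empty cell.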
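Review bot: In PATCH 42/47, the new MATLAB row cites the MathWorks PDF statement and is dated 12/29/2021, while the context row directly above it ("All MathWorks general release desktop or server products", also Not Affected) still cites the MATLAB Answers thread and has no date, so the two rows give different sources for the same vendor position. Update the context row to the same link and date, or fold MATLAB into it.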
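Review bot: PATCH 44/47 tidies the UiPath row in place, but the row sits between Unimus and USSIGNAL MSP, after UniFlow and Unify ATOS, so it is out of alphabetical order. Move it above UniFlow while it is being touched; a reader scanning the list for UiPath by name will otherwise miss an Affected entry.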
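Review bot: The five Securonix rows added by PATCH 45/47 have too few cells: the SNYPR Application row has 7 where the neighbouring rows have 9, and the other four have 8, so the advisory link lands in the wrong column until PATCH 46/47 inserts the empty cells. Squash 46/47 and 47/47 into this commit so that no revision of the list has shifted columns, and write the date as 12/10/2021 to match the four-digit years used in nearby rows (for example 12/20/2021 and 12/22/2021).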
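Review bot: In PATCH 46/47, the rewritten Seeburger row keeps the misspelling "avaiable" in its note ("This advisory is avaiable to customers only and has not been reviewed by CISA."). The line is already being changed to add the spacing and the full stop, so fix the word to "available" here as well.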
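Review bot: PATCH 47/47 adds the space before the closing pipe of the UEBA product cell but leaves "Analytics(UEBA)" without a space before the parenthesis, unlike the "(SOAR)" and "(XDR)" rows below it. Change the cell to "User and Entity Behavior Analytics (UEBA)" in the same edit.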