mirror of
https://github.com/cisagov/log4j-affected-db.git
synced 2024-11-22 16:40:48 +00:00
Update contents to pass pre-commit hooks
This commit is contained in:
parent
4e79802a04
commit
42663be1d0
3 changed files with 63 additions and 59 deletions
|
@ -1,35 +1,27 @@
|
||||||
---
|
---
|
||||||
name: Product Submission Template
|
name: Product Submission Template
|
||||||
about: Template for product submissions of all publicly available information and
|
about: Template for product submissions of all publicly available information
|
||||||
vendor-supplied advisories regarding the log4j vulnerability.
|
and vendor-supplied advisories regarding the log4j vulnerability.
|
||||||
title: ''
|
|
||||||
labels: ''
|
|
||||||
assignees: ''
|
|
||||||
|
|
||||||
---
|
---
|
||||||
|
# Submission Template #
|
||||||
---
|
|
||||||
name: Software Product Submission Template
|
|
||||||
about: Schema for product submission for log4j vulnerability.
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
# Submission Template
|
|
||||||
|
|
||||||
Please provide the following information.
|
Please provide the following information.
|
||||||
|
|
||||||
- Vendor Name
|
- Vendor Name
|
||||||
- Product Name
|
- Product Name
|
||||||
- Version(s) affected
|
- Version(s) affected
|
||||||
- Status: Please choose from one of the following (Unknown/Affected/Not Affected/Fixed/Under Investigation).
|
- Status: Please choose from one of the following - Unknown, Affected,
|
||||||
- Update Available: Yes or No (If Yes, please provide link to information)
|
Not Affected, Fixed, and Under Investigation.
|
||||||
|
- Update Available: Yes or No (If Yes, please provide link to information)
|
||||||
- Notes
|
- Notes
|
||||||
- References
|
- References
|
||||||
- Last Updated: Date of last update
|
- Last Updated: Date of last update
|
||||||
|
|
||||||
For questions about choice for status, please see the information below.
|
For questions about choice for status, please see the information below.
|
||||||
- Unknown - Status unknown. Default choice.
|
|
||||||
|
- Unknown - Status unknown. Default choice.
|
||||||
- Affected - Reported to be affected by CVE-2021-44228.
|
- Affected - Reported to be affected by CVE-2021-44228.
|
||||||
- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no further action necessary.
|
- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no further
|
||||||
|
action necessary.
|
||||||
- Fixed - Patch and/or mitigations available (see provided links).
|
- Fixed - Patch and/or mitigations available (see provided links).
|
||||||
- Under Investigation - Vendor investigating status.
|
- Under Investigation - Vendor investigating status.
|
||||||
|
|
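Review bot: the `Last Updated: Date of last update` field gives no date format, while the README table rows this template feeds use `12/12/2021`; state the expected format (for example `MM/DD/YYYY`, as the existing rows use) so submissions do not mix styles. Dropping the second front-matter block (`name: Software Product Submission Template` through the second `---`) and the duplicate `# Submission Template` heading is the right fix, since an issue template carries only one front matter; the status definitions that remain (`Unknown` through `Under Investigation`) now duplicate the README's Status Descriptions table word for word, so consider linking to that table instead of repeating it, or the two will drift.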
1
.github/SECURITY.md
vendored
1
.github/SECURITY.md
vendored
|
@ -1 +0,0 @@
|
||||||
|
|
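Review bot: this hunk deletes the single line of `.github/SECURITY.md`, but the commit message (`Update contents to pass pre-commit hooks`) does not say why; a hook failure is a reason to fix the file, not to remove it. If the file only pointed at an organisation-level policy and is redundant, say so in the message; otherwise keep a SECURITY.md so that anyone who finds a problem with this repository knows where to report it.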
77
README.md
77
README.md
|
@ -1,46 +1,60 @@
|
||||||
# CISA Log4j (CVE-2021-44228) Vulnerability Guidance
|
# CISA Log4j (CVE-2021-44228) Vulnerability Guidance #
|
||||||
|
|
||||||
|
This repository provides CISA's guidance and an overview of related software
|
||||||
|
regarding the Log4j vulnerability (CVE-2021-44228). CISA encourages users and
|
||||||
|
administrators to review the
|
||||||
|
[official Apache release](https://logging.apache.org/log4j/2.x/security.html)
|
||||||
|
and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.
|
||||||
|
|
||||||
|
## Official CISA Guidance & Resources ##
|
||||||
|
|
||||||
|
- [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
|
||||||
|
- [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability).
|
||||||
|
|
||||||
|
## CISA Current Activity Alerts ##
|
||||||
|
|
||||||
|
- [Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce)
|
||||||
|
- [CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/13/cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228)
|
||||||
|
|
||||||
This repository provides CISA's guidance and an overview of related software regarding the Log4j vulnerability (CVE-2021-44228). CISA encourages users and administrators to review the [official Apache release](https://logging.apache.org/log4j/2.x/security.html) and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.
|
|
||||||
</br>
|
|
||||||
</br>
|
|
||||||
**Official CISA Guidance & Resources:**
|
|
||||||
</br>
|
|
||||||
Webpage: [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
|
|
||||||
</br>
|
|
||||||
CISA Director Jen Easterly's Statement: [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability).
|
|
||||||
</br> CISA Current Activity Alerts:
|
|
||||||
</br>
|
|
||||||
[Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce)
|
|
||||||
</br>
|
|
||||||
[CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/13/cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228)
|
|
||||||
</br>
|
|
||||||
National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
|
National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
|
||||||
</br>
|
|
||||||
</br>
|
|
||||||
CISA will maintain a list of all publicly available information and vendor-supplied advisories regarding the Log4j vulnerability. This list is not a full list and will be updated continuously. If you have any additional information to share relevant to the Log4j vulnerability, please feel free to open an issue [here](https://github.com/cisagov/log4j-affected-db/issues). We have a template available for your submission. Please also feel free to submit a pull request.
|
|
||||||
|
|
||||||
# Mitigation Guidance
|
CISA will maintain a list of all publicly available information and
|
||||||
CISA urges organizations operating products marked as "Fixed" to immediately implement listed patches/mitigations [here](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance).
|
vendor-supplied advisories regarding the Log4j vulnerability. This list is not
|
||||||
|
a full list and will be updated continuously. If you have any additional
|
||||||
|
information to share relevant to the Log4j vulnerability, please feel free to
|
||||||
|
open an issue [here](https://github.com/cisagov/log4j-affected-db/issues). We
|
||||||
|
have a template available for your submission. Please also feel free to submit
|
||||||
|
a pull request.
|
||||||
|
|
||||||
CISA urges organizations operating products marked as "Not Fixed" to immediately implement alternate controls, including:
|
## Mitigation Guidance ##
|
||||||
* Install a WAF with rules that automatically update.
|
|
||||||
* Set log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=True to the Java Virtual Machine command for starting your application.
|
|
||||||
* Ensure that any alerts from a vulnerable device are immediately actioned.
|
|
||||||
* Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report).
|
|
||||||
|
|
||||||
# Status Descriptions
|
CISA urges organizations operating products marked as "Fixed" to immediately
|
||||||
|
implement listed patches/mitigations [here](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance).
|
||||||
|
|
||||||
|
CISA urges organizations operating products marked as "Not Fixed" to immediately
|
||||||
|
implement alternate controls, including:
|
||||||
|
|
||||||
|
- Install a WAF with rules that automatically update.
|
||||||
|
- Set `log4j2.formatMsgNoLookups` to true by adding `-Dlog4j2.formatMsgNoLookups=True`
|
||||||
|
to the Java Virtual Machine command for starting your application.
|
||||||
|
- Ensure that any alerts from a vulnerable device are immediately actioned.
|
||||||
|
- Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report).
|
||||||
|
|
||||||
|
## Status Descriptions ##
|
||||||
|
|
||||||
|Status| Description |
|
|Status| Description |
|
||||||
|------|-------------|
|
|------|-------------|
|
||||||
| Unknown | Status unknown. Default choice. |
|
| Unknown | Status unknown. Default choice. |
|
||||||
| Affected| Reported to be affected by CVE-2021-44228. |
|
| Affected| Reported to be affected by CVE-2021-44228. |
|
||||||
| Not Affected | Reported to NOT be affected by CVE-2021-44228 and no further action necessary. |
|
| Not Affected | Reported to NOT be affected by CVE-2021-44228 and no further action necessary. |
|
||||||
| Fixed | Patch and/or mitigations available (see provided links). |
|
| Fixed | Patch and/or mitigations available (see provided links). |
|
||||||
| Under Investigation | Vendor investigating status. |
|
| Under Investigation | Vendor investigating status. |
|
||||||
|
|
||||||
# Software List
|
## Software List ##
|
||||||
|
|
||||||
This list was initially populated using information from the following sources: Kevin Beaumont.
|
This list was initially populated using information from the following sources:
|
||||||
|
|
||||||
|
- Kevin Beaumont
|
||||||
|
|
||||||
| Vendor | Product| Version(s)| Status| Update available| Vendor link | Notes | Other References | Last Updated |
|
| Vendor | Product| Version(s)| Status| Update available| Vendor link | Notes | Other References | Last Updated |
|
||||||
| ------ | -------------------- | ---- | ----- | --------------- | ----------- | ----- | ---------------- | ------------ |
|
| ------ | -------------------- | ---- | ----- | --------------- | ----------- | ----- | ---------------- | ------------ |
|
||||||
|
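Review bot: in the `Not Fixed` mitigation list, `-Dlog4j2.formatMsgNoLookups=True` should use lowercase `true`, matching the form on the linked Apache security page and the casing of the property name in the same bullet; the capitalised value still parses, but it reads as a typo. The bullet also does not say which Log4j releases honour the property, and the README elsewhere only says "upgrade to Log4j 2.15.0 or apply the recommended mitigations", so either state the supported version range here or point readers to the linked Apache page for it. Minor: the `Statement from CISA Director Easterly` bullet keeps a trailing period while the other link bullets have none.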
@ -488,7 +502,7 @@ This list was initially populated using information from the following sources:
|
||||||
| SonicWall | CAS | | Under Investigation | | [Security Advisory (sonicwall.com)](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Under Review | | 12/12/2021 |
|
| SonicWall | CAS | | Under Investigation | | [Security Advisory (sonicwall.com)](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Under Review | | 12/12/2021 |
|
||||||
| SonicWall | WAF | | Under Investigation | | [Security Advisory (sonicwall.com)](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Under Review | | 12/12/2021 |
|
| SonicWall | WAF | | Under Investigation | | [Security Advisory (sonicwall.com)](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Under Review | | 12/12/2021 |
|
||||||
| Sophos | Sophos Mobile EAS Proxy | < 9.7.2 | Affected | No | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | The Sophos Mobile EAS Proxy, running in Traffic Mode, is affected. Customers will need to download and install version 9.7.2, available from Monday December 13, 2021, on the same machine where it is currently running. PowerShell mode is not affected. Customers can download the Standalone EAS Proxy Installer version 9.7.2 from the Sophos website. | | 12/12/2021 |
|
| Sophos | Sophos Mobile EAS Proxy | < 9.7.2 | Affected | No | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | The Sophos Mobile EAS Proxy, running in Traffic Mode, is affected. Customers will need to download and install version 9.7.2, available from Monday December 13, 2021, on the same machine where it is currently running. PowerShell mode is not affected. Customers can download the Standalone EAS Proxy Installer version 9.7.2 from the Sophos website. | | 12/12/2021 |
|
||||||
| Sophos | Cloud Optix | | Fixed | | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | Users may have noticed a brief outage around 12:30 GMT as updates were deployed.<br>There was no evidence that the vulnerability was exploited and to our knowledge no customers are impacted. | | 12/12/2021 |
|
| Sophos | Cloud Optix | | Fixed | | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | Users may have noticed a brief outage around 12:30 GMT as updates were deployed. There was no evidence that the vulnerability was exploited and to our knowledge no customers are impacted. | | 12/12/2021 |
|
||||||
| Sophos | Sophos Firewall (all versions) | | Not Affected | | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | Sophos Firewall does not use Log4j. | | 12/12/2021 |
|
| Sophos | Sophos Firewall (all versions) | | Not Affected | | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | Sophos Firewall does not use Log4j. | | 12/12/2021 |
|
||||||
| Sophos | SG UTM (all versions) | | Not Affected | | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | Sophos SG UTM does not use Log4j. | | 12/12/2021 |
|
| Sophos | SG UTM (all versions) | | Not Affected | | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | Sophos SG UTM does not use Log4j. | | 12/12/2021 |
|
||||||
| Sophos | SG UTM Manager (SUM) (all versions) | All versions | Not Affected | | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | SUM does not use Log4j. | | 12/12/2021 |
|
| Sophos | SG UTM Manager (SUM) (all versions) | All versions | Not Affected | | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | SUM does not use Log4j. | | 12/12/2021 |
|
||||||
|
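Review bot: version information for the Sophos rows is recorded inconsistently: `Sophos Firewall (all versions)` and `SG UTM (all versions)` leave the Version(s) column empty, while `SG UTM Manager (SUM) (all versions)` puts `All versions` in both the product name and the Version(s) column. Keep the product name clean and put `All versions` in the Version(s) column for all three so the column can be filtered. Replacing `<br>` in the Cloud Optix notes with a space is fine for the markdown linter; the two sentences still read correctly as one cell.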
@ -548,4 +562,3 @@ This list was initially populated using information from the following sources:
|
||||||
| VMware | VMware Workspace ONE Access Connector (VMware Identity Manager Connector) | 21.x, 20.10.x, 19.03.0.1 | Affected | No | [VMSA-2021-0028.1 (vmware.com)](https://www.vmware.com/security/advisories/VMSA-2021-0028.html) | | | 12/12/2021 |
|
| VMware | VMware Workspace ONE Access Connector (VMware Identity Manager Connector) | 21.x, 20.10.x, 19.03.0.1 | Affected | No | [VMSA-2021-0028.1 (vmware.com)](https://www.vmware.com/security/advisories/VMSA-2021-0028.html) | | | 12/12/2021 |
|
||||||
| VMware | VMware Horizon DaaS | 9.1.x, 9.0.x | Affected | No | [VMSA-2021-0028.1 (vmware.com)](https://www.vmware.com/security/advisories/VMSA-2021-0028.html) | | | 12/12/2021 |
|
| VMware | VMware Horizon DaaS | 9.1.x, 9.0.x | Affected | No | [VMSA-2021-0028.1 (vmware.com)](https://www.vmware.com/security/advisories/VMSA-2021-0028.html) | | | 12/12/2021 |
|
||||||
| VMware | VMware Horizon Cloud Connector | 1.x, 2.x | Affected | Yes | [VMSA-2021-0028.1 (vmware.com)](https://www.vmware.com/security/advisories/VMSA-2021-0028.html) | | | 12/12/2021 |
|
| VMware | VMware Horizon Cloud Connector | 1.x, 2.x | Affected | Yes | [VMSA-2021-0028.1 (vmware.com)](https://www.vmware.com/security/advisories/VMSA-2021-0028.html) | | | 12/12/2021 |
|
||||||
|
|
||||||
|
|
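Review bot: the `VMware Horizon Cloud Connector` row lists `Update available` as `Yes` but keeps `Status` as `Affected`, while the Status Descriptions table in this same commit defines `Fixed` as "Patch and/or mitigations available (see provided links)"; either set the status to `Fixed` or explain in the Notes column why it stays `Affected` (for example, a fix for only some of the listed versions). The hunk header (`-548,4 +562,3`) shows one line removed after the last row that the rendering does not display, presumably a trailing blank line; that is the expected end-of-file fix and needs no change.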