@ -29,107 +29,246 @@ NOTE: This file is automatically generated. To submit updates, please refer to
| 3M Health Information Systems | CGS | | | Unknown | [link](https://support.3mhis.com/app/account/updates/ri/5210) | This advisory is available to customer only and has not been reviewed by CISA. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-15 |
| Accellion | Kiteworks | | v7.6 release | Fixed | [link](https://www.kiteworks.com/kiteworks-news/log4shell-apache-vulnerability-what-kiteworks-customers-need-to-know/) | "As a precaution, Kiteworks released a 7.6.1 Hotfix software update to address the vulnerability. This patch release adds the mitigation for CVE-2021-44228 contained in the Solr package as recommended by Apache Solr group. Specifically, it updates the Log4j library to a non-vulnerable version on CentOS 7 systems as well as adds the recommended option “$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true” to disable the possible attack vector on both CentOS 6 and CentOS 7." | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-16 |
| Abbott | All | | | Unknown | [link](https://www.abbott.com/policies/cybersecurity/apache-Log4j.html) | Details are shared with customers with an active RAP subscription. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-15 |
| Abbott | GLP Track System | Track Sample Manager (TSM), Track Workflow Manager (TWM) | | Affected | [link](https://www.abbott.com/policies/cybersecurity/apache-Log4j.html) | Abbott will provide a fix for this in a future update expected in January 2022. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-15 |
| Abnormal Security | All | | | Not Affected | [link](https://abnormalsecurity.com/blog/attackers-use-email-log4j-vulnerability) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Accellence Technologies | EBÜS | | All | Fixed | [link](https://www.accellence.de/en/articles/cve-2021-44228-62) | EBÜS itself is not vulnerable to CVE-2021-44228. Although it includes several 3rd-party software setups, which may be affected. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Accellion | Kiteworks | | v7.6 release | Fixed | [link](https://www.kiteworks.com/kiteworks-news/log4shell-apache-vulnerability-what-kiteworks-customers-need-to-know/) | As a precaution, Kiteworks released a 7.6.1 Hotfix software update to address the vulnerability. This patch release adds the mitigation for CVE-2021-44228 contained in the Solr package as recommended by Apache Solr group. Specifically, it updates the Log4j library to a non-vulnerable version on CentOS 7 systems as well as adds the recommended option “$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true" to disable the possible attack vector on both CentOS 6 and CentOS 7. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-16 |
| Adobe | Experience Manager 6.3 Forms on JEE | | All versions from 6.3 GA to 6.3.3 | Fixed | [link](https://helpx.adobe.com/experience-manager/kb/aem-forms-vulnerability-cve-2021-44228.html) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Adobe | Experience Manager 6.4 Forms on JEE | | All versions from 6.4 GA to 6.4.8 | Fixed | [link](https://helpx.adobe.com/experience-manager/kb/aem-forms-vulnerability-cve-2021-44228.html) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Adobe | Experience Manager 6.5 Forms on JEE | | All versions from 6.5 GA to 6.5.11 | Fixed | [link](https://helpx.adobe.com/experience-manager/kb/aem-forms-vulnerability-cve-2021-44228.html) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Adobe | Experience Manager Forms on OSGi | | | Not Affected | [link](https://helpx.adobe.com/experience-manager/kb/aem-forms-vulnerability-cve-2021-44228.html) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Advanced Systems Concepts (formally Jscape) | Active MFT | | | Unknown | [link](https://support.advsyscon.com/hc/en-us/articles/4413631831569) | This advisory is available to customers only and has not been reviewed by CISA | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-14 |
| Advanced Systems Concepts (formally Jscape) | MFT | | | Unknown | [link](https://support.advsyscon.com/hc/en-us/articles/4413631831569) | This advisory is available to customers only and has not been reviewed by CISA | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-14 |
| Advanced Systems Concepts (formally Jscape) | MFT Gateway | | | Unknown | [link](https://support.advsyscon.com/hc/en-us/articles/4413631831569) | This advisory is available to customers only and has not been reviewed by CISA | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-14 |
| Advanced Systems Concepts (formally Jscape) | MFT Server | | | Unknown | [link](https://support.advsyscon.com/hc/en-us/articles/4413631831569) | This advisory is available to customers only and has not been reviewed by CISA | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-14 |
| Advanced Systems Concepts (formally Jscape) | Active MFT | | | Not Affected | [link](https://support.advsyscon.com/hc/en-us/articles/4413631831569) | This advisory is available to customers only and has not been reviewed by CISA | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-14 |
| Advanced Systems Concepts (formally Jscape) | MFT | | | Not Affected | [link](https://support.advsyscon.com/hc/en-us/articles/4413631831569) | This advisory is available to customers only and has not been reviewed by CISA | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-14 |
| Advanced Systems Concepts (formally Jscape) | MFT Gateway | | | Not Affected | [link](https://support.advsyscon.com/hc/en-us/articles/4413631831569) | This advisory is available to customers only and has not been reviewed by CISA | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-14 |
| Advanced Systems Concepts (formally Jscape) | MFT Server | | | Not Affected | [link](https://support.advsyscon.com/hc/en-us/articles/4413631831569) | This advisory is available to customers only and has not been reviewed by CISA | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-14 |
| AFHCAN Global LLC | AFHCANcart | | | Not Affected | [link](https://afhcan.org/support.aspx) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| AFHCAN Global LLC | AFHCANmobile | | | Not Affected | [link](https://afhcan.org/support.aspx) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| AFHCAN Global LLC | AFHCANServer | | | Not Affected | [link](https://afhcan.org/support.aspx) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| AFHCAN Global LLC | AFHCANsuite | | | Not Affected | [link](https://afhcan.org/support.aspx) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| AFHCAN Global LLC | AFHCANupdate | | | Not Affected | [link](https://afhcan.org/support.aspx) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| AFHCAN Global LLC | AFHCANweb | | | Not Affected | [link](https://afhcan.org/support.aspx) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Akamai | SIEM Splunk Connector | All | | Affected | [link](https://splunkbase.splunk.com/app/4310/) | v1.4.11 is the new recommendation for mitigation of log4j vulnerabilities | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-15 |
| Amazon | AWS | | | Not Affected | | Notes: Amazon Linux 1 had aws apitools which were Java based but these were deprecated in 2015 [AWS Forum](https://forums.aws.amazon.com/thread.jspa?threadID=323611). AMIs used to inspect and verify (base spin ups) - amzn-ami-hvm-2018.03.0.20200318.1-x86_64-gp2 and amzn2-ami-kernel-5.10-hvm-2.0.20211201.0-x86_64-gp2 | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-15 |
| Amazon | AWS API Gateway | | All | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-20 |
| Amazon | AWS Connect | | All | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Vendors recommend evaluating components of the environment outside of the Amazon Connect service boundary, which may require separate/additional customer mitigation | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-23 |
| Amazon | AWS EKS, ECS, Fargate | Unknown | | Affected | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | To help mitigate the impact of the open-source Apache “Log4j2" utility (CVE-2021-44228 and CVE-2021-45046) security issues on customers’ containers, Amazon EKS, Amazon ECS, and AWS Fargate are deploying a Linux-based update (hot-patch). This hot-patch will require customer opt-in to use, and disables JNDI lookups from the Log4J2 library in customers’ containers. These updates are available as an Amazon Linux package for Amazon ECS customers, as a DaemonSet for Kubernetes users on AWS, and will be in supported AWS Fargate platform versions | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-16 |
| Amazon | AWS Kinesis Data Stream | Unknown | | Affected | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | We are actively patching all sub-systems that use Log4j2 by applying updates. The Kinesis Client Library (KCL) version 2.X and the Kinesis Producer Library (KPL) are not impacted. For customers using KCL 1.x, we have released an updated version and we strongly recommend that all KCL version 1.x customers upgrade to KCL version 1.14.5 (or higher) | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-14 |
| Amazon | AWS SNS | | Unknown | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Amazon SNS systems that serve customer traffic are patched against the Log4j2 issue. We are working to apply the Log4j2 patch to sub-systems that operate separately from SNS’s systems that serve customer traffic | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-14 |
| AMD | All | | | Unknown | [link](https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1034) | Currently, no AMD products have been identified as affected. AMD is continuing its analysis. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-22 |
| Akamai | SIEM Splunk Connector | | < 1.4.10 | Fixed | [link](https://developer.akamai.com/tools/integrations/siem/siem-cef-connector#release-notes) | Akamai SIEM Integration Connector for Splunk is not vulnerable to CVE-2021-44228. Although it includes the vulnerable Log4J component, it is not used by the connector. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-15 |
| Alphatron Medical | JiveX | | | Not Affected | [link](https://www.alphatronmedical.com/product-news/vulnerability-apache-log4j.html) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Alphatron Medical | Zorgbericht | | | Not Affected | [link](https://www.alphatronmedical.com/product-news/vulnerability-apache-log4j.html) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Amazon | AMS | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Work in progress, portion of customers may still be vulnerable. Actively monitoring this issue, and are working on addressing it for any AMS services which use Log4j2. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Amazon | Athena JDBC Driver | | | Not Affected | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | All versions vended to customers were not affected. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-20 |
| Amazon | AWS | | | Not Affected | | Amazon Linux 1 had aws apitools which were Java based but these were deprecated in 2015 [AWS Forum](https://forums.aws.amazon.com/thread.jspa?threadID=323611). AMIs used to inspect and verify (base spin ups) - amzn-ami-hvm-2018.03.0.20200318.1-x86_64-gp2 and amzn2-ami-kernel-5.10-hvm-2.0.20211201.0-x86_64-gp2. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-15 |
| Amazon | AWS ECS | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | To help mitigate the impact of the open-source Apache Log4j2 utility (CVE-2021-44228 and CVE-2021-45046) security issues on customers’ containers, Amazon EKS, Amazon ECS, and AWS Fargate are deploying a Linux-based update (hot-patch). This hot-patch will require customer opt-in to use, and disables JNDI lookups from the Log4J2 library in customers’ containers. These updates are available as an Amazon Linux package for Amazon ECS customers, as a DaemonSet for Kubernetes users on AWS, and will be in supported AWS Fargate platform versions. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-16 |
| Amazon | AWS EKS | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | To help mitigate the impact of the open-source Apache Log4j2 utility (CVE-2021-44228 and CVE-2021-45046) security issues on customers’ containers, Amazon EKS, Amazon ECS, and AWS Fargate are deploying a Linux-based update (hot-patch). This hot-patch will require customer opt-in to use, and disables JNDI lookups from the Log4J2 library in customers’ containers. These updates are available as an Amazon Linux package for Amazon ECS customers, as a DaemonSet for Kubernetes users on AWS, and will be in supported AWS Fargate platform versions. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-16 |
| Amazon | AWS Elastic Beanstalk | | | Not Affected | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Default configuration of applications usage of Log4j versions is not vulnerable. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-17 |
| Amazon | AWS Fargate | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Opt-in hot-patch to mitigate the Log4j issue in JVM layer will be available as platform versions. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-16 |
| Amazon | AWS Glue | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Has been updated. Vulnerable only if ETL jobs load affected versions of Apache Log4j. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-16 |
| Amazon | AWS Greengrass | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Updates for all Greengrass V2 components Stream Manager (2.0.14) and Secure Tunneling (1.0.6) are available. For Greengrass versions 1.10.x and 1.11.x, an update for the Stream Manager feature is included in Greengrass patch versions 1.10.5 and 1.11.5. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-16 |
| Amazon | AWS IoT SiteWise Edge | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Updates for all AWS IoT SiteWise Edge components that use Log4j were made available; OPC-UA collector (v2.0.3), Data processing pack (v2.0.14), and Publisher (v2.0.2). | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-17 |
| Amazon | AWS Kinesis Data Streams | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | We are actively patching all sub-systems that use Log4j2 by applying updates. The Kinesis Client Library (KCL) version 2.X and the Kinesis Producer Library (KPL) are not impacted. For customers using KCL 1.x, we have released an updated version and we strongly recommend that all KCL version 1.x customers upgrade to KCL version 1.14.5 (or higher). KCL 2.x, KCL 1.14.5 or higher, and KPL are not vulnerable. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-14 |
| Amazon | AWS SNS | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Amazon SNS systems that serve customer traffic are patched against the Log4j2 issue. We are working to apply the Log4j2 patch to sub-systems that operate separately from SNS’s systems that serve customer traffic. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-14 |
| Amazon | Chime | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Amazon Chime and Chime SDK services have been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Amazon | Corretto | | | Not Affected | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | 10/19 release distribution does not include Log4j. Vulnerable only if customers applications use affected versions of Apache Log4j. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Amazon | EC2 | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Packages for Amazon Linux 1 and 2 not affected, package for Amazon Linux 2022 is affected. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-15 |
| Amazon | ECR Public | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Amazon-owned images published under a Verified Account on Amazon ECR Public are not affected by the Log4j issue. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-15 |
| Amazon | Elastic Load Balancing | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Services have been updated. All Elastic Load Balancers, as well as Classic, Application, Network and Gateway, are not affected by this Log4j issue. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-15 |
| Amazon | EMR | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Many customers are estimated to be vulnerable. Vulnerable only if affected EMR releases are used and untrusted sources are configured to be processed. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Amazon | Kafka (MSK) | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Applying updates as required, portion of customers may still be vulnerable. Some MSK-specific service components use Log4j > 2.0.0 library and are being patched where needed. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Amazon | Lake Formation | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Update in progress, portion of customers may still be vulnerable. AWS Lake Formation service hosts are being updated to the latest version of Log4j. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Amazon | Linux (AL1) | | | Not Affected | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | By default not vulnerable. Opt-in hot-patch to mitigate the Log4j in JVM layer issue is available. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Amazon | Linux (AL2) | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | By default not vulnerable, and a new version of Amazon Kinesis Agent which is part of AL2 addresses the Log4j issue. Opt-in hot-patch to mitigate the Log4j issue in JVM layer is available. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Amazon | SageMaker | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Completed patching for the Apache Log4j2 issue (CVE-2021-44228). Vulnerable only if customers applications use affected versions of Apache Log4j. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Amazon | Simple Notification Service (SNS) | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Systems that serve customer traffic are patched against the Log4j2 issue. Working to apply the patch to sub-systems that operate separately from SNSs systems that serve customer traffic. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Amazon | WorkSpaces/AppStream 2.0 | | | Fixed | [link](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Not affected with default configurations. WorkDocs Sync client versions 1.2.895.1 and older within Windows WorkSpaces, which contain the Log4j component, are vulnerable; For update instruction, see source for more info. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| AMD | All | | | Not Affected | [link](https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1034) | Currently, no AMD products have been identified as affected. AMD is continuing its analysis. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-22 |
| Anaconda | All | | | Not Affected | [link](https://docs.conda.io/projects/conda/en/latest/index.html) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-21 |
| AOMEI | All | | | Not Affected | [link](https://www.aomeitech.com/forum/index.php?p=/discussion/7651/aomei-and-log4j) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-21 |
| Apache | ActiveMQ Artemis | | | Not Affected | [link](https://activemq.apache.org/news/cve-2021-44228) | ActiveMQ Artemis does not use Log4j for logging. However, Log4j 1.2.17 is included in the Hawtio-based web console application archive (i.e. [web/console.war/WEB-INF/lib](web/console.war/WEB-INF/lib)). Although this version of Log4j is not impacted by CVE-2021-44228 future versions of Artemis will be updated so that the Log4j jar is no longer included in the web console application archive. See [ARTEMIS-3612](https://issues.apache.org/jira/browse/ARTEMIS-3612) for more information on that task. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-21 |
| Apache | Airflow | | | Unknown | [link](https://github.com/apache/airflow/tree/main/airflow) | Airflow is written in Python | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Apache | Camel | 3.14.1.3.11.5, 3.7.7 | | Affected | [link](https://camel.apache.org/blog/2021/12/log4j2/) | Apache Camel does not directly depend on Log4j 2, so we are not affected by CVE-2021-44228.If you explicitly added the Log4j 2 dependency to your own applications, make sure to upgrade.Apache Camel does use log4j during testing itself, and therefore you can find that we have been using log4j v2.13.3 release in our latest LTS releases Camel 3.7.6, 3.11.4. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-13 |
| Apache | Camel | | | Not Affected | [link](https://camel.apache.org/blog/2021/12/log4j2/) | Apache Camel does not directly depend on Log4j 2, so we are not affected by CVE-2021-44228.If you explicitly added the Log4j 2 dependency to your own applications, make sure to upgrade.Apache Camel does use log4j during testing itself, and therefore you can find that we have been using log4j v2.13.3 release in our latest LTS releases Camel 3.7.6, 3.11.4. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-13 |
| Apache | Camel Karaf | | | Unknown | [link](https://camel.apache.org/blog/2021/12/log4j2/) | The Karaf team is aware of this and are working on a new Karaf 4.3.4 release with updated log4j. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-13 |
| Apache | Flink | | < 1.14.2, 1.13.5, 1.12.7, 1.11.6 | Fixed | [link](https://flink.apache.org/2021/12/10/log4j-cve.html) | To clarify and avoid confusion: The 1.14.1 / 1.13.4 / 1.12.6 / 1.11.5 releases, which were supposed to only contain a Log4j upgrade to 2.15.0, were skipped because CVE-2021-45046 was discovered during the release publication. The new 1.14.2 / 1.13.5 / 1.12.7 / 1.11.6 releases include a version upgrade for Log4j to version 2.16.0 to address CVE-2021-44228 and CVE-2021-45046. | [https://flink.apache.org/news/2021/12/16/log4j-patch-releases.html](https://flink.apache.org/news/2021/12/16/log4j-patch-releases.html) | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-12 |
| Apache | Kafka | | | Not Affected | [link](https://kafka.apache.org/cve-list) | The current DB lists Apache Kafka as impacted. Apache Kafka uses Log4jv1, not v2. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-14 |
| Apache | Kafka | Unknown | | Affected | [link](https://logging.apache.org/log4j/2.x/security.html) | Only vulnerable in certain configuration(s) | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Apache | Solr | | 7.4.0 to 7.7.3, 8.0.0 to 8.11.0 | Fixed | [link](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) | Update to 8.11.1 or apply fixes as described in Solr security advisory | [Apache Solr 8.11.1 downloads](https://solr.apache.org/downloads.html) | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-16 |
| Apache | Struts 2 | Versions before 2.5.28.1 | | Affected | [link](https://struts.apache.org/announce-2021) | The Apache Struts group is pleased to announce that Struts 2.5.28.1 is available as a “General Availability” release. The GA designation is our highest quality grade. This release addresses Log4j vulnerability CVE-2021-45046 by using the latest Log4j 2.12.2 version (Java 1.7 compatible). | [Apache Struts Release Downloads](https://struts.apache.org/download.cgi#struts-ga) | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-21 |
| Apache | Tomcat | 9.0.x | | Affected | [link](https://tomcat.apache.org/security-9.html) | Apache Tomcat 9.0.x has no dependency on any version of log4j. Web applications deployed on Apache Tomcat may have a dependency on log4j. You should seek support from the application vendor in this instance. It is possible to configure Apache Tomcat 9.0.x to use log4j 2.x for Tomcat's internal logging. This requires explicit configuration and the addition of the log4j 2.x library. Anyone who has switched Tomcat's internal logging to log4j 2.x is likely to need to address this vulnerability. In most cases, disabling the problematic feature will be the simplest solution. Exactly how to do that depends on the exact version of log4j 2.x being used. Details are provided on the [log4j 2.x security page](https://logging.apache.org/log4j/2.x/security.html) | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-21 |
| Apache | Camel K | | | Not Affected | [link](https://camel.apache.org/blog/2021/12/log4j2/) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-13 |
| Apache | Camel Karaf | | | Affected | [link](https://camel.apache.org/blog/2021/12/log4j2/) | The Karaf team is aware of this and are working on a new Karaf 4.3.4 release with updated log4j. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-13 |
| Apache | Flink | | 1.15.0, 1.14.2, 1.13.5, 1.12.7, 1.11.6 | Fixed | [link](https://flink.apache.org/2021/12/10/log4j-cve.html) | To clarify and avoid confusion, the 1.14.1 / 1.13.4 / 1.12.6 / 1.11.5 releases, which were supposed to only contain a Log4j upgrade to 2.15.0, were skipped because CVE-2021-45046 was discovered during the release publication. The new 1.14.2 / 1.13.5 / 1.12.7 / 1.11.6 releases include a version upgrade for Log4j to version 2.16.0 to address CVE-2021-44228 and CVE-2021-45046. | [https://flink.apache.org/news/2021/12/16/log4j-patch-releases.html](https://flink.apache.org/news/2021/12/16/log4j-patch-releases.html) | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-12 |
| Apache | SOLR | | 7.4.0 to 7.7.3, 8.0.0 to 8.11.0 | Fixed | [link](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) | Fixed in 8.11.1, Versions before 7.4 also vulnerable when using several configurations. | [Apache Solr 8.11.1 downloads](https://solr.apache.org/downloads.html) | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-16 |
| Apache | Struts 2 | | Versions before 2.5.28.1 | Fixed | [link](https://struts.apache.org/announce-2021) | The Apache Struts group is pleased to announce that Struts 2.5.28.1 is available as a General Availability release. The GA designation is our highest quality grade. This release addresses Log4j vulnerability CVE-2021-45046 by using the latest Log4j 2.12.2 version (Java 1.7 compatible). | [Apache Struts Release Downloads](https://struts.apache.org/download.cgi#struts-ga) | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-21 |
| Apache | Tika | 2.0.0 and up | | Affected | [link](https://blogs.apache.org/security/entry/cve-2021-44228) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Apache | Tomcat | | | Unknown | [link](https://tomcat.apache.org/security-9.html) | Apache Tomcat 9.0.x has no dependency on any version of log4j. Web applications deployed on Apache Tomcat may have a dependency on log4j. You should seek support from the application vendor in this instance. It is possible to configure Apache Tomcat 9.0.x to use log4j 2.x for Tomcats internal logging. This requires explicit configuration and the addition of the log4j 2.x library. Anyone who has switched Tomcats internal logging to log4j 2.x is likely to need to address this vulnerability. In most cases, disabling the problematic feature will be the simplest solution. Exactly how to do that depends on the exact version of log4j 2.x being used. Details are provided on the [log4j 2.x security page](https://logging.apache.org/log4j/2.x/security.html) | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-21 |
| Apereo | CAS | | 6.3.x, 6.4.x | Fixed | [link](https://apereo.github.io/2021/12/11/log4j-vuln/) | Other versions still in active maintainance might need manual inspection. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atlassian | Bamboo Server & Data Center | | | Not Affected | [link](https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html) | This product may be affected by a related but lower severity vulnerability if running in a specific non-default configuration. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atlassian | Bitbucket Server & Data Center | All | | Affected | [link](https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html) | This product is not vulnerable to remote code execution but may leak information due to the bundled Elasticsearch component being vulnerable. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atlassian | Confluence Server & Data Center | | | Not Affected | [link](https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html) | This product may be affected by a related but lower severity vulnerability if running in a specific non-default configuration. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atlassian | Crowd Server & Data Center | | | Not Affected | [link](https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html) | This product may be affected by a related but lower severity vulnerability if running in a specific non-default configuration. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atlassian | Crucible | | | Not Affected | [link](https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html) | This product may be affected by a related but lower severity vulnerability if running in a specific non-default configuration. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atlassian | Fisheye | | | Not Affected | [link](https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html) | This product may be affected by a related but lower severity vulnerability if running in a specific non-default configuration. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atlassian | Jira Server & Data Center | | | Not Affected | [link](https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html) | This product may be affected by a related but lower severity vulnerability if running in a specific non-default configuration. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atera | All | | | Unknown | [link](https://www.reddit.com/r/atera/comments/rh7xb1/apache_log4j_2_security_advisory_update/) | | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atlassian | Bamboo Server & Data Center | On Prem | | Affected | [link](https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html) | Only vulnerable when using non-default config, cloud version fixed. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atlassian | Bitbucket Server & Data Center | | On prem | Fixed | [link](https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html) | This product is not vulnerable to remote code execution but may leak information due to the bundled Elasticsearch component being vulnerable. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atlassian | Confluence Server & Data Center | On prem | | Affected | [link](https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html) | Only vulnerable when using non-default config, cloud version fixed. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atlassian | Crowd Server & Data Center | On prem | | Affected | [link](https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html) | This product may be affected by a related but lower severity vulnerability if running in a specific non-default configuration. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atlassian | Crucible | On prem | | Affected | [link](https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html) | This product may be affected by a related but lower severity vulnerability if running in a specific non-default configuration. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atlassian | Fisheye | On prem | | Affected | [link](https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html) | This product may be affected by a related but lower severity vulnerability if running in a specific non-default configuration. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atlassian | Jira Server & Data Center | On prem | | Affected | [link](https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html) | This product may be affected by a related but lower severity vulnerability if running in a specific non-default configuration. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Atvise | All | | | Not Affected | [link](https://www.atvise.com/en/articles/at-log4j-sicherheitsluecke-atvise-produkte-und-terminals-nicht-betroffen) | The security vulnerability does NOT affect our applications and products or pose any threat. This applies to all Bachmann applications and products, including atvise solutions. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-17 |
| Autodesk | | | | Unknown | [link](https://knowledge.autodesk.com/support/autocad/troubleshooting/caas/sfdcarticles/sfdcarticles/CVE-2021-44228.html) | Autodesk is continuing to perform a thorough investigation in relation to the recently discovered Apache Log4j security vulnerabilities. We continue to implement several mitigating factors for our products including patching, network firewall blocks, and updated detection signatures to reduce the threat of this vulnerability and enhance our ability to quickly respond to potential malicious activity. We have not identified any compromised systems in the Autodesk environment due to this vulnerability, at this time. This is an ongoing investigation and we will provide updates on the [Autodesk Trust Center as we learn more](https://www.autodesk.com/trust/overview). | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-21 |
| Autodesk | All | | | Unknown | [link](https://knowledge.autodesk.com/support/autocad/troubleshooting/caas/sfdcarticles/sfdcarticles/CVE-2021-44228.html) | Autodesk is continuing to perform a thorough investigation in relation to the recently discovered Apache Log4j security vulnerabilities. We continue to implement several mitigating factors for our products including patching, network firewall blocks, and updated detection signatures to reduce the threat of this vulnerability and enhance our ability to quickly respond to potential malicious activity. We have not identified any compromised systems in the Autodesk environment due to this vulnerability, at this time. This is an ongoing investigation and we will provide updates on the [Autodesk Trust Center as we learn more](https://www.autodesk.com/trust/overview). | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-21 |
| Automation Anywhere | Automation 360 Cloud | | | Fixed | [link](https://apeople.automationanywhere.com/s/login/?language=en_US&startURL=%2Fs%2Farticle%2FA360-Cloud-Zero-day-in-the-Log4j-Java-library&ec=302) | This advisory is available to customer only and has not been reviewed by CISA. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Automation Anywhere | Automation 360 On Premise | | | Fixed | [link](https://apeople.automationanywhere.com/s/login/?language=en_US&startURL=%2Fs%2Farticle%2FA360-Cloud-Zero-day-in-the-Log4j-Java-library&ec=302) | This advisory is available to customer only and has not been reviewed by CISA. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Automation Anywhere | Automation Anywhere | | 11.x, <11.3x | Fixed | [link](https://apeople.automationanywhere.com/s/login/?language=en_US&startURL=%2Fs%2Farticle%2FA360-Cloud-Zero-day-in-the-Log4j-Java-library&ec=302) | This advisory is available to customer only and has not been reviewed by CISA. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2022-01-12 |
| Avaya | Avaya Aura for OneCloud Private | | | Unknown | [link](https://support.avaya.com/helpcenter/getGenericDetails?detailId=1399839287609) | Avaya is scanning and monitoring its OneCloud Private environments as part of its management activities. Avaya will continue to monitor this fluid situation and remediations will be made as patches become available, in accordance with appropriate change processes. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-14 |
| Avaya | Avaya Aura for OneCloud Private | | | Affected | [link](https://support.avaya.com/helpcenter/getGenericDetails?detailId=1399839287609) | Avaya is scanning and monitoring its OneCloud Private environments as part of its management activities. Avaya will continue to monitor this fluid situation and remediations will be made as patches become available, in accordance with appropriate change processes. | | [cisagov](https://github.com/cisagov/log4j-affected-db) | 2021-12-14 |
cisagovbot
2 years ago