Merge branch 'develop' into patch-1

2 years ago · 604dd79f3e
parent 3d25dbde6b c6451fbb46
commit 604dd79f3e
4 changed files with 171 additions and 31 deletions
--- a/.github/ISSUE_TEMPLATE/product-submission-form.yml
+++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml
@ -0,0 +1,82 @@
+---
+name: Submit a Product
+description: Submit a product to the database
+title: "[Product Submission]: <vendor> - <product>"
+body:
+  - type: input
+    id: product-vendor
+    attributes:
+      label: Product vendor
+      description: Who is the vendor for the product?
+      placeholder: Cisco, Dell, IBM, etc.
+    validations:
+      required: true
+  - type: input
+    id: product-name
+    attributes:
+      label: Product name
+      description: What is the name of the product?
+      placeholder: AppDynamics, BigFix Inventory, Centera, etc.
+    validations:
+      required: true
+  - type: input
+    id: product-versions
+    attributes:
+      label: Product version(s)
+      description: What version(s) of the product is (are) affected?
+      placeholder: v2; 1.5; >3; >=4; >5, <6; etc.
+    validations:
+      required: true
+  - type: dropdown
+    id: product-status
+    attributes:
+      label: Product status
+      description: What is the current status of the affected product?
+      options:
+        - Unknown
+        - Affected
+        - Not Affected
+        - Fixed
+        - Under Investigation
+    validations:
+      required: true
+  - type: markdown
+    attributes:
+      value: |
+        Please use the information below when selecting a status.
+
+        - Unknown - Status unknown. Default choice.
+        - Affected - Reported to be affected by CVE-2021-44228.
+        - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no
+          further action necessary.
+        - Fixed - Patch and/or mitigations available (see provided links).
+        - Under Investigation - Vendor investigating status.
+  - type: dropdown
+    id: product-updated
+    attributes:
+      label: Product update
+      description: Is there an update available for the product?
+      options:
+        - Available
+        - Not Available
+    validations:
+      required: true
+  - type: input
+    id: product-update-link
+    attributes:
+      label: Product update link
+      description: Where can the update be found, if one is available?
+  - type: input
+    id: product-last-updated
+    attributes:
+      label: Last updated
+      description: When was the product last updated?
+      placeholder: "2021-12-06"
+  - type: textarea
+    id: product-notes
+    attributes:
+      label: Notes
+  - type: textarea
+    id: product-references
+    attributes:
+      label: References
--- a/.github/ISSUE_TEMPLATE/product-submission-template.md
+++ b/.github/ISSUE_TEMPLATE/product-submission-template.md
@ -1,27 +0,0 @@
---
-name: Product Submission Template
-about: Template for product submissions of all publicly available information
-  and vendor-supplied advisories regarding the log4j vulnerability.
---
-# Submission Template #
-
-Please provide the following information.
-
- Vendor Name
- Product Name
- Version(s) affected
- Status: Please choose from one of the following - Unknown, Affected,
-  Not Affected, Fixed, and Under Investigation.
- Update Available: Yes or No (If Yes, please provide link to information)
- Notes
- References
- Last Updated: Date of last update
-
-For questions about choice for status, please see the information below.
-
- Unknown - Status unknown. Default choice.
- Affected - Reported to be affected by CVE-2021-44228.
- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no further
-  action necessary.
- Fixed - Patch and/or mitigations available (see provided links).
- Under Investigation - Vendor investigating status.
--- a/.github/ISSUE_TEMPLATE/product-update-form.yml
+++ b/.github/ISSUE_TEMPLATE/product-update-form.yml
@ -0,0 +1,80 @@
+---
+name: Update a Product
+description: Update information about a product in the database
+title: "[Product Update]: <vendor> - <product>"
+body:
+  - type: input
+    id: product-vendor
+    attributes:
+      label: Product vendor
+      description: Who is the vendor for the product?
+      placeholder: Cisco, Dell, IBM, etc.
+    validations:
+      required: true
+  - type: input
+    id: product-name
+    attributes:
+      label: Product name
+      description: What is the name of the product?
+      placeholder: AppDynamics, BigFix Inventory, Centera, etc.
+    validations:
+      required: true
+  - type: textarea
+    id: update-context
+    attributes:
+      label: Context
+      description: Please provide context around the update.
+  - type: input
+    id: product-versions
+    attributes:
+      label: Product version(s)
+      description: What version(s) of the product are affected?
+  - type: dropdown
+    id: product-status
+    attributes:
+      label: Product status
+      description: What is the current status of the affected product?
+      options:
+        - Unknown
+        - Affected
+        - Not Affected
+        - Fixed
+        - Under Investigation
+  - type: markdown
+    attributes:
+      value: |
+        Please use the information below when selecting a status.
+
+        - Unknown - Status unknown. Default choice.
+        - Affected - Reported to be affected by CVE-2021-44228.
+        - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no
+          further action necessary.
+        - Fixed - Patch and/or mitigations available (see provided links).
+        - Under Investigation - Vendor investigating status.
+  - type: dropdown
+    id: product-updated
+    attributes:
+      label: Product update
+      description: Is there an update available for the product?
+      options:
+        - Available
+        - Not Available
+  - type: input
+    id: product-update-link
+    attributes:
+      label: Product update link
+      description: Where can the update be found, if one is available?
+  - type: input
+    id: product-last-updated
+    attributes:
+      label: Last updated
+      description: When was the product last updated?
+      placeholder: "2021-12-06"
+  - type: textarea
+    id: product-notes
+    attributes:
+      label: Notes
+  - type: textarea
+    id: product-references
+    attributes:
+      label: References
--- a/SOFTWARE-LIST.md
+++ b/SOFTWARE-LIST.md
@ -365,6 +365,7 @@ This list was initially populated using information from the following sources:
 | Check Point | ThreatCloud | | Not Affected | | [sk176865](https://supportcontent.checkpoint.com/solutions?id=sk176865) | | | |
 | CheckMK | | | | | [CheckMK Forum](https://forum.checkmk.com/t/checkmk-not-affected-by-log4shell/28643/3) | | | |
 | Ciphermail | | | | | [Ciphermail Blog Post](https://www.ciphermail.com/blog/ciphermail-gateway-and-webmail-messenger-are-not-vulnerable-to-cve-2021-44228.html) | | | |
+| CircleCI | CircleCI | | Not affected | | [CircleCI / Log4j Information CVE-2021-44228](https://discuss.circleci.com/t/circleci-log4j-information-cve-2021-4422) | | | 12/21/2021 |
 | CIS | | | | | [CIS Customer Portal](https://cisecurity.atlassian.net/servicedesk/customer/portal/15/article/2434301961) | | | |
 | Cisco | AppDynamics | | Affected | Yes | [Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) | | | |
 | Cisco | Cisco Common Services Platform Collector | | Under Investigation | | [Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) | | | |
@ -1298,6 +1299,7 @@ This list was initially populated using information from the following sources:
 | Gravwell | | | | | [Gravwell Statement](https://www.gravwell.io/blog/cve-2021-44228-log4j-does-not-impact-gravwell-products) | | | |
 | Graylog | Graylog Server | All versions >= 1.2.0 and <= 4.2.2 | Affected | Yes | [Graylog Update for Log4j](https://www.graylog.org/post/graylog-update-for-log4j) | | | |
 | GreenShot | | | | | [GreenShot Statement](https://greenshot.atlassian.net/browse/BUG-2871) | | | |
+| GSA | Cloud.gov | | Fixed | | [Log4j Customer responsibility](https://cloud.gov/2021/12/14/log4j-buildpack-updates/) | | | 12/21/2021 |
 | Guidewire | | | | | [Guidewire Statement](https://community.guidewire.com/s/article/Update-to-customers-who-have-questions-about-the-use-of-log4j-in-Guidewire-products) | | | |
 | HAProxy | | | | | [HAProxy Statement](https://www.haproxy.com/blog/december-2021-log4shell-mitigation/) | | | |
 | HarmanPro AMX | | | | | [HarmanPro AMX Statement](https://help.harmanpro.com/apache-log4j-vulnerability) | | | |
@ -1911,7 +1913,7 @@ This list was initially populated using information from the following sources:
 | ManageEngine Zoho | Analytics Plus | On-Prem | | | [ManageEngine Vulnerability Impact](https://pitstop.manageengine.com/portal/en/community/topic/update-on-the-recent-apache-log4j2-vulnerability-impact-on-manageengine-on-premises-products-1) | | |12/16/2021|
 | MariaDB | | | | | [MariaDB Statement](https://mariadb.com/resources/blog/log4shell-and-mariadb-cve-2021-44228/) | | | |
 | MathWorks | All MathWorks general release desktop or server products | | Not Affected | No | [MathWorks statement regarding CVE-2021-44228](https://www.mathworks.com/matlabcentral/answers/1610640-apache-log4j-vulnerability-cve-2021-44228-how-does-it-affect-matlab-run-time) | | | |
-| MathWorks Matlab | | | | | [MathWorks Matlab Statement](https://www.mathworks.com/matlabcentral/answers/1610640-apache-log4j-vulnerability-cve-2021-44228-how-does-it-affect-matlab-run-time) | | | |
+| MathWorks | MATLAB | All | Not Affected | No | [MathWorks MATLAB Statement](https://www.mathworks.com/content/dam/mathworks/policies/mathworks-response-to-cve-2021-44228-log4j-vulnerability.pdf) | | | 12/29/2021 |
 | Matillion | | | | | [Matillion Security Advisory](https://documentation.matillion.com/docs/security-advisory-14th-december-2021) | | | |
 | Matomo | | | | | [Matomo Statement](https://forum.matomo.org/t/matomo-is-not-concerned-by-the-log4j-security-breach-cve-2021-44228-discovered-on-december-2021-the-9th/44089) | | | |
 | Mattermost FocalBoard | | | | | [Mattermost FocalBoard Concern](https://forum.mattermost.org/t/log4j-vulnerability-concern/12676) | | | |
@ -2416,13 +2418,16 @@ download | | 12/20/2021 |
 | SmileCDR | | | | | [SmileCDR Blog Post](https://www.smilecdr.com/our-blog/a-statement-on-log4shell-cve-2021-44228) | | | |
 | Snakemake | Snakemake | 6.12.1 | Not Affected |  | [https://snakemake.readthedocs.io/en/stable/](https://snakemake.readthedocs.io/en/stable/) | | | 12/21/2021 |
 | Sn0m | | | | | [Sn0m Link](https://www.snom.com/en/press/log4j-poses-no-threat-snom-phones/) | | | |
+| Snow Software | Snow Commander | 8.1 to 8.10.2 | Fixed | Yes | [Snow Software Commmunity Link](https://community.snowsoftware.com/s/feed/0D5690000B4U6hUCQS) | | | |
+| Snow Software | VM Access Proxy | v3.1 to v3.6 | Fixed | Yes | [Snow Software Commmunity Link](https://community.snowsoftware.com/s/feed/0D5690000B4U6hUCQS) | | | |
 | Snowflake | | | Not Affected | | [Snowflake Community Link](https://community.snowflake.com/s/article/No-Snowflake-exposure-to-Apache-Log4j-vulnerability-CVE-2021-44228) | | | |
 | Snyk | Cloud Platform | |Not Affected | | [Snyk Updates](https://updates.snyk.io/snyk%27s-cloud-platform-all-clear-from-log4j-exploits-216499) | | | |
 | Software AG | | | | | [Software AG](https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849) | | | |
-| SolarWinds | Database Performance Analyzer (DPA) | 2021.1.x, 2021.3.x, 2022.1.x | Affected | No | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Database Performance Analyzer (DPA) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228) | Workarounds available, hotfix under development | | 12/14/2021 |
-| SolarWinds | Server & Application Monitor (SAM) | SAM 2020.2.6 and later | Affected | No | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | Workarounds available, hotfix under development | | 12/14/2021 |
+| SolarWinds | Database Performance Analyzer (DPA) | 2021.1.x, 2021.3.x, 2022.1.x | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228), [Database Performance Analyzer (DPA) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228) | For more information, please see the following KB article: [link](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 |
+| SolarWinds | Orion Platform | | Not Affected | | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) | | | 12/23/2021 |
+| SolarWinds | Server & Application Monitor (SAM) | SAM 2020.2.6 and later | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228), [Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | For more information, please see the following KB article for the latest details specific to the SAM hotfix: [link](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 |
 | SonarSource | | | | | [SonarSource](https://community.sonarsource.com/t/sonarqube-and-the-log4j-vulnerability/54721) | | | |
-| Sonatype | | | | | [Sonatype Vulnerability Statement](https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild) | | | |
+| Sonatype | All Products | All Versions | Not Affected | N/A | [Sonatype Vulnerability Statement](https://help.sonatype.com/docs/important-announcements/sonatype-product-log4j-vulnerability-status) | Sonatype uses logback as the default logging solution as opposed to log4j. This means our software including Nexus Lifecycle, Nexus Firewall, Nexus Repository OSS and Nexus Repository Pro in versions 2.x and 3.x are NOT affected by the reported log4j vulnerabilities. We still advise keeping your software upgraded at the latest version. | | 12/29/2021 |
 | SonicWall | Capture Client & Capture Client Portal | | Not Affected | | [Sonic Wall Security Advisory](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Log4j2 not used in the Capture Client. | | 12/12/2021 |
 | SonicWall | Access Points| | Not Affected | | [Security Advisory (sonicwall.com)](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Log4j2 not used in the SonicWall Access Points | | 12/12/2021 |
 | SonicWall | Analytics | | Under Investigation | | [Security Advisory (sonicwall.com)](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Under Review | | 12/12/2021 |