From c92ba2ea0f0905767780688e1d0997f43feb311e Mon Sep 17 00:00:00 2001 From: Dan Ivovich Date: Wed, 22 Dec 2021 07:57:19 -0500 Subject: [PATCH 01/23] Add S3, Circle, and Cloud.gov --- SOFTWARE-LIST.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 8a41688..e0033c4 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -58,6 +58,7 @@ This list was initially populated using information from the following sources: | Amazon | AWS Lambda | Unknown | Affected | Yes | [Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)](https://aws.amazon.com/security/security-bulletins/AWS-2021-005/) | | | | | Amazon | EC2 | Amazon Linux 1 & 2 | Not Affected | | [Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | 12/15/2021 | | Amazon | OpenSearch | Unknown | Affected | Yes [(R20211203-P2)](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | [Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)](https://aws.amazon.com/security/security-bulletins/AWS-2021-005/) | | | | +| Amazon | S3 | | Fixed | | [Update for Apache Log4j2](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | | | 12/21/2021 | | Apache | ActiveMQ Artemis | All | Not Affected | Yes | [ApacheMQ - Update on CVE-2021-4428](https://activemq.apache.org/news/cve-2021-44228) | ActiveMQ Artemis does not use Log4j for logging. However, Log4j 1.2.17 is included in the Hawtio-based web console application archive (i.e. [web/console.war/WEB-INF/lib](web/console.war/WEB-INF/lib)). Although this version of Log4j is not impacted by CVE-2021-44228 future versions of Artemis will be updated so that the Log4j jar is no longer included in the web console application archive. See [ARTEMIS-3612](https://issues.apache.org/jira/browse/ARTEMIS-3612) for more information on that task. 
| | 12/21/2021 | | Apache | Camel | 3.14.1.3.11.5,3.7.7 | Affected | Yes | [APACHE CAMEL AND CVE-2021-44228 (LOG4J)](https://camel.apache.org/blog/2021/12/log4j2/)| Apache Camel does not directly depend on Log4j 2, so we are not affected by CVE-2021-44228.If you explicitly added the Log4j 2 dependency to your own applications, make sure to upgrade.Apache Camel does use log4j during testing itself, and therefore you can find that we have been using log4j v2.13.3 release in our latest LTS releases Camel 3.7.6, 3.11.4. | | 12/13/2021 | | Apache | Camel Quarkus | | Not Affected | No | [APACHE CAMEL AND CVE-2021-44228 (LOG4J)](https://camel.apache.org/blog/2021/12/log4j2/) | | | 12/13/2021 | @@ -300,6 +301,7 @@ This list was initially populated using information from the following sources: | Check Point | ThreatCloud | | Not Affected | | | | | | | CheckMK | | | | | [CheckMK Forum](https://forum.checkmk.com/t/checkmk-not-affected-by-log4shell/28643/3) | | | | | Ciphermail | | | | | [Ciphermail Blog Post](https://www.ciphermail.com/blog/ciphermail-gateway-and-webmail-messenger-are-not-vulnerable-to-cve-2021-44228.html) | | | | +| CircleCI | CircleCI | | Not affected | | [CircleCI / Log4j Information CVE-2021-44228](https://discuss.circleci.com/t/circleci-log4j-information-cve-2021-4422) | | | 12/21/2021 | | CIS | | | | | [CIS Customer Portal](https://cisecurity.atlassian.net/servicedesk/customer/portal/15/article/2434301961) | | | | | Cisco | AppDynamics | | Affected | Yes | [Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) | | | | | Cisco | Cisco Common Services Platform Collector | | Under Investigation | | [Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) | | | | 
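Review bot: In the added CircleCI row of [PATCH 01/23], the link target ends in `cve-2021-4422` while the link text says CVE-2021-44228, so the URL looks truncated and should be checked against the CircleCI post before merge. The status is also written `Not affected`, whereas the neighbouring rows use `Not Affected`; matching the existing casing keeps the Status column consistent for anyone filtering or parsing it.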
@@ -1007,6 +1009,7 @@ This list was initially populated using information from the following sources: | Gravwell | | | | | [Gravwell Statement](https://www.gravwell.io/blog/cve-2021-44228-log4j-does-not-impact-gravwell-products) | | | | | Graylog | Graylog Server | All versions >= 1.2.0 and <= 4.2.2 | Affected | Yes | [Graylog Update for Log4j](https://www.graylog.org/post/graylog-update-for-log4j) | | | | | GreenShot | | | | | [GreenShot Statement](https://greenshot.atlassian.net/browse/BUG-2871) | | | | +| GSA | Cloud.gov | | Fixed | | [Log4j Customer responsibility](https://cloud.gov/2021/12/14/log4j-buildpack-updates/) | | | 12/21/2021 | | Guidewire | | | | | [Guidewire Statement](https://community.guidewire.com/s/article/Update-to-customers-who-have-questions-about-the-use-of-log4j-in-Guidewire-products) | | | | | HAProxy | | | | | [HAProxy Statement](https://www.haproxy.com/blog/december-2021-log4shell-mitigation/) | | | | | HarmanPro AMX | | | | | [HarmanPro AMX Statement](https://help.harmanpro.com/apache-log4j-vulnerability) | | | | From 133f007d1c3833a33498d0ceb0a66aea52d02650 Mon Sep 17 00:00:00 2001 From: AlastairPooley <60789166+AlastairPooley@users.noreply.github.com> Date: Sun, 26 Dec 2021 20:04:17 +0000 Subject: [PATCH 02/23] Update SOFTWARE-LIST.md Snow Software added --- SOFTWARE-LIST.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 63bd4ea..8dd5b3b 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2401,6 +2401,8 @@ download | | 12/20/2021 | | SmileCDR | | | | | [SmileCDR Blog Post](https://www.smilecdr.com/our-blog/a-statement-on-log4shell-cve-2021-44228) | | | | | Snakemake | Snakemake | 6.12.1 | Not Affected | | [https://snakemake.readthedocs.io/en/stable/](https://snakemake.readthedocs.io/en/stable/) | | | 12/21/2021 | | Sn0m | | | | | [Sn0m Link](https://www.snom.com/en/press/log4j-poses-no-threat-snom-phones/) | | | | +| Snow Software | Snow Commander | 8.1 to 8.10.2 | Fixed | Yes |[Snow Software Commmunity Link](https://community.snowsoftware.com/s/feed/0D5690000B4U6hUCQS) | | | | +| Snow Software | VM Access Proxy | v3.1 to v3.6 " Fixed | Yes | [Snow Software Commmunity Link](https://community.snowsoftware.com/s/feed/0D5690000B4U6hUCQS) | | | | | Snowflake | | | Not Affected | | [Snowflake Community Link](https://community.snowflake.com/s/article/No-Snowflake-exposure-to-Apache-Log4j-vulnerability-CVE-2021-44228) | | | | | Snyk | Cloud Platform | |Not Affected | | [Snyk Updates](https://updates.snyk.io/snyk%27s-cloud-platform-all-clear-from-log4j-exploits-216499) | | | | | Software AG | | | | | [Software AG](https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849) | | | | From 6a09fd70f7b29288e0b7c29bc99b7c620a08c48a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 26 Dec 2021 20:18:23 -0500 Subject: [PATCH 03/23] Use an issue form for product submissions Switch to using a GitHub Issues form for product submission issues. This will provide a smoother interface for users to submit products to the database and ensure that certain values are included with a submission. --- .../product-submission-template.md | 27 ------- .../product-submission-template.yml | 73 +++++++++++++++++++ 2 files changed, 73 insertions(+), 27 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/product-submission-template.md create mode 100644 .github/ISSUE_TEMPLATE/product-submission-template.yml 
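Review bot: In the added `Snow Software | VM Access Proxy` row of [PATCH 02/23], the version cell is closed with a double quote instead of a pipe (`v3.1 to v3.6 " Fixed`), so the row has one cell fewer than the rows around it and `Yes` lands under Status, with every later value shifted one column left. Replace the quote with a pipe. In both added rows the link text reads `Commmunity` (three m's) and the Last Updated cell is empty; the Snow Commander row also lacks the space after the pipe before the link.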
diff --git a/.github/ISSUE_TEMPLATE/product-submission-template.md b/.github/ISSUE_TEMPLATE/product-submission-template.md deleted file mode 100644 index a92609b..0000000 --- a/.github/ISSUE_TEMPLATE/product-submission-template.md +++ /dev/null @@ -1,27 +0,0 @@ ---- -name: Product Submission Template -about: Template for product submissions of all publicly available information - and vendor-supplied advisories regarding the log4j vulnerability. ---- -# Submission Template # - -Please provide the following information. - -- Vendor Name -- Product Name -- Version(s) affected -- Status: Please choose from one of the following - Unknown, Affected, - Not Affected, Fixed, and Under Investigation. -- Update Available: Yes or No (If Yes, please provide link to information) -- Notes -- References -- Last Updated: Date of last update - -For questions about choice for status, please see the information below. - -- Unknown - Status unknown. Default choice. -- Affected - Reported to be affected by CVE-2021-44228. -- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no further - action necessary. -- Fixed - Patch and/or mitigations available (see provided links). -- Under Investigation - Vendor investigating status. diff --git a/.github/ISSUE_TEMPLATE/product-submission-template.yml b/.github/ISSUE_TEMPLATE/product-submission-template.yml new file mode 100644 index 0000000..c5a66b1 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/product-submission-template.yml 
@@ -0,0 +1,73 @@ +--- +name: Submit a Product +description: Submit a product to the database +title: "[Product Submission]: - " +body: + - type: markdown + attributes: + value: | + For questions about choice for status, please see the information below. + + - Unknown - Status unknown. Default choice. + - Affected - Reported to be affected by CVE-2021-44228. + - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no + further action necessary. + - Fixed - Patch and/or mitigations available (see provided links). + - Under Investigation - Vendor investigating status. + - type: input + id: product-vendor + attributes: + label: Product vendor + description: Who is the vendor for the product? + validations: + required: true + - type: input + id: product-name + attributes: + label: Product name + description: What is the product? + validations: + required: true + - type: input + id: product-versions + attributes: + label: Product version(s) + description: What version(s) of the product are affected? + validations: + required: true + - type: dropdown + id: product-status + attributes: + label: Product status + description: What is the current status of the affected product? + options: + - Unknown + - Affected + - Not Affected + - Fixed + - Under Investigation + validations: + required: true + - type: dropdown + id: product-updated + attributes: + label: Product update available + description: Is there an update available for the product? + options: + - "Yes" + - "No" + validations: + required: true + - type: input + id: product-update-link + attributes: + label: Product update link + description: If an update is available where can it be found? + - type: textarea + id: product-notes + attributes: + label: Notes + - type: textarea + id: product-references + attributes: + label: References From 847a4f248eb017acc4c7a826153ce1e5830a32d0 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 26 Dec 2021 20:23:20 -0500 Subject: [PATCH 04/23] Add an issue form for product updates Provide an issue form for product updates to complement the one for product submissions. This will encourage people to follow the specific workflows for submissions and updates. --- .../product-update-template.yml | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/product-update-template.yml diff --git a/.github/ISSUE_TEMPLATE/product-update-template.yml b/.github/ISSUE_TEMPLATE/product-update-template.yml new file mode 100644 index 0000000..109c12c --- /dev/null +++ b/.github/ISSUE_TEMPLATE/product-update-template.yml 
@@ -0,0 +1,58 @@ +--- +name: Update a Product +description: Update information about a product in the database +title: "[Product Update]: - " +body: + - type: markdown + attributes: + value: | + For questions about choice for status, please see the information below. + + - Unknown - Status unknown. Default choice. + - Affected - Reported to be affected by CVE-2021-44228. + - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no + further action necessary. + - Fixed - Patch and/or mitigations available (see provided links). + - Under Investigation - Vendor investigating status. + - type: textarea + id: update-context + attributes: + label: Context + description: Please provide context around the update + - type: input + id: product-versions + attributes: + label: Product version(s) + description: What version(s) of the product are affected? + - type: dropdown + id: product-status + attributes: + label: Product status + description: What is the current status of the affected product? + options: + - Unknown + - Affected + - Not Affected + - Fixed + - Under Investigation + - type: dropdown + id: product-updated + attributes: + label: Product update available + description: Is there an update available for the product? + options: + - "Yes" + - "No" + - type: input + id: product-update-link + attributes: + label: Product update link + description: If an update is available where can it be found? + - type: textarea + id: product-notes + attributes: + label: Notes + - type: textarea + id: product-references + attributes: + label: References From 20f82c96c0b77a7cc9357ed856c1b2e447a93a0c Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 26 Dec 2021 20:27:25 -0500 Subject: [PATCH 05/23] Rename template files to reflect that they are now forms --- ...roduct-submission-template.yml => product-submission-form.yml} | 0 .../{product-update-template.yml => product-update-form.yml} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename .github/ISSUE_TEMPLATE/{product-submission-template.yml => product-submission-form.yml} (100%) rename .github/ISSUE_TEMPLATE/{product-update-template.yml => product-update-form.yml} (100%) diff --git a/.github/ISSUE_TEMPLATE/product-submission-template.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml similarity index 100% rename from .github/ISSUE_TEMPLATE/product-submission-template.yml rename to .github/ISSUE_TEMPLATE/product-submission-form.yml diff --git a/.github/ISSUE_TEMPLATE/product-update-template.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml similarity index 100% rename from .github/ISSUE_TEMPLATE/product-update-template.yml rename to .github/ISSUE_TEMPLATE/product-update-form.yml From aa710d2818599379bc9db6e95d7e74ab6e2e8736 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 26 Dec 2021 20:32:00 -0500 Subject: [PATCH 06/23] Add missing input to issue forms Added an input to provide information about the date of a product's last update. --- .github/ISSUE_TEMPLATE/product-submission-form.yml | 5 +++++ .github/ISSUE_TEMPLATE/product-update-form.yml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index c5a66b1..6e71253 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml 
@@ -63,6 +63,11 @@ body: attributes: label: Product update link description: If an update is available where can it be found? + - type: input + id: product-last-updated + attributes: + label: Last updated + description: When was the product last updated? - type: textarea id: product-notes attributes: diff --git a/.github/ISSUE_TEMPLATE/product-update-form.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml index 109c12c..2789269 100644 --- a/.github/ISSUE_TEMPLATE/product-update-form.yml +++ b/.github/ISSUE_TEMPLATE/product-update-form.yml @@ -48,6 +48,11 @@ body: attributes: label: Product update link description: If an update is available where can it be found? + - type: input + id: product-last-updated + attributes: + label: Last updated + description: When was the product last updated? - type: textarea id: product-notes attributes: From 41e536e228aeb482bccab31f5bc6e448c6b6264b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 10:08:20 -0500 Subject: [PATCH 07/23] Adjust markdown element in product submission form Move the markdown element that explains available statuses down so it appears close to where a user is selecting the status. Given how form elements are rendered it has been adjusted to appear after the dropdown itself. Co-authored-by: dav3r --- .../product-submission-form.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index 6e71253..aa83f80 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml 
@@ -3,17 +3,6 @@ name: Submit a Product description: Submit a product to the database title: "[Product Submission]: - " body: - - type: markdown - attributes: - value: | - For questions about choice for status, please see the information below. - - - Unknown - Status unknown. Default choice. - - Affected - Reported to be affected by CVE-2021-44228. - - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no - further action necessary. - - Fixed - Patch and/or mitigations available (see provided links). - - Under Investigation - Vendor investigating status. - type: input id: product-vendor attributes: @@ -48,6 +37,17 @@ body: - Under Investigation validations: required: true + - type: markdown + attributes: + value: | + Please use the information below when selecting a status. + + - Unknown - Status unknown. Default choice. + - Affected - Reported to be affected by CVE-2021-44228. + - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no + further action necessary. + - Fixed - Patch and/or mitigations available (see provided links). + - Under Investigation - Vendor investigating status. - type: dropdown id: product-updated attributes: From b5ab6c3fb9f0ae8abc17048433deee67ac035c3f Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 10:18:59 -0500 Subject: [PATCH 08/23] Adjust a description in the product submission form Adjust the product name description to be more similar to other descriptions. --- .github/ISSUE_TEMPLATE/product-submission-form.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index aa83f80..af54400 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml 
@@ -14,7 +14,7 @@ body: id: product-name attributes: label: Product name - description: What is the product? + description: What is the name of the product? validations: required: true - type: input From 0804f1e8e92af46a11ad97e81daa1cb7f78f729d Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 10:20:14 -0500 Subject: [PATCH 09/23] Update dropdown in the product submission form Update the product update dropdown's label and options. Mainly focused on removing usage of Yes/No because these are boolean values in YAML and thus needed special handling compared to other strings. Co-authored-by: dav3r Co-authored-by: Shane Frasier --- .github/ISSUE_TEMPLATE/product-submission-form.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index af54400..0504f98 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml @@ -51,11 +51,11 @@ body: - type: dropdown id: product-updated attributes: - label: Product update available + label: Product update description: Is there an update available for the product? options: - - "Yes" - - "No" + - Available + - Not Available validations: required: true - type: input From 230b4c999e47f0967ab130bdbf6a8a6eb3fdec1b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 10:27:14 -0500 Subject: [PATCH 10/23] Add placeholders in the product submission form Add placeholders for some of the required inputs in the form. This will be most helpful for the product version, but for completeness they have also been added for the product vendor and name. Co-authored-by: dav3r --- .github/ISSUE_TEMPLATE/product-submission-form.yml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index 0504f98..345c5d7 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml @@ -8,6 +8,7 @@ body: attributes: label: Product vendor description: Who is the vendor for the product? + placeholder: Cisco, Dell, IBM, etc. validations: required: true - type: input @@ -15,6 +16,7 @@ body: attributes: label: Product name description: What is the name of the product? + placeholder: AppDynamics, BigFix Inventory, Centera, etc. validations: required: true - type: input @@ -22,6 +24,7 @@ body: attributes: label: Product version(s) description: What version(s) of the product are affected? + placeholder: v2; 1.5; >3; >=4; >5, <6; etc. validations: required: true - type: dropdown From abc70b1787fa5e26e26f2c907c6d6db900e5caf0 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 10:54:24 -0500 Subject: [PATCH 11/23] Adjust markdown element in product update form Move the markdown element that explains available statuses down so it appears close to where a user is selecting the status. Given how form elements are rendered it has been adjusted to appear after the dropdown itself. This mirrors changes made in the product submission form. --- .../ISSUE_TEMPLATE/product-update-form.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/product-update-form.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml index 2789269..3ce52de 100644 --- a/.github/ISSUE_TEMPLATE/product-update-form.yml +++ b/.github/ISSUE_TEMPLATE/product-update-form.yml 
@@ -3,17 +3,6 @@ name: Update a Product description: Update information about a product in the database title: "[Product Update]: - " body: - - type: markdown - attributes: - value: | - For questions about choice for status, please see the information below. - - - Unknown - Status unknown. Default choice. - - Affected - Reported to be affected by CVE-2021-44228. - - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no - further action necessary. - - Fixed - Patch and/or mitigations available (see provided links). - - Under Investigation - Vendor investigating status. - type: textarea id: update-context attributes: @@ -35,6 +24,17 @@ body: - Not Affected - Fixed - Under Investigation + - type: markdown + attributes: + value: | + Please use the information below when selecting a status. + + - Unknown - Status unknown. Default choice. + - Affected - Reported to be affected by CVE-2021-44228. + - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no + further action necessary. + - Fixed - Patch and/or mitigations available (see provided links). + - Under Investigation - Vendor investigating status. - type: dropdown id: product-updated attributes: From df6ac390835efadda738624f4eb133f44b7fda74 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 12:21:46 -0500 Subject: [PATCH 12/23] Add inputs to product update form Add product vendor and product name inputs to the update form. This will ensure that even if a submitter does not update the title we capture this information. --- .github/ISSUE_TEMPLATE/product-update-form.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.github/ISSUE_TEMPLATE/product-update-form.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml index 3ce52de..2167d7e 100644 --- a/.github/ISSUE_TEMPLATE/product-update-form.yml +++ b/.github/ISSUE_TEMPLATE/product-update-form.yml 
@@ -3,6 +3,22 @@ name: Update a Product description: Update information about a product in the database title: "[Product Update]: - " body: + - type: input + id: product-vendor + attributes: + label: Product vendor + description: Who is the vendor for the product? + placeholder: Cisco, Dell, IBM, etc. + validations: + required: true + - type: input + id: product-name + attributes: + label: Product name + description: What is the name of the product? + placeholder: AppDynamics, BigFix Inventory, Centera, etc. + validations: + required: true - type: textarea id: update-context attributes: From a91ebf78a6ef8e7d564c4d54d99a930977e0d841 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 12:39:38 -0500 Subject: [PATCH 13/23] Add missing punctuation in description in product update form --- .github/ISSUE_TEMPLATE/product-update-form.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/product-update-form.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml index 2167d7e..58f6ec9 100644 --- a/.github/ISSUE_TEMPLATE/product-update-form.yml +++ b/.github/ISSUE_TEMPLATE/product-update-form.yml @@ -23,7 +23,7 @@ body: id: update-context attributes: label: Context - description: Please provide context around the update + description: Please provide context around the update. - type: input id: product-versions attributes: From 90a215e6188daba6c5893f2dd17ba7bafd2fa21b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 12:45:46 -0500 Subject: [PATCH 14/23] Add a placeholder to the product issue forms Add a placeholder value for the last updated input in both the product submission and product update issue forms. This will encourage the appropriate timestamp format. --- .github/ISSUE_TEMPLATE/product-submission-form.yml | 1 + .github/ISSUE_TEMPLATE/product-update-form.yml | 1 + 2 files changed, 2 insertions(+) 
diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index 345c5d7..9353ce6 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml @@ -71,6 +71,7 @@ body: attributes: label: Last updated description: When was the product last updated? + placeholder: "2021-12-06" - type: textarea id: product-notes attributes: diff --git a/.github/ISSUE_TEMPLATE/product-update-form.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml index 58f6ec9..0f66eb8 100644 --- a/.github/ISSUE_TEMPLATE/product-update-form.yml +++ b/.github/ISSUE_TEMPLATE/product-update-form.yml @@ -69,6 +69,7 @@ body: attributes: label: Last updated description: When was the product last updated? + placeholder: "2021-12-06" - type: textarea id: product-notes attributes: From 01a719c4c61f46292b818c06307c2d0c32f7bd20 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 13:59:16 -0500 Subject: [PATCH 15/23] Update dropdown in the product update form Update the product update dropdown's label and options. Mainly focused on removing usage of Yes/No because these are boolean values in YAML and thus needed special handling compared to other strings. This mirrors changes done to the product submission form. --- .github/ISSUE_TEMPLATE/product-update-form.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/product-update-form.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml index 0f66eb8..4e914e1 100644 --- a/.github/ISSUE_TEMPLATE/product-update-form.yml +++ b/.github/ISSUE_TEMPLATE/product-update-form.yml 
@@ -54,11 +54,11 @@ body: - type: dropdown id: product-updated attributes: - label: Product update available + label: Product update description: Is there an update available for the product? options: - - "Yes" - - "No" + - Available + - Not Available - type: input id: product-update-link attributes: From c5c6c68dc8f757999a7944492d3118474076d69d Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 28 Dec 2021 14:25:47 -0500 Subject: [PATCH 16/23] Update description for product update link in forms Update the description for the product update link input in both the product submission and product update forms. Co-authored-by: dav3r Co-authored-by: Shane Frasier --- .github/ISSUE_TEMPLATE/product-submission-form.yml | 2 +- .github/ISSUE_TEMPLATE/product-update-form.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index 9353ce6..37258d7 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml @@ -65,7 +65,7 @@ body: id: product-update-link attributes: label: Product update link - description: If an update is available where can it be found? + description: Where can the update be found, if one is available? - type: input id: product-last-updated attributes: diff --git a/.github/ISSUE_TEMPLATE/product-update-form.yml b/.github/ISSUE_TEMPLATE/product-update-form.yml index 4e914e1..d32f6fb 100644 --- a/.github/ISSUE_TEMPLATE/product-update-form.yml +++ b/.github/ISSUE_TEMPLATE/product-update-form.yml @@ -63,7 +63,7 @@ body: id: product-update-link attributes: label: Product update link - description: If an update is available where can it be found? + description: Where can the update be found, if one is available? - type: input id: product-last-updated attributes: 
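Review bot: In [PATCH 14/23], the `placeholder: "2021-12-06"` added to `product-last-updated` in both forms suggests YYYY-MM-DD, but the Last Updated cells in the SOFTWARE-LIST.md rows touched elsewhere in this series are written MM/DD/YYYY (`12/21/2021`, `12/23/2021`). State the wanted format in the `description` and decide who converts the value when the row is written, otherwise the table ends up carrying both formats.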
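Review bot: In [PATCH 15/23] (and the matching hunk in [PATCH 09/23]), the dropdown options become `Available` / `Not Available`, while the Update Available column in SOFTWARE-LIST.md is filled with `Yes` / `No` in the rows this series adds and edits. Document the mapping, for example in the `description`, so a submission is transcribed the same way each time. In the update form this dropdown also has no `validations` block, unlike the submission form, so an update issue can leave it unselected; worth confirming that is intended.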
From a00d3da334ac5ef25676399846010ad77cc747cf Mon Sep 17 00:00:00 2001 From: iainDe <96153057+iainDe@users.noreply.github.com> Date: Tue, 28 Dec 2021 14:40:54 -0500 Subject: [PATCH 17/23] Update SOFTWARE-LIST.md --- SOFTWARE-LIST.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index fbbfa7d..63654c0 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2406,8 +2406,9 @@ download | | 12/20/2021 | | Snowflake | | | Not Affected | | [Snowflake Community Link](https://community.snowflake.com/s/article/No-Snowflake-exposure-to-Apache-Log4j-vulnerability-CVE-2021-44228) | | | | | Snyk | Cloud Platform | |Not Affected | | [Snyk Updates](https://updates.snyk.io/snyk%27s-cloud-platform-all-clear-from-log4j-exploits-216499) | | | | | Software AG | | | | | [Software AG](https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849) | | | | -| SolarWinds | Database Performance Analyzer (DPA) | 2021.1.x, 2021.3.x, 2022.1.x | Affected | No | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Database Performance Analyzer (DPA) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228) | Workarounds available, hotfix under development | | 12/14/2021 | -| SolarWinds | Server & Application Monitor (SAM) | SAM 2020.2.6 and later | Affected | No | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | Workarounds available, hotfix under development | | 12/14/2021 | +| SolarWinds | Database Performance Analyzer (DPA) | 2021.1.x, 2021.3.x, 2022.1.x | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Database Performance Analyzer (DPA) and the Apache Log4j Vulnerability 
(CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228) |https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) | For more information, please see the following KB article: [link](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | +| SolarWinds | Orion Platform | Not Affected | | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) | | | 12/23/2021 | +| SolarWinds | Server & Application Monitor (SAM) | SAM 2020.2.6 and later | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | For more information, please see the following KB article for the latest details specific to the SAM hotfix: [link](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | | SonarSource | | | | | [SonarSource](https://community.sonarsource.com/t/sonarqube-and-the-log4j-vulnerability/54721) | | | | | Sonatype | | | | | [Sonatype Vulnerability Statement](https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild) | | | | | SonicWall | Capture Client & Capture Client Portal | | Not Affected | | [Sonic Wall Security Advisory](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Log4j2 not used in the Capture Client. | | 12/12/2021 | 
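Review bot: two of the added SolarWinds rows in this hunk do not match the nine-cell layout of the rows around them. The new Orion Platform row has no version cell, so `Not Affected` sits in the third cell and every later value shifts left by one; add an empty cell after `Orion Platform`. The new Database Performance Analyzer row carries a stray `|https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) |` fragment after the vendor links, which creates a tenth cell and pushes the KB note and the 12/23/2021 date one column to the right; drop the fragment. Separately, both Affected rows change the fifth cell from No to Yes while the "Workarounds available, hotfix under development" note is replaced by a pointer to a KB article; the SAM note at least mentions a hotfix, but the DPA note does not say which update is available, so name the fixed version or hotfix in that cell.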
From 55fb6ebffdc41de834adbba2fff79c5575f86956 Mon Sep 17 00:00:00 2001 From: iainDe <96153057+iainDe@users.noreply.github.com> Date: Tue, 28 Dec 2021 14:47:12 -0500 Subject: [PATCH 18/23] Update SOFTWARE-LIST.md --- SOFTWARE-LIST.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 63654c0..cfc0a7f 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2406,7 +2406,7 @@ download | | 12/20/2021 | | Snowflake | | | Not Affected | | [Snowflake Community Link](https://community.snowflake.com/s/article/No-Snowflake-exposure-to-Apache-Log4j-vulnerability-CVE-2021-44228) | | | | | Snyk | Cloud Platform | |Not Affected | | [Snyk Updates](https://updates.snyk.io/snyk%27s-cloud-platform-all-clear-from-log4j-exploits-216499) | | | | | Software AG | | | | | [Software AG](https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849) | | | | -| SolarWinds | Database Performance Analyzer (DPA) | 2021.1.x, 2021.3.x, 2022.1.x | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Database Performance Analyzer (DPA) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228) |https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) | For more information, please see the following KB article: [link](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | +| SolarWinds | Database Performance Analyzer (DPA) | 2021.1.x, 2021.3.x, 2022.1.x | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Database Performance Analyzer (DPA) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228) | | For more information, please see the following KB article: [link](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | | SolarWinds 
| Orion Platform | Not Affected | | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) | | | 12/23/2021 | | SolarWinds | Server & Application Monitor (SAM) | SAM 2020.2.6 and later | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | For more information, please see the following KB article for the latest details specific to the SAM hotfix: [link](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | | SonarSource | | | | | [SonarSource](https://community.sonarsource.com/t/sonarqube-and-the-log4j-vulnerability/54721) | | | | From 017d143aa56006c027ca3b88c09c03af55293868 Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Wed, 29 Dec 2021 08:28:46 -0500 Subject: [PATCH 19/23] Add space & fix pipe --- SOFTWARE-LIST.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 2390e11..2261fc3 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2403,8 +2403,8 @@ download | | 12/20/2021 | | SmileCDR | | | | | [SmileCDR Blog Post](https://www.smilecdr.com/our-blog/a-statement-on-log4shell-cve-2021-44228) | | | | | Snakemake | Snakemake | 6.12.1 | Not Affected | | [https://snakemake.readthedocs.io/en/stable/](https://snakemake.readthedocs.io/en/stable/) | | | 12/21/2021 | | Sn0m | | | | | [Sn0m Link](https://www.snom.com/en/press/log4j-poses-no-threat-snom-phones/) | | | | -| Snow Software | Snow Commander | 8.1 to 8.10.2 | Fixed | Yes |[Snow Software Commmunity Link](https://community.snowsoftware.com/s/feed/0D5690000B4U6hUCQS) | | | | -| Snow Software | VM Access Proxy | v3.1 to v3.6 " Fixed | Yes | [Snow Software Commmunity Link](https://community.snowsoftware.com/s/feed/0D5690000B4U6hUCQS) | | | | +| Snow Software | Snow Commander | 8.1 to 8.10.2 | Fixed | Yes | [Snow Software Commmunity Link](https://community.snowsoftware.com/s/feed/0D5690000B4U6hUCQS) | | | | +| Snow Software | VM Access Proxy | v3.1 to v3.6 | Fixed | Yes | [Snow Software Commmunity Link](https://community.snowsoftware.com/s/feed/0D5690000B4U6hUCQS) | | | | | Snowflake | | | Not Affected | | [Snowflake Community Link](https://community.snowflake.com/s/article/No-Snowflake-exposure-to-Apache-Log4j-vulnerability-CVE-2021-44228) | | | | | Snyk | Cloud Platform | |Not Affected | | [Snyk Updates](https://updates.snyk.io/snyk%27s-cloud-platform-all-clear-from-log4j-exploits-216499) | | | | | Software AG | | | | | [Software AG](https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849) | | | | From ac87f938621584c398f70cfa3eef0ef4926c7830 Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Wed, 29 Dec 2021 08:58:20 -0500 Subject: [PATCH 20/23] Fix extra & missing pipes --- SOFTWARE-LIST.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index c55d13b..1ff1326 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2417,9 +2417,9 @@ download | | 12/20/2021 | | Snowflake | | | Not Affected | | [Snowflake Community Link](https://community.snowflake.com/s/article/No-Snowflake-exposure-to-Apache-Log4j-vulnerability-CVE-2021-44228) | | | | | Snyk | Cloud Platform | |Not Affected | | [Snyk Updates](https://updates.snyk.io/snyk%27s-cloud-platform-all-clear-from-log4j-exploits-216499) | | | | | Software AG | | | | | [Software AG](https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849) | | | | -| SolarWinds | Database Performance Analyzer (DPA) | 2021.1.x, 2021.3.x, 2022.1.x | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Database Performance Analyzer (DPA) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228) | | For more information, please see the following KB article: [link](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | -| SolarWinds | Orion Platform | Not Affected | | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) | | | 12/23/2021 | -| SolarWinds | Server & Application Monitor (SAM) | SAM 2020.2.6 and later | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) [Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | For more information, please see the following KB article for the latest details specific to the SAM hotfix: 
[link](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | +| SolarWinds | Database Performance Analyzer (DPA) | 2021.1.x, 2021.3.x, 2022.1.x | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228), [Database Performance Analyzer (DPA) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228) | For more information, please see the following KB article: [link](https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | +| SolarWinds | Orion Platform | | Not Affected | | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) | | | 12/23/2021 | +| SolarWinds | Server & Application Monitor (SAM) | SAM 2020.2.6 and later | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228), [Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | For more information, please see the following KB article for the latest details specific to the SAM hotfix: [link](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | | SonarSource | | | | | [SonarSource](https://community.sonarsource.com/t/sonarqube-and-the-log4j-vulnerability/54721) | | | | | Sonatype | | | | | [Sonatype 
Vulnerability Statement](https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild) | | | | | SonicWall | Capture Client & Capture Client Portal | | Not Affected | | [Sonic Wall Security Advisory](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Log4j2 not used in the Capture Client. | | 12/12/2021 | From 22346d167663c4464accedfaf994a11e007f7d2b Mon Sep 17 00:00:00 2001 From: Nick <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 29 Dec 2021 09:54:17 -0500 Subject: [PATCH 21/23] Update input description in the product submission form Update the description for the product version input so that it fully accounts for multiple versions. Co-authored-by: Shane Frasier --- .github/ISSUE_TEMPLATE/product-submission-form.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/product-submission-form.yml b/.github/ISSUE_TEMPLATE/product-submission-form.yml index 37258d7..ebdabe5 100644 --- a/.github/ISSUE_TEMPLATE/product-submission-form.yml +++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml @@ -23,7 +23,7 @@ body: id: product-versions attributes: label: Product version(s) - description: What version(s) of the product are affected? + description: What version(s) of the product is (are) affected? placeholder: v2; 1.5; >3; >=4; >5, <6; etc. validations: required: true From dc94de97432092df829fac8e40793f78c35edd72 Mon Sep 17 00:00:00 2001 From: Maury Cupitt Date: Wed, 29 Dec 2021 10:00:04 -0500 Subject: [PATCH 22/23] Update for Sonatype products --- SOFTWARE-LIST.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index b8a02d9..681ce48 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2423,7 +2423,7 @@ download | | 12/20/2021 | | SolarWinds | Orion Platform | | Not Affected | | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228) | | | 12/23/2021 | | SolarWinds | Server & Application Monitor (SAM) | SAM 2020.2.6 and later | Affected | Yes | [Apache Log4j Critical Vulnerability (CVE-2021-44228)](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228), [Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228)](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | For more information, please see the following KB article for the latest details specific to the SAM hotfix: [link](https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US) | | 12/23/2021 | | SonarSource | | | | | [SonarSource](https://community.sonarsource.com/t/sonarqube-and-the-log4j-vulnerability/54721) | | | | -| Sonatype | | | | | [Sonatype Vulnerability Statement](https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild) | | | | +| Sonatype | All Products | All Versions | Not Affected | N/A | [Sonatype Vulnerability Statement](https://help.sonatype.com/docs/important-announcements/sonatype-product-log4j-vulnerability-status) | Sonatype uses logback as the default logging solution as opposed to log4j. This means our software including Nexus Lifecycle, Nexus Firewall, Nexus Repository OSS and Nexus Repository Pro in versions 2.x and 3.x are NOT affected by the reported log4j vulnerabilities. We still advise keeping your software upgraded at the latest version. 
| | 12/29/2021 | | SonicWall | Capture Client & Capture Client Portal | | Not Affected | | [Sonic Wall Security Advisory](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Log4j2 not used in the Capture Client. | | 12/12/2021 | | SonicWall | Access Points| | Not Affected | | [Security Advisory (sonicwall.com)](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Log4j2 not used in the SonicWall Access Points | | 12/12/2021 | | SonicWall | Analytics | | Under Investigation | | [Security Advisory (sonicwall.com)](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Under Review | | 12/12/2021 | From 7efc19ee68b0c5ac89bb28d5bc4a7562a2075dbc Mon Sep 17 00:00:00 2001 From: LA100ti <96486988+LA100ti@users.noreply.github.com> Date: Wed, 29 Dec 2021 11:41:07 -0500 Subject: [PATCH 23/23] Update SOFTWARE-LIST.md --- SOFTWARE-LIST.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index b8a02d9..c128ead 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -1911,7 +1911,7 @@ This list was initially populated using information from the following sources: | ManageEngine Zoho | Analytics Plus | On-Prem | | | [ManageEngine Vulnerability Impact](https://pitstop.manageengine.com/portal/en/community/topic/update-on-the-recent-apache-log4j2-vulnerability-impact-on-manageengine-on-premises-products-1) | | |12/16/2021| | MariaDB | | | | | [MariaDB Statement](https://mariadb.com/resources/blog/log4shell-and-mariadb-cve-2021-44228/) | | | | | MathWorks | All MathWorks general release desktop or server products | | Not Affected | No | [MathWorks statement regarding CVE-2021-44228](https://www.mathworks.com/matlabcentral/answers/1610640-apache-log4j-vulnerability-cve-2021-44228-how-does-it-affect-matlab-run-time) | | | | -| MathWorks Matlab | | | | | [MathWorks Matlab Statement](https://www.mathworks.com/matlabcentral/answers/1610640-apache-log4j-vulnerability-cve-2021-44228-how-does-it-affect-matlab-run-time) | | | | +| MathWorks | MATLAB | All | Not Affected | No | [MathWorks MATLAB Statement](https://www.mathworks.com/content/dam/mathworks/policies/mathworks-response-to-cve-2021-44228-log4j-vulnerability.pdf) | | | 12/29/2021 | | Matillion | | | | | [Matillion Security Advisory](https://documentation.matillion.com/docs/security-advisory-14th-december-2021) | | | | | Matomo | | | | | [Matomo Statement](https://forum.matomo.org/t/matomo-is-not-concerned-by-the-log4j-security-breach-cve-2021-44228-discovered-on-december-2021-the-9th/44089) | | | | | Mattermost FocalBoard | | | | | [Mattermost FocalBoard Concern](https://forum.mattermost.org/t/log4j-vulnerability-concern/12676) | | | |
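Review bot: in PATCH 18/23, the replacement Database Performance Analyzer row still has one cell too many. The stray URL fragment is gone, but an empty `| |` cell is left in its place between the vendor links and the "For more information" note, so the row has ten cells against nine in the Snowflake and Snyk rows above it, and the note and date remain shifted right. Remove the empty cell rather than blanking it. The Orion Platform row shown as context directly below is also still missing its version cell and could be fixed in the same commit.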
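Review bot: in PATCH 19/23, both rewritten Snow Software rows keep the misspelled link text `Snow Software Commmunity Link` (three m's); since these two lines are being touched anyway, correct it to "Community". Both rows also report a status of Fixed with an empty last-updated cell, unlike the dated rows nearby, so a reader cannot tell when the status was confirmed; add the date the vendor statement was checked.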
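Review bot: in PATCH 21/23, the new description on the `product-versions` input, `What version(s) of the product is (are) affected?`, is harder to read than the line it replaces and still only asks about affected versions. The list this form feeds also records Not Affected and Fixed entries, where the version cell describes the versions the status applies to. A wording such as "Which version(s) of the product does this status apply to?" would cover the plural case without the "is (are)" construction and would match how the version column is used.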
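Review bot: in PATCH 22/23, the scope claimed by the new Sonatype row is wider than what its note supports. The row says `All Products | All Versions | Not Affected`, while the note only names Nexus Lifecycle, Nexus Firewall, Nexus Repository OSS and Nexus Repository Pro in versions 2.x and 3.x; either list those products as separate rows or confirm against the linked status page that every product is covered. The note is also pasted in the vendor's first person ("our software", "We still advise"), and the fifth cell uses `N/A` where other rows use Yes, No or blank; rephrase the note in the list's neutral voice and use one of the existing values so the column stays filterable.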
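Review bot: in PATCH 23/23, the rewritten MATLAB row now overlaps the unchanged row directly above it, `MathWorks | All MathWorks general release desktop or server products`, which already carries Not Affected and No. After this change the two rows cite different sources (the MATLAB Answers thread and the new PDF) and only the MATLAB row has a date. Either fold MATLAB into the existing row and update that row's link and date to 12/29/2021, or update the general row in the same commit so the two entries do not drift apart.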