r3pek
/
log4j-affected-db
mirror of https://github.com/cisagov/log4j-affected-db
1
0
Fork 0
Code Releases Activity

Merge pull request #113 from cisagov/improvement/integrate_linting

Browse Source 
Add `pre-commit` linting with GitHub Actions support
pull/120/head
justmurphy 2 years ago committed by GitHub
parent facf89a587 8ce938f3c0
commit 633ef20863
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 526 additions and 59 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 13
      .github/CODEOWNERS
  2. 34
      .github/ISSUE_TEMPLATE/product-submission-template.md
  3. 1
      .github/SECURITY.md
  4. 18
      .github/dependabot.yml
  5. 42
      .github/workflows/build.yml
  6. 8
      .gitignore
  7. 50
      .mdl_config.yaml
  8. 48
      .pre-commit-config.yaml
  9. 7
      .prettierignore
  10. 7
      .yamllint
  11. 154
      CONTRIBUTING.md
  12. 116
      LICENSE
  13. 87
      README.md

13
.github/CODEOWNERS
Unescape View File

@ -0,0 +1,13 @@
# Each line is a file pattern followed by one or more owners.
# These owners will be the default owners for everything in the
# repo. Unless a later match takes precedence, these owners will be
# requested for review when someone opens a pull request.
* @ChrisSCISA @justmurphy @KwadwoBCISA
# These folks own any dot-files in the repository.
.* @dav3r @felddy @jsf9k @mcdonnnj
# These folks own any files in the .github directory at the root of
# the repository and any of its subdirectories.
/.github/ @dav3r @felddy @jsf9k @mcdonnnj

34
.github/ISSUE_TEMPLATE/product-submission-template.md
Unescape View File

@ -1,35 +1,27 @@
---
name: Product Submission Template
about: Template for product submissions of all publicly available information and
vendor-supplied advisories regarding the log4j vulnerability.
title: ''
labels: ''
assignees: ''
---
about: Template for product submissions of all publicly available information
and vendor-supplied advisories regarding the log4j vulnerability.
---
name: Software Product Submission Template
about: Schema for product submission for log4j vulnerability.
# Submission Template #
---
# Submission Template
Please provide the following information.
Please provide the following information.
- Vendor Name
- Product Name
- Version(s) affected
- Status: Please choose from one of the following (Unknown/Affected/Not Affected/Fixed/Under Investigation).
- Update Available: Yes or No (If Yes, please provide link to information)
- Status: Please choose from one of the following - Unknown, Affected,
Not Affected, Fixed, and Under Investigation.
- Update Available: Yes or No (If Yes, please provide link to information)
- Notes
- References
- Last Updated: Date of last update
- Last Updated: Date of last update
For questions about choice for status, please see the information below.
- Unknown - Status unknown. Default choice.
- Unknown - Status unknown. Default choice.
- Affected - Reported to be affected by CVE-2021-44228.
- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no further action necessary.
- Fixed - Patch and/or mitigations available (see provided links).
- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no further
action necessary.
- Fixed - Patch and/or mitigations available (see provided links).
- Under Investigation - Vendor investigating status.

1
.github/SECURITY.md
Unescape View File

@ -1 +0,0 @@

18
.github/dependabot.yml
Unescape View File

@ -0,0 +1,18 @@
---
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
- package-ecosystem: "terraform"
directory: "/"
schedule:
interval: "weekly"

42
.github/workflows/build.yml
Unescape View File

@ -0,0 +1,42 @@
---
name: build
on:
push:
pull_request:
repository_dispatch:
types: [apb]
env:
PIP_CACHE_DIR: ~/.cache/pip
PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- id: setup-python
uses: actions/setup-python@v2
with:
python-version: "3.10"
- uses: actions/cache@v2
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}"
with:
path: |
${{ env.PIP_CACHE_DIR }}
${{ env.PRE_COMMIT_CACHE_DIR }}
key: "${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/.pre-commit-config.yaml') }}"
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip setuptools wheel
pip install --upgrade pre-commit
- name: Set up pre-commit hook environments
run: pre-commit install-hooks
- name: Run pre-commit on all files
run: pre-commit run --all-files

8
.gitignore vendored
Unescape View File

@ -0,0 +1,8 @@
# This file specifies intentionally untracked files that Git should ignore.
# Files already tracked by Git are not affected.
# See: https://git-scm.com/docs/gitignore
## Python ##
__pycache__
.mypy_cache
.python-version

50
.mdl_config.yaml
Unescape View File

@ -0,0 +1,50 @@
---
# Default state for all rules
default: true
# MD003/heading-style/header-style - Heading style
MD003:
# Enforce the ATX-closed style of header
style: "atx_closed"
# MD004/ul-style - Unordered list style
MD004:
# Enforce dashes for unordered lists
style: "dash"
# MD013/line-length - Line length
MD013:
# Do not enforce for code blocks
code_blocks: false
# Do not enforce for tables
tables: false
# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the
# same content
MD024:
# Allow headers with the same content as long as they are not in the same
# parent heading
allow_different_nesting: true
# MD029/ol-prefix - Ordered list item prefix
MD029:
# Enforce the `1.` style for ordered lists
style: "one"
# MD033/no-inline-html - Inline HTML
MD033:
# The h1 and img elements are allowed to permit header images
allowed_elements:
- h1
- img
# MD035/hr-style - Horizontal rule style
MD035:
# Enforce dashes for horizontal rules
style: "---"
# MD046/code-block-style Code block style
MD046:
# Enforce the fenced style for code blocks
style: "fenced"

48
.pre-commit-config.yaml
Unescape View File

@ -0,0 +1,48 @@
---
default_language_version:
# force all unspecified python hooks to run python3
python: python3
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.0.1
hooks:
- id: check-case-conflict
- id: check-executables-have-shebangs
- id: check-json
- id: check-merge-conflict
- id: check-toml
- id: check-xml
- id: debug-statements
- id: detect-aws-credentials
args:
- --allow-missing-credentials
- id: detect-private-key
- id: end-of-file-fixer
exclude: files/(issue|motd)
- id: mixed-line-ending
args:
- --fix=lf
- id: pretty-format-json
args:
- --autofix
- id: requirements-txt-fixer
- id: trailing-whitespace
# Text file hooks
- repo: https://github.com/igorshubovych/markdownlint-cli
rev: v0.30.0
hooks:
- id: markdownlint
args:
- --config=.mdl_config.yaml
- repo: https://github.com/pre-commit/mirrors-prettier
rev: v2.5.1
hooks:
- id: prettier
- repo: https://github.com/adrienverge/yamllint
rev: v1.26.3
hooks:
- id: yamllint
args:
- --strict

7
.prettierignore
Unescape View File

@ -0,0 +1,7 @@
# Already being linted by pretty-format-json
*.json
# Already being linted by mdl
*.md
# Already being linted by yamllint
*.yaml
*.yml

7
.yamllint
Unescape View File

@ -0,0 +1,7 @@
---
extends: default
rules:
# yamllint doesn't like when we use yes and no for true and false,
# but that's pretty standard in Ansible.
truthy: disable

154
CONTRIBUTING.md
Unescape View File

@ -0,0 +1,154 @@
# Welcome #
We're so glad you're thinking about contributing to this open source
project! If you're unsure or afraid of anything, just ask or submit
the issue or pull request anyway. The worst that can happen is that
you'll be politely asked to change something. We appreciate any sort
of contribution, and don't want a wall of rules to get in the way of
that.
Before contributing, we encourage you to read our CONTRIBUTING policy
(you are here), our [LICENSE](LICENSE), and our [README](README.md),
all of which should be in this repository.
## Issues ##
If you want to report a bug or request a new feature, the most direct
method is to [create an
issue](https://github.com/cisagov/log4j-affected-db/issues) in this
repository. We recommend that you first search through existing
issues (both open and closed) to check if your particular issue has
already been reported. If it has then you might want to add a comment
to the existing issue. If it hasn't then feel free to create a new
one.
## Pull requests ##
If you choose to [submit a pull
request](https://github.com/cisagov/log4j-affected-db/pulls), you will
notice that our continuous integration (CI) system runs a fairly
extensive set of linters and syntax checkers. Your pull request may
fail these checks, and that's OK. If you want you can stop there and
wait for us to make the necessary corrections to ensure your code
passes the CI checks.
If you want to make the changes yourself, or if you want to become a
regular contributor, then you will want to set up
[pre-commit](https://pre-commit.com/) on your local machine. Once you
do that, the CI checks will run locally before you even write your
commit message. This speeds up your development cycle considerably.
### Setting up pre-commit ###
There are a few ways to do this, but we prefer to use
[`pyenv`](https://github.com/pyenv/pyenv) and
[`pyenv-virtualenv`](https://github.com/pyenv/pyenv-virtualenv) to
create and manage a Python virtual environment specific to this
project.
#### Installing and using `pyenv` and `pyenv-virtualenv` ####
On the Mac, we recommend installing [brew](https://brew.sh/). Then
installation is as simple as `brew install pyenv pyenv-virtualenv` and
adding this to your profile:
```bash
export PYENV_ROOT="$HOME/.pyenv"
export PATH="$PYENV_ROOT/bin:$PATH"
eval "$(pyenv init --path)"
eval "$(pyenv init -)"
eval "$(pyenv virtualenv-init -)"
```
For Linux, Windows Subsystem for Linux (WSL), or on the Mac (if you
don't want to use `brew`) you can use
[pyenv/pyenv-installer](https://github.com/pyenv/pyenv-installer) to
install the necessary tools. Before running this ensure that you have
installed the prerequisites for your platform according to the
[`pyenv` wiki
page](https://github.com/pyenv/pyenv/wiki/common-build-problems).
On WSL you should treat your platform as whatever Linux distribution
you've chosen to install.
Once you have installed `pyenv` you will need to add the following
lines to your `.bash_profile` (or `.profile`):
```bash
export PYENV_ROOT="$HOME/.pyenv"
export PATH="$PYENV_ROOT/bin:$PATH"
eval "$(pyenv init --path)"
```
and then add the following lines to your `.bashrc`:
```bash
eval "$(pyenv init -)"
eval "$(pyenv virtualenv-init -)"
```
If you want more information about setting up `pyenv` once installed, please run
```console
pyenv init
```
and
```console
pyenv virtualenv-init
```
for the current configuration instructions.
If you are using a shell other than `bash` you should follow the
instructions that the `pyenv-installer` script outputs.
You will need to reload your shell for these changes to take effect so
you can begin to use `pyenv`.
For a list of Python versions that are already installed and ready to
use with `pyenv`, use the command `pyenv versions`. To see a list of
the Python versions available to be installed and used with `pyenv`
use the command `pyenv install --list`. You can read more
[here](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md) about
the many things that `pyenv` can do. See
[here](https://github.com/pyenv/pyenv-virtualenv#usage) for the
additional capabilities that pyenv-virtualenv adds to the `pyenv`
command.
#### Creating the Python virtual environment ####
Once `pyenv` and `pyenv-virtualenv` are installed on your system, you
can create and configure the Python virtual environment with these
commands:
```console
cd log4j-affected-db
pyenv virtualenv <python_version_to_use> log4j-affected-db
pyenv local log4j-affected-db
pip install --upgrade pip setuptools wheel pre-commit
```
#### Installing the pre-commit hook ####
Now setting up pre-commit is as simple as:
```console
pre-commit install
```
At this point the pre-commit checks will run against any files that
you attempt to commit. If you want to run the checks against the
entire repo, just execute `pre-commit run --all-files`.
## Public domain ##
This project is in the public domain within the United States, and
copyright and related rights in the work worldwide are waived through
the [CC0 1.0 Universal public domain
dedication](https://creativecommons.org/publicdomain/zero/1.0/).
All contributions to this project will be released under the CC0
dedication. By submitting a pull request, you are agreeing to comply
with this waiver of copyright interest.

116
LICENSE
Unescape View File

@ -0,0 +1,116 @@
CC0 1.0 Universal
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator and
subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for the
purpose of contributing to a commons of creative, cultural and scientific
works ("Commons") that the public can reliably and without fear of later
claims of infringement build upon, modify, incorporate in other works, reuse
and redistribute as freely as possible in any form whatsoever and for any
purposes, including without limitation commercial purposes. These owners may
contribute to the Commons to promote the ideal of a free culture and the
further production of creative, cultural and scientific works, or to gain
reputation or greater distribution for their Work in part through the use and
efforts of others.
For these and/or other purposes and motivations, and without any expectation
of additional consideration or compensation, the person associating CC0 with a
Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
and publicly distribute the Work under its terms, with knowledge of his or her
Copyright and Related Rights in the Work and the meaning and intended legal
effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not limited
to, the following:
i. the right to reproduce, adapt, distribute, perform, display, communicate,
and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or likeness
depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data in
a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation thereof,
including any amended or successor version of such directive); and
vii. other similar, equivalent or corresponding rights throughout the world
based on applicable law or treaty, and any national implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention of,
applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
and Related Rights and associated claims and causes of action, whether now
known or unknown (including existing as well as future claims and causes of
action), in the Work (i) in all territories worldwide, (ii) for the maximum
duration provided by applicable law or treaty (including future time
extensions), (iii) in any current or future medium and for any number of
copies, and (iv) for any purpose whatsoever, including without limitation
commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
the Waiver for the benefit of each member of the public at large and to the
detriment of Affirmer's heirs and successors, fully intending that such Waiver
shall not be subject to revocation, rescission, cancellation, termination, or
any other legal or equitable action to disrupt the quiet enjoyment of the Work
by the public as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason be
judged legally invalid or ineffective under applicable law, then the Waiver
shall be preserved to the maximum extent permitted taking into account
Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
is so judged Affirmer hereby grants to each affected person a royalty-free,
non transferable, non sublicensable, non exclusive, irrevocable and
unconditional license to exercise Affirmer's Copyright and Related Rights in
the Work (i) in all territories worldwide, (ii) for the maximum duration
provided by applicable law or treaty (including future time extensions), (iii)
in any current or future medium and for any number of copies, and (iv) for any
purpose whatsoever, including without limitation commercial, advertising or
promotional purposes (the "License"). The License shall be deemed effective as
of the date CC0 was applied by Affirmer to the Work. Should any part of the
License for any reason be judged legally invalid or ineffective under
applicable law, such partial invalidity or ineffectiveness shall not
invalidate the remainder of the License, and in such case Affirmer hereby
affirms that he or she will not (i) exercise any of his or her remaining
Copyright and Related Rights in the Work or (ii) assert any associated claims
and causes of action with respect to the Work, in either case contrary to
Affirmer's express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or warranties
of any kind concerning the Work, express, implied, statutory or otherwise,
including without limitation warranties of title, merchantability, fitness
for a particular purpose, non infringement, or the absence of latent or
other defects, accuracy, or the present or absence of errors, whether or not
discoverable, all to the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without limitation
any person's Copyright and Related Rights in the Work. Further, Affirmer
disclaims responsibility for obtaining any necessary consents, permissions
or other rights required for any use of the Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to this
CC0 or use of the Work.
For more information, please see
<http://creativecommons.org/publicdomain/zero/1.0/>

87
README.md
Unescape View File

@ -1,46 +1,60 @@
# CISA Log4j (CVE-2021-44228) Vulnerability Guidance
# CISA Log4j (CVE-2021-44228) Vulnerability Guidance #
This repository provides CISA's guidance and an overview of related software
regarding the Log4j vulnerability (CVE-2021-44228). CISA encourages users and
administrators to review the
[official Apache release](https://logging.apache.org/log4j/2.x/security.html)
and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.
## Official CISA Guidance & Resources ##
- [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
- [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability).
## CISA Current Activity Alerts ##
- [Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce)
- [CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/13/cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228)
This repository provides CISA's guidance and an overview of related software regarding the Log4j vulnerability (CVE-2021-44228). CISA encourages users and administrators to review the [official Apache release](https://logging.apache.org/log4j/2.x/security.html) and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.
</br>
</br>
**Official CISA Guidance & Resources:**
</br>
Webpage: [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
</br>
CISA Director Jen Easterly's Statement: [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability).
</br> CISA Current Activity Alerts:
</br>
[Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce)
</br>
[CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/13/cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228)
</br>
National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
</br>
</br>
CISA will maintain a list of all publicly available information and vendor-supplied advisories regarding the Log4j vulnerability. This list is not a full list and will be updated continuously. If you have any additional information to share relevant to the Log4j vulnerability, please feel free to open an issue [here](https://github.com/cisagov/log4j-affected-db/issues). We have a template available for your submission. Please also feel free to submit a pull request.
# Mitigation Guidance
CISA urges organizations operating products marked as "Fixed" to immediately implement listed patches/mitigations [here](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance).
CISA will maintain a list of all publicly available information and
vendor-supplied advisories regarding the Log4j vulnerability. This list is not
a full list and will be updated continuously. If you have any additional
information to share relevant to the Log4j vulnerability, please feel free to
open an issue [here](https://github.com/cisagov/log4j-affected-db/issues). We
have a template available for your submission. Please also feel free to submit
a pull request.
CISA urges organizations operating products marked as "Not Fixed" to immediately implement alternate controls, including:
* Install a WAF with rules that automatically update.
* Set log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=True to the Java Virtual Machine command for starting your application.
* Ensure that any alerts from a vulnerable device are immediately actioned.
* Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report).
## Mitigation Guidance ##
# Status Descriptions
CISA urges organizations operating products marked as "Fixed" to immediately
implement listed patches/mitigations [here](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance).
CISA urges organizations operating products marked as "Not Fixed" to immediately
implement alternate controls, including:
- Install a WAF with rules that automatically update.
- Set `log4j2.formatMsgNoLookups` to true by adding `-Dlog4j2.formatMsgNoLookups=True`
to the Java Virtual Machine command for starting your application.
- Ensure that any alerts from a vulnerable device are immediately actioned.
- Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report).
## Status Descriptions ##
|Status| Description |
|------|-------------|
| Unknown | Status unknown. Default choice. |
| Unknown | Status unknown. Default choice. |
| Affected| Reported to be affected by CVE-2021-44228. |
| Not Affected | Reported to NOT be affected by CVE-2021-44228 and no further action necessary. |
| Fixed | Patch and/or mitigations available (see provided links). |
| Fixed | Patch and/or mitigations available (see provided links). |
| Under Investigation | Vendor investigating status. |
# Software List
## Software List ##
This list was initially populated using information from the following sources: Kevin Beaumont.
This list was initially populated using information from the following sources:
- Kevin Beaumont
| Vendor | Product| Version(s)| Status| Update available| Vendor link | Notes | Other References | Last Updated |
| ------ | -------------------- | ---- | ----- | --------------- | ----------- | ----- | ---------------- | ------------ |
@ -147,7 +161,7 @@ This list was initially populated using information from the following sources:
| Broadcom | Symantec Mail Security for Microsoft Exchange (SMSMSE) | | Under Investigation | | [Broadcom Support Portal](https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793) | | | |
| Broadcom | Symantec Messaging Gateway (SMG) | | Under Investigation | | [Broadcom Support Portal](https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793) | | | |
| Broadcom | Symantec Protection Engine (SPE) | | Under Investigation | | [Broadcom Support Portal](https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793) | | | |
| Broadcom | Symantec Protection for SharePoint Servers (SPSS) | | Under Investigation | | [Broadcom Support Portal](https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793) | | | |
| Broadcom | Symantec Protection for SharePoint Servers (SPSS) | | Under Investigation | | [Broadcom Support Portal](https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793) | | | |
| Broadcom | VIP Authentication Hub | | Under Investigation | | [Broadcom Support Portal](https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793) | | | |
| Broadcom | Web Isolation (WI) | | Under Investigation | | [Broadcom Support Portal](https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793) | | | |
| Broadcom | Web Security Service (WSS) | | Under Investigation | | [Broadcom Support Portal](https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793) | | | |
@ -212,7 +226,7 @@ This list was initially populated using information from the following sources:
| Cisco | Cisco Policy Suite | | Under Investigation | | [Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) | | | |
| Cisco | Cisco Prime Central for Service Providers | | Under Investigation | | [Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) | | | |
| Cisco | Cisco Prime Collaboration Manager | | Under Investigation | | [Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) | | | |
| Cisco | Cisco Prime Collaboration Provisioning | | Under Investigation | | [Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) | | | |
| Cisco | Cisco Prime Collaboration Provisioning | | Under Investigation | | [Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) | | | |
| Cisco | Cisco Prime Infrastructure | | Under Investigation | | [Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) | | | |
| Cisco | Cisco Prime License Manager | | Under Investigation | | [Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) | | | |
| Cisco | Cisco Prime Network | | Under Investigation | | [Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) | | | |
@ -296,7 +310,7 @@ This list was initially populated using information from the following sources:
| Cloudera | CDP Private Cloud Base | Only version 7.x | Affected | | [https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019](https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019) | | | |
| Cloudera | Cloudera Manager (Including Backup Disaster Recovery (BDR) and Replication Manager) | All versions | Affected | | [https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019](https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019) | | | |
| Cloudera | Cloudera Data Warehouse (CDW) | All versions | Affected | | [https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019](https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019) | | | |
| Cloudera | Cloudera Machine Learning (CML) | All versions | Affected | | [https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019](https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019) | | | |
| Cloudera | Cloudera Machine Learning (CML) | All versions | Affected | | [https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019](https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019) | | | |
| Cloudera | Cloudera Data Engineering (CDE) | All versions | Affected | | [https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019](https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019) | | | |
| Cloudera | Management Console | All versions| Affected | | [https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019](https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019) | | | |
| Cloudera | Workload XM | All versions | Affected | | [https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019](https://my.cloudera.com/knowledge/TSB-2021-545-Critical-vulnerability-in-log4j2-CVE-2021-44228?id=332019) | | | |
@ -373,7 +387,7 @@ This list was initially populated using information from the following sources:
| Fortinet | FortiSwitch & FortiSwitchManager | | Not Affected | | [PSIRT Advisories FortiGuard](https://www.fortiguard.com/psirt/FG-IR-21-245) | | | |
| Fortinet | FortiToken Cloud | | Not Affected | | [PSIRT Advisories FortiGuard](https://www.fortiguard.com/psirt/FG-IR-21-245) | | | |
| Fortinet | FortiVoice | | Not Affected | | [PSIRT Advisories FortiGuard](https://www.fortiguard.com/psirt/FG-IR-21-245) | | | |
| Fortinet | FortiWeb Cloud | | Not Affected | | [PSIRT Advisories FortiGuard](https://www.fortiguard.com/psirt/FG-IR-21-245) | | ||
| Fortinet | FortiWeb Cloud | | Not Affected | | [PSIRT Advisories FortiGuard](https://www.fortiguard.com/psirt/FG-IR-21-245) | | ||
| FusionAuth | FusionAuth | 1.32 | Not Affected | | [log4j CVE: How it affects FusionAuth (TLDR: It doesn't) - FusionAuth](https://fusionauth.io/blog/2021/12/10/log4j-fusionauth/) | | | |
| Gradle | Gradle | | Not Affected | No | [Gradle Blog - Dealing with the critical Log4j vulnerability](https://blog.gradle.org/log4j-vulnerability) | Gradle Scala Compiler Plugin depends upon log4j-core but it is not used. | | |
| Gradle | Gradle Enterprise | < 2021.3.6 | Affected | Yes | [Gradle Enterprise Security Advisories - Remote code execution vulnerability due to use of Log4j2](https://security.gradle.com/advisory/2021-11) | | | |
@ -395,7 +409,7 @@ This list was initially populated using information from the following sources:
| McAfee | Network Security Manager (NSM) | | Under Investigation | | | | | |
| McAfee | Network Security Platform (NSP) | | Under Investigation | | | | | |
| McAfee | Threat Intelligence Exchange (TIE) | | Under Investigation | | | | | |
| Microsoft | Azure Data lake store java | < 2.3.10 | Affected | | [azure-data-lake-store-java/CHANGES.md at ed5d6304783286c3cfff0a1dee457a922e23ad48 · Azure/azure-data-lake-store-java · GitHub](https://github.com/Azure/azure-data-lake-store-java/blob/ed5d6304783286c3cfff0a1dee457a922e23ad48/CHANGES.md#version-2310) | | | |
| Microsoft | Azure Data lake store java | < 2.3.10 | Affected | | [azure-data-lake-store-java/CHANGES.md at ed5d6304783286c3cfff0a1dee457a922e23ad48 · Azure/azure-data-lake-store-java · GitHub](https://github.com/Azure/azure-data-lake-store-java/blob/ed5d6304783286c3cfff0a1dee457a922e23ad48/CHANGES.md#version-2310) | | | |
| MongoDB | MongoDB Atlas Search | | Affected | yes | [https://www.mongodb.com/blog/post/log4shell-vulnerability-cve-2021-44228-and-mongodb](https://www.mongodb.com/blog/post/log4shell-vulnerability-cve-2021-44228-and-mongodb) | | | |
| MongoDB | All other components of MongoDB Atlas (including Atlas Database, Data Lake, Charts) | | Not Affected | | [https://www.mongodb.com/blog/post/log4shell-vulnerability-cve-2021-44228-and-mongodb](https://www.mongodb.com/blog/post/log4shell-vulnerability-cve-2021-44228-and-mongodb) | | | |
| MongoDB | MongoDB Enterprise Advanced (including Enterprise Server, Ops Manager, Enterprise Kubernetes Operators) | | Not Affected | | [https://www.mongodb.com/blog/post/log4shell-vulnerability-cve-2021-44228-and-mongodb](https://www.mongodb.com/blog/post/log4shell-vulnerability-cve-2021-44228-and-mongodb) | | | |
@ -488,7 +502,7 @@ This list was initially populated using information from the following sources:
| SonicWall | CAS | | Under Investigation | | [Security Advisory (sonicwall.com)](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Under Review | | 12/12/2021 |
| SonicWall | WAF | | Under Investigation | | [Security Advisory (sonicwall.com)](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032) | Under Review | | 12/12/2021 |
| Sophos | Sophos Mobile EAS Proxy | < 9.7.2 | Affected | No | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | The Sophos Mobile EAS Proxy, running in Traffic Mode, is affected. Customers will need to download and install version 9.7.2, available from Monday December 13, 2021, on the same machine where it is currently running. PowerShell mode is not affected. Customers can download the Standalone EAS Proxy Installer version 9.7.2 from the Sophos website. | | 12/12/2021 |
| Sophos | Cloud Optix | | Fixed | | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | Users may have noticed a brief outage around 12:30 GMT as updates were deployed.<br>There was no evidence that the vulnerability was exploited and to our knowledge no customers are impacted. | | 12/12/2021 |
| Sophos | Cloud Optix | | Fixed | | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | Users may have noticed a brief outage around 12:30 GMT as updates were deployed. There was no evidence that the vulnerability was exploited and to our knowledge no customers are impacted. | | 12/12/2021 |
| Sophos | Sophos Firewall (all versions) | | Not Affected | | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | Sophos Firewall does not use Log4j. | | 12/12/2021 |
| Sophos | SG UTM (all versions) | | Not Affected | | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | Sophos SG UTM does not use Log4j. | | 12/12/2021 |
| Sophos | SG UTM Manager (SUM) (all versions) | All versions | Not Affected | | [Advisory: Log4J zero-day vulnerability AKA Log4Shell (CVE-2021-44228) Sophos](https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce) | SUM does not use Log4j. | | 12/12/2021 |
@ -548,4 +562,3 @@ This list was initially populated using information from the following sources:
| VMware | VMware Workspace ONE Access Connector (VMware Identity Manager Connector) | 21.x, 20.10.x, 19.03.0.1 | Affected | No | [VMSA-2021-0028.1 (vmware.com)](https://www.vmware.com/security/advisories/VMSA-2021-0028.html) | | | 12/12/2021 |
| VMware | VMware Horizon DaaS | 9.1.x, 9.0.x | Affected | No | [VMSA-2021-0028.1 (vmware.com)](https://www.vmware.com/security/advisories/VMSA-2021-0028.html) | | | 12/12/2021 |
| VMware | VMware Horizon Cloud Connector | 1.x, 2.x | Affected | Yes | [VMSA-2021-0028.1 (vmware.com)](https://www.vmware.com/security/advisories/VMSA-2021-0028.html) | | | 12/12/2021 |

Write Preview
Loading…
Cancel
Save