From a9091cacf82f9fbb12712ad3d517e0141719faba Mon Sep 17 00:00:00 2001 From: rajendrapshrestha Date: Thu, 23 Dec 2021 13:53:24 -0500 Subject: [PATCH 1/7] Update SOFTWARE-LIST.md Adding entries for Oracle Exadata and Oracle Enterprise Manager --- SOFTWARE-LIST.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 7d3fb15..aef8453 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md @@ -2054,6 +2054,8 @@ download | | 12/20/2021 | | OpenNMS | | | | | [OpenNMS Link](https://www.opennms.com/en/blog/2021-12-10-opennms-products-affected-by-apache-log4j-vulnerability-cve-2021-44228/) | | | | | OpenSearch | | | | | [OpenSearch Discussion Link](https://discuss.opendistrocommunity.dev/t/log4j-patch-for-cve-2021-44228/7950) | | | | | Oracle | | | Affected | | [Oracle Security Alert](https://www.oracle.com/security-alerts/alert-cve-2021-44228.html) [My Oracle Support Document](https://support.oracle.com/rs?type=doc&id=2827611.1) | The support document is available to customers only and has not been reviewed by CISA | | 12/17/2021 | +| Oracle | Exadata | | Affected | | | | | | +| Oracle | Enterprise Manager | | Affected | | | | | | | Orgavision | | | | | [Orgavision Link](https://www.orgavision.com/neuigkeiten/sicherheitsluecke-java-library-log4j) | | | | | Osirium | PAM | | Not Affected | | [Osirium statement](https://www.osirium.com/blog/apache-log4j-vulnerability) | | | | | Osirium | PEM | | Not Affected | | [Osirium statement](https://www.osirium.com/blog/apache-log4j-vulnerability) | | | | From 2a508bf2dbac00fa4a62bdc2fe4b9cc69831d548 Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Wed, 29 Dec 2021 15:00:34 -0500 Subject: [PATCH 2/7] Update SOFTWARE-LIST.md --- SOFTWARE-LIST.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index ea0f410..f02d88f 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -359,7 +359,7 @@ This list was initially populated using information from the following sources: | Check Point | CloudGuard | All | Not Affected | | [sk176865](https://supportcontent.checkpoint.com/solutions?id=sk176865) | | | | | Check Point | Harmony Endpoint & Harmony Mobile | All | Not Affected | | [sk176865](https://supportcontent.checkpoint.com/solutions?id=sk176865) | | | | | Check Point | Infinity Portal | | Not Affected | | [sk176865](https://supportcontent.checkpoint.com/solutions?id=sk176865) | | | | -| Check Point | Quantum Security Gateway | All | Not Affected | | [sk176865](https://supportcontent.checkpoint.com/solutions?id=sk176865) | | | +| Check Point | Quantum Security Gateway | All | Not Affected | | [sk176865](https://supportcontent.checkpoint.com/solutions?id=sk176865) | | | | | Check Point | Quantum Security Management | All | Not Affected | | [sk176865](https://supportcontent.checkpoint.com/solutions?id=sk176865) | Where used, uses the 1.8.0\_u241 version of the JRE that protects against this attack by default. | | | | Check Point | SMB | All | Not Affected | | [sk176865](https://supportcontent.checkpoint.com/solutions?id=sk176865) | | | | | Check Point | ThreatCloud | | Not Affected | | [sk176865](https://supportcontent.checkpoint.com/solutions?id=sk176865) | | | | 
@@ -1206,7 +1206,7 @@ This list was initially populated using information from the following sources: | Google Cloud | Cloud Natural Language API | | Not Affected | | [https://cloud.google.com/log4j2-security-advisory](https://cloud.google.com/log4j2-security-advisory) | Product does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046. | | 12/21/2021 | | Google Cloud | Cloud Profiler | | Not Affected | | [https://cloud.google.com/log4j2-security-advisory](https://cloud.google.com/log4j2-security-advisory) | Product does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046. | | 12/21/2021 | | Google Cloud | Cloud Router | | Not Affected | | [https://cloud.google.com/log4j2-security-advisory](https://cloud.google.com/log4j2-security-advisory) | Product does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046. | | 12/20/2021 | -| Google Cloud | Cloud Run | | [https://cloud.google.com/log4j2-security-advisory](https://cloud.google.com/log4j2-security-advisory) | Product does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046. Customers may have introduced a separate logging solution that uses Log4j 2. We strongly encourage customers who manage Cloud Run environments to identify components dependent on Log4j 2 and update them to the latest version. | | 12/21/2021 | +| Google Cloud | Cloud Run | | Not Affected | | [https://cloud.google.com/log4j2-security-advisory](https://cloud.google.com/log4j2-security-advisory) | Product does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046. Customers may have introduced a separate logging solution that uses Log4j 2. We strongly encourage customers who manage Cloud Run environments to identify components dependent on Log4j 2 and update them to the latest version. 
| | 12/21/2021 | | Google Cloud | Cloud Run for Anthos | | Not Affected | | [https://cloud.google.com/log4j2-security-advisory](https://cloud.google.com/log4j2-security-advisory) | Product does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046. Customers may have introduced a separate logging solution that uses Log4j 2. We strongly encourage customers who manage Cloud Run for Anthos environments to identify components dependent on Log4j 2 and update them to the latest version. | | 12/21/2021 | | Google Cloud | Cloud SDK | | Not Affected | | [https://cloud.google.com/log4j2-security-advisory](https://cloud.google.com/log4j2-security-advisory) | Product does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046. | | 12/21/2021 | | Google Cloud | Cloud SQL | | Not Affected | | [https://cloud.google.com/log4j2-security-advisory](https://cloud.google.com/log4j2-security-advisory) | Product does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046. | | 12/19/2021 | 
@@ -1897,7 +1897,7 @@ This list was initially populated using information from the following sources: | MailStore | | | | | [MailStore Statement](https://www.mailstore.com/en/blog/mailstore-affected-by-log4shell/) | | | | | Maltego | | | | | [Maltego Response to Logj4](https://www.maltego.com/blog/our-response-to-log4j-cve-2021-44228/) | | | | | ManageEngine | Servicedesk Plus | 11305 and below | Affected | | [Manage Engine Advisory](https://www.manageengine.com/products/service-desk/security-response-plan.html) | | | 12/15/2021 | -| ManageEngine | AD SelfService Plus | Build 6.1 build 6114 | Not Affected | | | | 12/27/21 | +| ManageEngine | AD SelfService Plus | Build 6.1 build 6114 | Not Affected | | | | | 12/27/21 | | ManageEngine Zoho | | | | | [Manage Engine Link](https://pitstop.manageengine.com/portal/en/community/topic/log4j-ad-manager-plus) | | | | | ManageEngine Zoho | ADManager Plus | On-Prem | | | [ManageEngine Vulnerability Impact](https://pitstop.manageengine.com/portal/en/community/topic/update-on-the-recent-apache-log4j2-vulnerability-impact-on-manageengine-on-premises-products-1) | | |12/16/2021| | ManageEngine Zoho | ADAudit Plus | On-Prem | | | [ManageEngine Vulnerability Impact](https://pitstop.manageengine.com/portal/en/community/topic/update-on-the-recent-apache-log4j2-vulnerability-impact-on-manageengine-on-premises-products-1) | | |12/16/2021| 
@@ -2012,8 +2012,7 @@ This list was initially populated using information from the following sources: | Nulab | Typetalk | N/A (SaaS) | Fixed | | [Nulab Blog Post](https://nulab.com/blog/company-news/log4shell/) | | | | | Nutanix | AHV | All | Not Affected | | [Nutanix Security Advisory](https://download.nutanix.com/alerts/Security_Advisory_0023.pdf) | | | 12/20/2021 | | Nutanix | AOS | LTS (including Prism Element), Community Edition | Not Affected | | [Nutanix Security Advisory](https://download.nutanix.com/alerts/Security_Advisory_0023.pdf) | | | 12/20/2021 | -| Nutanix | AOS | STS (including Prism Element) | Fixed | Yes | [Nutanix Security Advisory](https://download.nutanix.com/alerts/Security_Advisory_0023.pdf) | Patched in 6.0.2.4, available on the Portal for -download | | 12/20/2021 | +| Nutanix | AOS | STS (including Prism Element) | Fixed | Yes | [Nutanix Security Advisory](https://download.nutanix.com/alerts/Security_Advisory_0023.pdf) | Patched in 6.0.2.4, available on the Portal for download. | | 12/20/2021 | | Nutanix | Beam | | Fixed | | [Nutanix Security Advisory](https://download.nutanix.com/alerts/Security_Advisory_0023.pdf) | Saas-Based Procuct. See Advisory. | | 12/20/2021 | | Nutanix | BeamGov | | Fixed | | [Nutanix Security Advisory](https://download.nutanix.com/alerts/Security_Advisory_0023.pdf) | Saas-Based Procuct. See Advisory. | | 12/20/2021 | | Nutanix | Calm | All | Not Affected | | [Nutanix Security Advisory](https://download.nutanix.com/alerts/Security_Advisory_0023.pdf) | | | 12/20/2021 | From c534698363b8696d597182dcdd308a0d8c869df2 Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Wed, 29 Dec 2021 16:13:37 -0500 Subject: [PATCH 3/7] Update CISA guidance --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 705f464..f2ad884 100644 --- a/README.md +++ b/README.md 
@@ -3,9 +3,10 @@ This repository provides [CISA's guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance) and an overview of related software regarding the Log4j vulnerability -(CVE-2021-44228). CISA encourages users and administrators to review the +(CVE-2021-44228). CISA urges users and administrators to review the [official Apache release](https://logging.apache.org/log4j/2.x/security.html) -and upgrade to Log4j 2.17.1 or apply the recommended mitigations immediately. +for updates and mitigation guidance, and upgrade to Log4j 2.17.1 (Java 8), 2.12.4 +(Java 7) and 2.3.2 (Java 6). The information in this repository is provided "as is" for informational purposes only and is being assembled and updated by CISA through From 95e34c2637f4092f153ed9c71c70ecbd1d40640a Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Wed, 29 Dec 2021 16:18:03 -0500 Subject: [PATCH 4/7] Update CISA rec guidance --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index f2ad884..d338bed 100644 --- a/README.md +++ b/README.md 
@@ -3,10 +3,10 @@ This repository provides [CISA's guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance) and an overview of related software regarding the Log4j vulnerability -(CVE-2021-44228). CISA urges users and administrators to review the -[official Apache release](https://logging.apache.org/log4j/2.x/security.html) -for updates and mitigation guidance, and upgrade to Log4j 2.17.1 (Java 8), 2.12.4 -(Java 7) and 2.3.2 (Java 6). +(CVE-2021-44228). CISA urges users and administrators to upgrade to Log4j 2.17.1 +(Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6), and review and monitor the +[Apache Log4j Security Vulnerabilities webpage](https://logging.apache.org/log4j/2.x/security.html) +for updates and mitigation guidance. The information in this repository is provided "as is" for informational purposes only and is being assembled and updated by CISA through @@ -35,7 +35,7 @@ or imply their endorsement, recommendation, or favoring by CISA. National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) -## Mitigation Guidance ## +## CISA Mitigation Guidance ## When updates are available, agencies must update software using Log4j to the newest version, which is the most From 6a5d1e8e1e92aec63b8eb7f0bb2059c789ea001f Mon Sep 17 00:00:00 2001 From: rajendrapshrestha Date: Thu, 30 Dec 2021 09:00:17 -0500 Subject: [PATCH 5/7] Update SOFTWARE-LIST.md Oracle Exadata & Oracle EM - Added affected version and link to Oracle site --- SOFTWARE-LIST.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 0ea45e0..a9a7240 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2069,8 +2069,8 @@ download | | 12/20/2021 | | OpenSearch | | | | | [OpenSearch Discussion Link](https://discuss.opendistrocommunity.dev/t/log4j-patch-for-cve-2021-44228/7950) | | | | | OpenText | | | | | [OpenText Log4J Remote Code Execution](https://www.opentext.com/support/log4j-remote-code-execution-advisory) | | | 12/23/2021 | | Oracle | | | Affected | | [Oracle Security Alert](https://www.oracle.com/security-alerts/alert-cve-2021-44228.html) [My Oracle Support Document](https://support.oracle.com/rs?type=doc&id=2827611.1) | The support document is available to customers only and has not been reviewed by CISA | | 12/17/2021 | -| Oracle | Exadata | | Affected | | | | | | -| Oracle | Enterprise Manager | | Affected | | | | | | +| Oracle | Exadata | <21.3.4 | Affected | | https://www.oracle.com/security-alerts/alert-cve-2021-44228.html (patch status and other security guidance is restricted to Oracle account/support members) | | | | +| Oracle | Enterprise Manager | 13.5 ,13.4 & 13.3.2 | Affected | | https://www.oracle.com/security-alerts/alert-cve-2021-44228.html (patch status and other security guidance is restricted to Oracle account/support members) | | | | | Orgavision | | | | | [Orgavision Link](https://www.orgavision.com/neuigkeiten/sicherheitsluecke-java-library-log4j) | | | | | Osirium | PAM | | Not Affected | | [Osirium statement](https://www.osirium.com/blog/apache-log4j-vulnerability) | | | | | Osirium | PEM | | Not Affected | | [Osirium statement](https://www.osirium.com/blog/apache-log4j-vulnerability) | | | | From 3dce153b353e60cc217e5f29c4989f8853fbb98b Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Thu, 30 Dec 2021 09:07:01 -0500 Subject: [PATCH 6/7] Add note & dates --- SOFTWARE-LIST.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 727a1e8..96db1ed 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2068,8 +2068,8 @@ This list was initially populated using information from the following sources: | OpenSearch | | | | | [OpenSearch Discussion Link](https://discuss.opendistrocommunity.dev/t/log4j-patch-for-cve-2021-44228/7950) | | | | | OpenText | | | | | [OpenText Log4J Remote Code Execution](https://www.opentext.com/support/log4j-remote-code-execution-advisory) | | | 12/23/2021 | | Oracle | | | Affected | | [Oracle Security Alert](https://www.oracle.com/security-alerts/alert-cve-2021-44228.html) [My Oracle Support Document](https://support.oracle.com/rs?type=doc&id=2827611.1) | The support document is available to customers only and has not been reviewed by CISA | | 12/17/2021 | -| Oracle | Exadata | <21.3.4 | Affected | | https://www.oracle.com/security-alerts/alert-cve-2021-44228.html (patch status and other security guidance is restricted to Oracle account/support members) | | | | -| Oracle | Enterprise Manager | 13.5 ,13.4 & 13.3.2 | Affected | | https://www.oracle.com/security-alerts/alert-cve-2021-44228.html (patch status and other security guidance is restricted to Oracle account/support members) | | | | +| Oracle | Exadata | <21.3.4 | Affected | | https://www.oracle.com/security-alerts/alert-cve-2021-44228.html (patch status and other security guidance is restricted to Oracle account/support members) | The support document is available to customers only and has not been reviewed by CISA. | | 12/17/2021 | +| Oracle | Enterprise Manager | 13.5 ,13.4 & 13.3.2 | Affected | | https://www.oracle.com/security-alerts/alert-cve-2021-44228.html (patch status and other security guidance is restricted to Oracle account/support members) | The support document is available to customers only and has not been reviewed by CISA. 
| | 12/17/2021 | | Orgavision | | | | | [Orgavision Link](https://www.orgavision.com/neuigkeiten/sicherheitsluecke-java-library-log4j) | | | | | Osirium | PAM | | Not Affected | | [Osirium statement](https://www.osirium.com/blog/apache-log4j-vulnerability) | | | | | Osirium | PEM | | Not Affected | | [Osirium statement](https://www.osirium.com/blog/apache-log4j-vulnerability) | | | | From 1c363a75d198d988316d0c4d4379b26660b8bd5b Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Thu, 30 Dec 2021 09:10:13 -0500 Subject: [PATCH 7/7] Fix bare urls Oracle --- SOFTWARE-LIST.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md index 96db1ed..13ebbff 100644 --- a/SOFTWARE-LIST.md +++ b/SOFTWARE-LIST.md 
@@ -2068,8 +2068,8 @@ This list was initially populated using information from the following sources: | OpenSearch | | | | | [OpenSearch Discussion Link](https://discuss.opendistrocommunity.dev/t/log4j-patch-for-cve-2021-44228/7950) | | | | | OpenText | | | | | [OpenText Log4J Remote Code Execution](https://www.opentext.com/support/log4j-remote-code-execution-advisory) | | | 12/23/2021 | | Oracle | | | Affected | | [Oracle Security Alert](https://www.oracle.com/security-alerts/alert-cve-2021-44228.html) [My Oracle Support Document](https://support.oracle.com/rs?type=doc&id=2827611.1) | The support document is available to customers only and has not been reviewed by CISA | | 12/17/2021 | -| Oracle | Exadata | <21.3.4 | Affected | | https://www.oracle.com/security-alerts/alert-cve-2021-44228.html (patch status and other security guidance is restricted to Oracle account/support members) | The support document is available to customers only and has not been reviewed by CISA. | | 12/17/2021 | -| Oracle | Enterprise Manager | 13.5 ,13.4 & 13.3.2 | Affected | | https://www.oracle.com/security-alerts/alert-cve-2021-44228.html (patch status and other security guidance is restricted to Oracle account/support members) | The support document is available to customers only and has not been reviewed by CISA. | | 12/17/2021 | +| Oracle | Exadata | <21.3.4 | Affected | | [https://www.oracle.com/security-alerts/alert-cve-2021-44228.html](https://www.oracle.com/security-alerts/alert-cve-2021-44228.html) | Patch status and other security guidance is restricted to Oracle account/support members. The support document is available to customers only and has not been reviewed by CISA. | | 12/17/2021 | +| Oracle | Enterprise Manager | 13.5 ,13.4 & 13.3.2 | Affected | | [https://www.oracle.com/security-alerts/alert-cve-2021-44228.html](https://www.oracle.com/security-alerts/alert-cve-2021-44228.html) | Patch status and other security guidance is restricted to Oracle account/support members. 
The support document is available to customers only and has not been reviewed by CISA. | | 12/17/2021 | | Orgavision | | | | | [Orgavision Link](https://www.orgavision.com/neuigkeiten/sicherheitsluecke-java-library-log4j) | | | | | Osirium | PAM | | Not Affected | | [Osirium statement](https://www.osirium.com/blog/apache-log4j-vulnerability) | | | | | Osirium | PEM | | Not Affected | | [Osirium statement](https://www.osirium.com/blog/apache-log4j-vulnerability) | | | |
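Review bot: In PATCH 1/7, hunk @@ -2054, the two added Oracle rows carry no version, no reference link, no notes and no last-updated date, so they tell a reader nothing beyond "Affected"; a row in this list should at least cite the vendor source, and the parent Oracle row two lines up already links the Oracle Security Alert. Since PATCH 5/7, 6/7 and 7/7 in this series fill exactly those cells, squashing them into this commit would avoid ever landing content-free rows.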
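Review bot: In PATCH 2/7, hunk @@ -1206, the fix correctly restores the missing status cell (`Not Affected`) and the empty cell after it on the Cloud Run row; without them every later cell was shifted one column left, and the long advisory note was rendering in the Reference column. The apparent line break before `| | 12/21/2021 |` is not in the patch itself (the hunk header is 7 lines to 7 lines, so the `+` line is a single line), so no follow-up is needed there.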
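Review bot: In PATCH 2/7, hunk @@ -1897, the added cell fixes the column count, but the AD SelfService Plus row still has no reference link backing its "Not Affected" status, its date `12/27/21` uses a two-digit year where the row above uses `12/15/2021`, and the version cell `Build 6.1 build 6114` repeats "build". Suggest citing the ManageEngine advisory already linked on the Servicedesk Plus row (or the product-specific statement), writing the date as `12/27/2021`, and trimming the version to `6.1 build 6114`.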
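Review bot: In PATCH 2/7, hunk @@ -2012, rejoining the Nutanix AOS row that had been split after "available on the Portal for" is right; it had been breaking the table at that point. While this region is being edited, the unchanged Beam and BeamGov context lines read `Saas-Based Procuct`, which should be `SaaS-based product`, and could be fixed in the same commit.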
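Review bot: In PATCH 3/7, hunk @@ -3,9, the whole rewritten paragraph is rewritten again by PATCH 4/7, hunk @@ -3,10, so the two commits should be squashed; as it stands the history carries an intermediate wording ("review the official Apache release for updates and mitigation guidance, and upgrade to ...") that never ships.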
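Review bot: In PATCH 4/7, hunk @@ -3,10, the sentence "upgrade to Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6)" joins the three releases with "and", which reads as if all three should be installed; they are alternatives keyed to the Java runtime in use. Suggest "upgrade to Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) or 2.3.2 (Java 6), as appropriate for the Java version in use".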
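Review bot: In PATCH 4/7, hunk @@ -35, renaming the heading from `## Mitigation Guidance ##` to `## CISA Mitigation Guidance ##` also changes the anchor GitHub derives from the heading text (`#mitigation-guidance` becomes `#cisa-mitigation-guidance`), so any in-repo or external link to the old anchor will silently stop resolving; check the README and SOFTWARE-LIST.md for references to the old anchor before merging.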
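Review bot: In PATCH 5/7, hunk @@ -2069, the Enterprise Manager version cell `13.5 ,13.4 & 13.3.2` has a stray space before the comma and should be `13.5, 13.4 & 13.3.2`; the reference cell uses a bare URL where every other row uses a markdown link with descriptive text (the parent row's `[Oracle Security Alert](...)` fits); and the parenthetical about access being restricted is a note, not part of the reference, so it belongs in the Notes column. PATCH 7/7 fixes the bare URL and moves the parenthetical but leaves the comma spacing.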
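Review bot: In PATCH 6/7, hunk @@ -2068, the last-updated date `12/17/2021` written onto both Oracle rows predates the rows themselves (the series adds them on 23 Dec and adds versions on 30 Dec), so it misstates when these entries were last reviewed; use the date of this edit. The appended sentence "The support document is available to customers only and has not been reviewed by CISA" also refers to the My Oracle Support document that the parent row links, but these two rows only link the public security alert, so the sentence reads as copied from the parent row rather than describing these entries.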
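Review bot: In PATCH 7/7, hunk @@ -2068, the bare URL is now a markdown link but its link text is the raw URL, which is inconsistent with the rest of the table where link text is a label (for example `[Oracle Security Alert](https://www.oracle.com/security-alerts/alert-cve-2021-44228.html)` on the parent row). The Notes cell also now holds two sentences that say nearly the same thing ("restricted to Oracle account/support members" and "available to customers only"); one sentence covers both, e.g. "Patch status and other security guidance is available to Oracle support customers only and has not been reviewed by CISA."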