mirror of
https://github.com/cisagov/log4j-affected-db.git
synced 2024-11-23 00:50:48 +00:00
Merge branch 'develop' into Splunk
commit
b1a245d084
5 changed files with 3029 additions and 50 deletions
82
.github/ISSUE_TEMPLATE/product-submission-form.yml
vendored
Normal file
|
@ -0,0 +1,82 @@
|
||||||
|
---
|
||||||
|
name: Submit a Product
|
||||||
|
description: Submit a product to the database
|
||||||
|
title: "[Product Submission]: <vendor> - <product>"
|
||||||
|
body:
|
||||||
|
- type: input
|
||||||
|
id: product-vendor
|
||||||
|
attributes:
|
||||||
|
label: Product vendor
|
||||||
|
description: Who is the vendor for the product?
|
||||||
|
placeholder: Cisco, Dell, IBM, etc.
|
||||||
|
validations:
|
||||||
|
required: true
|
||||||
|
- type: input
|
||||||
|
id: product-name
|
||||||
|
attributes:
|
||||||
|
label: Product name
|
||||||
|
description: What is the name of the product?
|
||||||
|
placeholder: AppDynamics, BigFix Inventory, Centera, etc.
|
||||||
|
validations:
|
||||||
|
required: true
|
||||||
|
- type: input
|
||||||
|
id: product-versions
|
||||||
|
attributes:
|
||||||
|
label: Product version(s)
|
||||||
|
description: What version(s) of the product is (are) affected?
|
||||||
|
placeholder: v2; 1.5; >3; >=4; >5, <6; etc.
|
||||||
|
validations:
|
||||||
|
required: true
|
||||||
|
- type: dropdown
|
||||||
|
id: product-status
|
||||||
|
attributes:
|
||||||
|
label: Product status
|
||||||
|
description: What is the current status of the affected product?
|
||||||
|
options:
|
||||||
|
- Unknown
|
||||||
|
- Affected
|
||||||
|
- Not Affected
|
||||||
|
- Fixed
|
||||||
|
- Under Investigation
|
||||||
|
validations:
|
||||||
|
required: true
|
||||||
|
- type: markdown
|
||||||
|
attributes:
|
||||||
|
value: |
|
||||||
|
Please use the information below when selecting a status.
|
||||||
|
|
||||||
|
- Unknown - Status unknown. Default choice.
|
||||||
|
- Affected - Reported to be affected by CVE-2021-44228.
|
||||||
|
- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no
|
||||||
|
further action necessary.
|
||||||
|
- Fixed - Patch and/or mitigations available (see provided links).
|
||||||
|
- Under Investigation - Vendor investigating status.
|
||||||
|
- type: dropdown
|
||||||
|
id: product-updated
|
||||||
|
attributes:
|
||||||
|
label: Product update
|
||||||
|
description: Is there an update available for the product?
|
||||||
|
options:
|
||||||
|
- Available
|
||||||
|
- Not Available
|
||||||
|
validations:
|
||||||
|
required: true
|
||||||
|
- type: input
|
||||||
|
id: product-update-link
|
||||||
|
attributes:
|
||||||
|
label: Product update link
|
||||||
|
description: Where can the update be found, if one is available?
|
||||||
|
- type: input
|
||||||
|
id: product-last-updated
|
||||||
|
attributes:
|
||||||
|
label: Last updated
|
||||||
|
description: When was the product last updated?
|
||||||
|
placeholder: "2021-12-06"
|
||||||
|
- type: textarea
|
||||||
|
id: product-notes
|
||||||
|
attributes:
|
||||||
|
label: Notes
|
||||||
|
- type: textarea
|
||||||
|
id: product-references
|
||||||
|
attributes:
|
||||||
|
label: References
|
|
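Review bot: `product-versions` is marked `required: true`, but its description asks which versions "is (are) affected", so a submitter who picks `Not Affected`, `Unknown` or `Under Investigation` in `product-status` has no sensible value to enter. Reword the description to ask which version(s) the chosen status applies to, or drop the requirement. Two smaller points in the same form: the `type: markdown` block that defines the statuses sits after the `product-status` dropdown, so it is read after the choice has been made and belongs above it; and `product-last-updated` is free text with only the placeholder "2021-12-06" to hint at a format, while `product-update-link` stays optional even when `product-updated` is `Available`. State the expected date format and when the link is needed in the two descriptions.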
@ -1,27 +0,0 @@
|
||||||
---
|
|
||||||
name: Product Submission Template
|
|
||||||
about: Template for product submissions of all publicly available information
|
|
||||||
and vendor-supplied advisories regarding the log4j vulnerability.
|
|
||||||
---
|
|
||||||
# Submission Template #
|
|
||||||
|
|
||||||
Please provide the following information.
|
|
||||||
|
|
||||||
- Vendor Name
|
|
||||||
- Product Name
|
|
||||||
- Version(s) affected
|
|
||||||
- Status: Please choose from one of the following - Unknown, Affected,
|
|
||||||
Not Affected, Fixed, and Under Investigation.
|
|
||||||
- Update Available: Yes or No (If Yes, please provide link to information)
|
|
||||||
- Notes
|
|
||||||
- References
|
|
||||||
- Last Updated: Date of last update
|
|
||||||
|
|
||||||
For questions about choice for status, please see the information below.
|
|
||||||
|
|
||||||
- Unknown - Status unknown. Default choice.
|
|
||||||
- Affected - Reported to be affected by CVE-2021-44228.
|
|
||||||
- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no further
|
|
||||||
action necessary.
|
|
||||||
- Fixed - Patch and/or mitigations available (see provided links).
|
|
||||||
- Under Investigation - Vendor investigating status.
|
|
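Review bot: The `about` text removed at the top of this hunk scoped submissions to "publicly available information and vendor-supplied advisories", and neither replacement form's `description` repeats that scope. Carry the sentence over into both new forms (a `type: markdown` element at the top of `body` would do) so submitters still see it. The old "Update Available: Yes or No" field also becomes `Available` / `Not Available` in the new forms; the table rows visible in this commit use values such as `No` and `N/A`, so document how the form values map onto that column.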
80
.github/ISSUE_TEMPLATE/product-update-form.yml
vendored
Normal file
|
@ -0,0 +1,80 @@
|
||||||
|
---
|
||||||
|
name: Update a Product
|
||||||
|
description: Update information about a product in the database
|
||||||
|
title: "[Product Update]: <vendor> - <product>"
|
||||||
|
body:
|
||||||
|
- type: input
|
||||||
|
id: product-vendor
|
||||||
|
attributes:
|
||||||
|
label: Product vendor
|
||||||
|
description: Who is the vendor for the product?
|
||||||
|
placeholder: Cisco, Dell, IBM, etc.
|
||||||
|
validations:
|
||||||
|
required: true
|
||||||
|
- type: input
|
||||||
|
id: product-name
|
||||||
|
attributes:
|
||||||
|
label: Product name
|
||||||
|
description: What is the name of the product?
|
||||||
|
placeholder: AppDynamics, BigFix Inventory, Centera, etc.
|
||||||
|
validations:
|
||||||
|
required: true
|
||||||
|
- type: textarea
|
||||||
|
id: update-context
|
||||||
|
attributes:
|
||||||
|
label: Context
|
||||||
|
description: Please provide context around the update.
|
||||||
|
- type: input
|
||||||
|
id: product-versions
|
||||||
|
attributes:
|
||||||
|
label: Product version(s)
|
||||||
|
description: What version(s) of the product are affected?
|
||||||
|
- type: dropdown
|
||||||
|
id: product-status
|
||||||
|
attributes:
|
||||||
|
label: Product status
|
||||||
|
description: What is the current status of the affected product?
|
||||||
|
options:
|
||||||
|
- Unknown
|
||||||
|
- Affected
|
||||||
|
- Not Affected
|
||||||
|
- Fixed
|
||||||
|
- Under Investigation
|
||||||
|
- type: markdown
|
||||||
|
attributes:
|
||||||
|
value: |
|
||||||
|
Please use the information below when selecting a status.
|
||||||
|
|
||||||
|
- Unknown - Status unknown. Default choice.
|
||||||
|
- Affected - Reported to be affected by CVE-2021-44228.
|
||||||
|
- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no
|
||||||
|
further action necessary.
|
||||||
|
- Fixed - Patch and/or mitigations available (see provided links).
|
||||||
|
- Under Investigation - Vendor investigating status.
|
||||||
|
- type: dropdown
|
||||||
|
id: product-updated
|
||||||
|
attributes:
|
||||||
|
label: Product update
|
||||||
|
description: Is there an update available for the product?
|
||||||
|
options:
|
||||||
|
- Available
|
||||||
|
- Not Available
|
||||||
|
- type: input
|
||||||
|
id: product-update-link
|
||||||
|
attributes:
|
||||||
|
label: Product update link
|
||||||
|
description: Where can the update be found, if one is available?
|
||||||
|
- type: input
|
||||||
|
id: product-last-updated
|
||||||
|
attributes:
|
||||||
|
label: Last updated
|
||||||
|
description: When was the product last updated?
|
||||||
|
placeholder: "2021-12-06"
|
||||||
|
- type: textarea
|
||||||
|
id: product-notes
|
||||||
|
attributes:
|
||||||
|
label: Notes
|
||||||
|
- type: textarea
|
||||||
|
id: product-references
|
||||||
|
attributes:
|
||||||
|
label: References
|
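Review bot: Nothing in this form is required beyond `product-vendor` and `product-name`, and that pair does not identify a single row: the table context in this commit shows two `Zyxel` rows, one of them with an empty product name. Mark `update-context` as required and ask in its description for the existing row's link or current values, so the maintainer can tell which entry to change and what the update is. The `product-versions` description here reads "are affected" while the submission form reads "is (are) affected"; use one wording in both files.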
70
README.md
|
@ -3,9 +3,10 @@
|
||||||
This repository provides
|
This repository provides
|
||||||
[CISA's guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
|
[CISA's guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
|
||||||
and an overview of related software regarding the Log4j vulnerability
|
and an overview of related software regarding the Log4j vulnerability
|
||||||
(CVE-2021-44228). CISA encourages users and administrators to review the
|
(CVE-2021-44228). CISA urges users and administrators to upgrade to Log4j 2.17.1
|
||||||
[official Apache release](https://logging.apache.org/log4j/2.x/security.html)
|
(Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6), and review and monitor the
|
||||||
and upgrade to Log4j 2.17.0 or apply the recommended mitigations immediately.
|
[Apache Log4j Security Vulnerabilities webpage](https://logging.apache.org/log4j/2.x/security.html)
|
||||||
|
for updates and mitigation guidance.
|
||||||
|
|
||||||
The information in this repository is provided "as is" for informational
|
The information in this repository is provided "as is" for informational
|
||||||
purposes only and is being assembled and updated by CISA through
|
purposes only and is being assembled and updated by CISA through
|
||||||
|
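Review bot: The recommended releases are hard-coded in the intro sentence ("2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6)"), and this hunk is itself a bump from the previously pinned 2.17.0. Name the Apache Log4j Security Vulnerabilities page as the source for the current fixed release and give the numbers with an "as of" date, so the README does not silently lag the next release. The paragraph also still scopes the repository to "the Log4j vulnerability (CVE-2021-44228)" in the singular while the new link text says "Security Vulnerabilities"; align the wording.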
@ -20,43 +21,63 @@ or imply their endorsement, recommendation, or favoring by CISA.
|
||||||
## Official CISA Guidance & Resources ##
|
## Official CISA Guidance & Resources ##
|
||||||
|
|
||||||
- [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
|
- [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
|
||||||
|
- [CISA ED 22-02: Apache Log4j Recommended Mitigation Measures](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures)
|
||||||
|
- [CISA ALERT (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a)
|
||||||
- [Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability](https://www.cisa.gov/emergency-directive-22-02)
|
- [Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability](https://www.cisa.gov/emergency-directive-22-02)
|
||||||
- [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability).
|
- [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability).
|
||||||
|
|
||||||
## CISA Current Activity Alerts ##
|
## CISA Current Activity Alerts ##
|
||||||
|
|
||||||
|
- [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/22/mitigating-log4shell-and-other-log4j-related-vulnerabilities)
|
||||||
- [CISA Issues ED 22-02 Directing Federal Agencies to Mitigate Apache Log4j Vulnerabilities](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache)
|
- [CISA Issues ED 22-02 Directing Federal Agencies to Mitigate Apache Log4j Vulnerabilities](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache)
|
||||||
- [Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce)
|
- [Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce)
|
||||||
- [CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/13/cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228)
|
- [CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/13/cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228)
|
||||||
|
|
||||||
National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
|
National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
|
||||||
|
|
||||||
## Mitigation Guidance ##
|
## CISA Mitigation Guidance ##
|
||||||
|
|
||||||
CISA urges organizations operating products marked as "Fixed" to immediately
|
When updates are available, agencies must update software
|
||||||
implement listed patches/mitigations [here](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance).
|
using Log4j to the newest version, which is the most
|
||||||
|
effective and manageable long-term option. Where
|
||||||
|
updating is not possible, the following mitigating
|
||||||
|
measures can be considered as a temporary solution
|
||||||
|
and apply to the entire solution stack.
|
||||||
|
|
||||||
CISA urges organizations operating products marked as "Not Fixed" to immediately
|
- **Disable Log4j library.** Disabling software using the
|
||||||
implement alternate controls, including:
|
Log4j library is an effective measure, favoring
|
||||||
|
controlled downtime over adversary-caused issues.
|
||||||
|
This option could cause operational impacts and limit
|
||||||
|
visibility into other issues.
|
||||||
|
- **Disable JNDI lookups or disable remote codebases.**
|
||||||
|
This option, while effective, may involve
|
||||||
|
developer work and could impact functionality.
|
||||||
|
- **Disconnect affected stacks.** Solution stacks not
|
||||||
|
connected to agency networks pose a dramatically
|
||||||
|
lower risk from attack. Consider temporarily
|
||||||
|
disconnecting the stack from agency networks.
|
||||||
|
- **Isolate the system.** Create a “vulnerable network”
|
||||||
|
VLAN and segment the solution stack from the
|
||||||
|
rest of the enterprise network.
|
||||||
|
- **Deploy a properly configured Web Application
|
||||||
|
Firewall (WAF) in front of the solution stack.**
|
||||||
|
Deploying a WAF is an important, but incomplete,
|
||||||
|
solution. While threat actors will be able to
|
||||||
|
bypass this mitigation, the reduction in alerting
|
||||||
|
will allow an agency SOC to focus on a smaller
|
||||||
|
set of alerts.
|
||||||
|
- **Apply micropatch.** There are several micropatches
|
||||||
|
available. They are not a part of the official
|
||||||
|
update but may limit agency risk.
|
||||||
|
- Report incidents promptly to CISA and/or the FBI
|
||||||
|
[here](https://www.cisa.gov/uscert/report).
|
||||||
|
|
||||||
- Install a WAF with rules that automatically update.
|
For more information regarding CISA recommended mitigation measures please visit
|
||||||
- Set `log4j2.formatMsgNoLookups` to true by adding `-Dlog4j2.formatMsgNoLookups=True`
|
[here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures).
|
||||||
to the Java Virtual Machine command for starting your application.
|
|
||||||
- Ensure that any alerts from a vulnerable device are immediately actioned.
|
|
||||||
- Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report).
|
|
||||||
|
|
||||||
## Status Descriptions ##
|
|
||||||
|
|
||||||
| Status | Description |
|
|
||||||
| ------ | ----------- |
|
|
||||||
| Unknown | Status unknown. Default choice. |
|
|
||||||
| Affected | Reported to be affected by CVE-2021-44228. |
|
|
||||||
| Not Affected | Reported to NOT be affected by CVE-2021-44228 and no further action necessary. |
|
|
||||||
| Fixed | Patch and/or mitigations available (see provided links). |
|
|
||||||
| Under Investigation | Vendor investigating status. |
|
|
||||||
|
|
||||||
## Software List ##
|
## Software List ##
|
||||||
|
|
||||||
|
<<<<<<< HEAD
|
||||||
This list was initially populated using information from the following sources:
|
This list was initially populated using information from the following sources:
|
||||||
|
|
||||||
- Kevin Beaumont
|
- Kevin Beaumont
|
||||||
|
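Review bot: An unresolved conflict marker, `<<<<<<< HEAD`, is added on the line under `## Software List ##` and will render as literal text in the README; resolve the conflict instead of committing the marker. In the same hunk the `## Status Descriptions ##` table is deleted although the software list rows still use those status values, which leaves the definitions only in the issue forms; keep the table or move it next to the list. The rewritten mitigation section also switches to "agencies must update" while the intro addresses "users and administrators", and it drops the `-Dlog4j2.formatMsgNoLookups=True` instruction without a replacement at the same level of detail; a sentence pointing readers to the linked ED 22-02 page for the specific settings would cover both.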
@ -2393,3 +2414,6 @@ This list was initially populated using information from the following sources:
|
||||||
| Zscaler | See Link (Multiple Products) | | Not Affected | No | [CVE-2021-44228 log4j Vulnerability](https://trust.zscaler.com/posts/9581) | | | 12/15/2012 |
|
| Zscaler | See Link (Multiple Products) | | Not Affected | No | [CVE-2021-44228 log4j Vulnerability](https://trust.zscaler.com/posts/9581) | | | 12/15/2012 |
|
||||||
| Zyxel | | | | | [Zyxel Security Advisory for Apache Log4j](https://www.zyxel.com/support/Zyxel_security_advisory_for_Apache_Log4j_RCE_vulnerability.shtml) | | | |
|
| Zyxel | | | | | [Zyxel Security Advisory for Apache Log4j](https://www.zyxel.com/support/Zyxel_security_advisory_for_Apache_Log4j_RCE_vulnerability.shtml) | | | |
|
||||||
| Zyxel | Security Firewall/Gateways | ZLD Firmware Security Services, Nebula | Not Affected | N/A | [Zyxel Security Advisory](https://community.zyxel.com/en/discussion/12229/zyxel-security-advisory-for-apache-log4j-rce-vulnerability) | | | 12/14/2021 |
|
| Zyxel | Security Firewall/Gateways | ZLD Firmware Security Services, Nebula | Not Affected | N/A | [Zyxel Security Advisory](https://community.zyxel.com/en/discussion/12229/zyxel-security-advisory-for-apache-log4j-rce-vulnerability) | | | 12/14/2021 |
|
||||||
|
=======
|
||||||
|
To view the full list of vendors & software [click here](./SOFTWARE-LIST.md).
|
||||||
|
>>>>>>> develop
|
||||||
|
|
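Review bot: The `=======` and `>>>>>>> develop` lines added after the last `Zyxel` row mean both sides of the conflict are kept: the README retains the inline table from HEAD and also gains the link to `./SOFTWARE-LIST.md`, so the vendor data now lives in two files that can drift apart. Keep one side (the link, given that `SOFTWARE-LIST.md` is added in this commit) and delete the markers and the inline rows. When the rows move, check the `Zscaler` context row, whose last-updated value `12/15/2012` predates the CVE it reports on.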
2820
SOFTWARE-LIST.md
Normal file
File diff suppressed because it is too large