mirror of https://github.com/cisagov/log4j-affected-db.git synced 2024-11-23 00:50:48 +00:00

Merge branch 'develop' into Splunk

Dave Herrald 2021-12-30 11:31:45 -07:00
commit b1a245d084
5 changed files with 3029 additions and 50 deletions


@ -0,0 +1,82 @@
---
name: Submit a Product
description: Submit a product to the database
title: "[Product Submission]: <vendor> - <product>"
body:
- type: input
id: product-vendor
attributes:
label: Product vendor
description: Who is the vendor for the product?
placeholder: Cisco, Dell, IBM, etc.
validations:
required: true
- type: input
id: product-name
attributes:
label: Product name
description: What is the name of the product?
placeholder: AppDynamics, BigFix Inventory, Centera, etc.
validations:
required: true
- type: input
id: product-versions
attributes:
label: Product version(s)
description: What version(s) of the product is (are) affected?
placeholder: v2; 1.5; >3; >=4; >5, <6; etc.
validations:
required: true
- type: dropdown
id: product-status
attributes:
label: Product status
description: What is the current status of the affected product?
options:
- Unknown
- Affected
- Not Affected
- Fixed
- Under Investigation
validations:
required: true
- type: markdown
attributes:
value: |
Please use the information below when selecting a status.
- Unknown - Status unknown. Default choice.
- Affected - Reported to be affected by CVE-2021-44228.
- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no
further action necessary.
- Fixed - Patch and/or mitigations available (see provided links).
- Under Investigation - Vendor investigating status.
- type: dropdown
id: product-updated
attributes:
label: Product update
description: Is there an update available for the product?
options:
- Available
- Not Available
validations:
required: true
- type: input
id: product-update-link
attributes:
label: Product update link
description: Where can the update be found, if one is available?
- type: input
id: product-last-updated
attributes:
label: Last updated
description: When was the product last updated?
placeholder: "2021-12-06"
- type: textarea
id: product-notes
attributes:
label: Notes
- type: textarea
id: product-references
attributes:
label: References
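Review bot: The values this form collects for `product-updated` and `product-last-updated` do not match the rows of the software table shown elsewhere in this commit: the dropdown offers `Available` / `Not Available` and the date placeholder is `"2021-12-06"`, while the table rows carry `No` or `N/A` and dates such as `12/14/2021`. Pick one vocabulary and one date format and state them in the field descriptions, otherwise whoever transcribes issues into the table has to normalise every submission by hand. Separately, `product-update-link` has no `validations` block, so a submission can select `Available` and leave the link empty; its description could ask for the link whenever `Available` is selected.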


@ -1,27 +0,0 @@
---
name: Product Submission Template
about: Template for product submissions of all publicly available information
and vendor-supplied advisories regarding the log4j vulnerability.
---
# Submission Template #
Please provide the following information.
- Vendor Name
- Product Name
- Version(s) affected
- Status: Please choose from one of the following - Unknown, Affected,
Not Affected, Fixed, and Under Investigation.
- Update Available: Yes or No (If Yes, please provide link to information)
- Notes
- References
- Last Updated: Date of last update
For questions about choice for status, please see the information below.
- Unknown - Status unknown. Default choice.
- Affected - Reported to be affected by CVE-2021-44228.
- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no further
action necessary.
- Fixed - Patch and/or mitigations available (see provided links).
- Under Investigation - Vendor investigating status.


@ -0,0 +1,80 @@
---
name: Update a Product
description: Update information about a product in the database
title: "[Product Update]: <vendor> - <product>"
body:
- type: input
id: product-vendor
attributes:
label: Product vendor
description: Who is the vendor for the product?
placeholder: Cisco, Dell, IBM, etc.
validations:
required: true
- type: input
id: product-name
attributes:
label: Product name
description: What is the name of the product?
placeholder: AppDynamics, BigFix Inventory, Centera, etc.
validations:
required: true
- type: textarea
id: update-context
attributes:
label: Context
description: Please provide context around the update.
- type: input
id: product-versions
attributes:
label: Product version(s)
description: What version(s) of the product are affected?
- type: dropdown
id: product-status
attributes:
label: Product status
description: What is the current status of the affected product?
options:
- Unknown
- Affected
- Not Affected
- Fixed
- Under Investigation
- type: markdown
attributes:
value: |
Please use the information below when selecting a status.
- Unknown - Status unknown. Default choice.
- Affected - Reported to be affected by CVE-2021-44228.
- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no
further action necessary.
- Fixed - Patch and/or mitigations available (see provided links).
- Under Investigation - Vendor investigating status.
- type: dropdown
id: product-updated
attributes:
label: Product update
description: Is there an update available for the product?
options:
- Available
- Not Available
- type: input
id: product-update-link
attributes:
label: Product update link
description: Where can the update be found, if one is available?
- type: input
id: product-last-updated
attributes:
label: Last updated
description: When was the product last updated?
placeholder: "2021-12-06"
- type: textarea
id: product-notes
attributes:
label: Notes
- type: textarea
id: product-references
attributes:
label: References
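Review bot: Only `product-vendor` and `product-name` carry `validations: required: true` in this form, so an update request can be filed that names a product and says nothing about what changed. `update-context` is the field that explains the change; consider marking it required and having its description ask for the vendor advisory or other source, so the update can be verified before the entry is edited. The status legend also keeps `Unknown - Status unknown. Default choice.`, which in an update form is ambiguous between setting the status to Unknown and leaving it as it is; one line in the markdown block saying to leave the dropdown unset when the status is unchanged would settle that.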


@ -3,9 +3,10 @@
This repository provides This repository provides
[CISA's guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance) [CISA's guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
and an overview of related software regarding the Log4j vulnerability and an overview of related software regarding the Log4j vulnerability
(CVE-2021-44228). CISA encourages users and administrators to review the (CVE-2021-44228). CISA urges users and administrators to upgrade to Log4j 2.17.1
[official Apache release](https://logging.apache.org/log4j/2.x/security.html) (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6), and review and monitor the
and upgrade to Log4j 2.17.0 or apply the recommended mitigations immediately. [Apache Log4j Security Vulnerabilities webpage](https://logging.apache.org/log4j/2.x/security.html)
for updates and mitigation guidance.
The information in this repository is provided "as is" for informational The information in this repository is provided "as is" for informational
purposes only and is being assembled and updated by CISA through purposes only and is being assembled and updated by CISA through
@ -20,43 +21,63 @@ or imply their endorsement, recommendation, or favoring by CISA.
## Official CISA Guidance & Resources ## ## Official CISA Guidance & Resources ##
- [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance) - [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
- [CISA ED 22-02: Apache Log4j Recommended Mitigation Measures](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures)
- [CISA ALERT (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a)
- [Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability](https://www.cisa.gov/emergency-directive-22-02) - [Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability](https://www.cisa.gov/emergency-directive-22-02)
- [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability). - [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability).
## CISA Current Activity Alerts ## ## CISA Current Activity Alerts ##
- [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/22/mitigating-log4shell-and-other-log4j-related-vulnerabilities)
- [CISA Issues ED 22-02 Directing Federal Agencies to Mitigate Apache Log4j Vulnerabilities](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache) - [CISA Issues ED 22-02 Directing Federal Agencies to Mitigate Apache Log4j Vulnerabilities](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache)
- [Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce) - [Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce)
- [CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/13/cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228) - [CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/13/cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228)
National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
## Mitigation Guidance ## ## CISA Mitigation Guidance ##
CISA urges organizations operating products marked as "Fixed" to immediately When updates are available, agencies must update software
implement listed patches/mitigations [here](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance). using Log4j to the newest version, which is the most
effective and manageable long-term option. Where
updating is not possible, the following mitigating
measures can be considered as a temporary solution
and apply to the entire solution stack.
CISA urges organizations operating products marked as "Not Fixed" to immediately - **Disable Log4j library.** Disabling software using the
implement alternate controls, including: Log4j library is an effective measure, favoring
controlled downtime over adversary-caused issues.
This option could cause operational impacts and limit
visibility into other issues.
- **Disable JNDI lookups or disable remote codebases.**
This option, while effective, may involve
developer work and could impact functionality.
- **Disconnect affected stacks.** Solution stacks not
connected to agency networks pose a dramatically
lower risk from attack. Consider temporarily
disconnecting the stack from agency networks.
- **Isolate the system.** Create a “vulnerable network”
VLAN and segment the solution stack from the
rest of the enterprise network.
- **Deploy a properly configured Web Application
Firewall (WAF) in front of the solution stack.**
Deploying a WAF is an important, but incomplete,
solution. While threat actors will be able to
bypass this mitigation, the reduction in alerting
will allow an agency SOC to focus on a smaller
set of alerts.
- **Apply micropatch.** There are several micropatches
available. They are not a part of the official
update but may limit agency risk.
- Report incidents promptly to CISA and/or the FBI
[here](https://www.cisa.gov/uscert/report).
- Install a WAF with rules that automatically update. For more information regarding CISA recommended mitigation measures please visit
- Set `log4j2.formatMsgNoLookups` to true by adding `-Dlog4j2.formatMsgNoLookups=True` [here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures).
to the Java Virtual Machine command for starting your application.
- Ensure that any alerts from a vulnerable device are immediately actioned.
- Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report).
## Status Descriptions ##
| Status | Description |
| ------ | ----------- |
| Unknown | Status unknown. Default choice. |
| Affected | Reported to be affected by CVE-2021-44228. |
| Not Affected | Reported to NOT be affected by CVE-2021-44228 and no further action necessary. |
| Fixed | Patch and/or mitigations available (see provided links). |
| Under Investigation | Vendor investigating status. |
## Software List ## ## Software List ##
<<<<<<< HEAD
This list was initially populated using information from the following sources: This list was initially populated using information from the following sources:
- Kevin Beaumont - Kevin Beaumont
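Review bot: In the rewritten "CISA Mitigation Guidance" list, the `Report incidents promptly to CISA and/or the FBI` item is one bullet among what the preceding paragraph introduces as "mitigating measures", but it is a reporting instruction and lacks the bold lead-in every other item has; move it out of the list into its own sentence after it. Both new links in this section use `[here]` as their link text; descriptive text, as the "Official CISA Guidance & Resources" bullets use, reads better out of context and lets a reader see the destination before following it, for example by naming the ED 22-02 recommended mitigation measures page in the link itself.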
@ -2393,3 +2414,6 @@ This list was initially populated using information from the following sources:
| Zscaler | See Link (Multiple Products) | | Not Affected | No | [CVE-2021-44228 log4j Vulnerability](https://trust.zscaler.com/posts/9581) | | | 12/15/2012 | | Zscaler | See Link (Multiple Products) | | Not Affected | No | [CVE-2021-44228 log4j Vulnerability](https://trust.zscaler.com/posts/9581) | | | 12/15/2012 |
| Zyxel | | | | | [Zyxel Security Advisory for Apache Log4j](https://www.zyxel.com/support/Zyxel_security_advisory_for_Apache_Log4j_RCE_vulnerability.shtml) | | | | | Zyxel | | | | | [Zyxel Security Advisory for Apache Log4j](https://www.zyxel.com/support/Zyxel_security_advisory_for_Apache_Log4j_RCE_vulnerability.shtml) | | | |
| Zyxel | Security Firewall/Gateways | ZLD Firmware Security Services, Nebula | Not Affected | N/A | [Zyxel Security Advisory](https://community.zyxel.com/en/discussion/12229/zyxel-security-advisory-for-apache-log4j-rce-vulnerability) | | | 12/14/2021 | | Zyxel | Security Firewall/Gateways | ZLD Firmware Security Services, Nebula | Not Affected | N/A | [Zyxel Security Advisory](https://community.zyxel.com/en/discussion/12229/zyxel-security-advisory-for-apache-log4j-rce-vulnerability) | | | 12/14/2021 |
=======
To view the full list of vendors & software [click here](./SOFTWARE-LIST.md).
>>>>>>> develop
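Review bot: The `=======` and `>>>>>>> develop` lines added after the last table row, together with the `<<<<<<< HEAD` line added under `## Software List ##` in the previous hunk, are unresolved merge conflict markers being committed into the README. As it stands the file carries both sides of the conflict: the full inline table and the `To view the full list of vendors & software [click here](./SOFTWARE-LIST.md).` line, with the marker lines rendered as text between them. Resolve the conflict and keep one side; since this commit also includes SOFTWARE-LIST.md, keeping the link and checking that every row of the inline table exists in that file avoids two copies of the list that can drift apart.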

2820
SOFTWARE-LIST.md Normal file

File diff suppressed because it is too large