From 9446afc7c0cbe015ed0daf413d4eb19096b643eb Mon Sep 17 00:00:00 2001 From: Mikey <0xmachos@gmail.com> Date: Wed, 15 Dec 2021 14:17:10 +0000 Subject: [PATCH 1/6] Add Jamf (Jamf Pro) entry --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2235165..ca8cc4e 100644 --- a/README.md +++ b/README.md @@ -373,6 +373,7 @@ This list was initially populated using information from the following sources: | Jenkins | CI/CD Core | | Not Affected | | | | | | | Jenkins | Plugins | | Unkown | | | Need to audit plugins for use of log4j | | | | Jetbrains | | | Affected | Yes | [https://www.jetbrains.com/help/license\_server/release\_notes.html](https://www.jetbrains.com/help/license_server/release_notes.html) | | | | +| Jamf | Jamf Pro | 10.31.0 – 10.34.0 | Affected | Yes | [Mitigating the Apache Log4j 2 Vulnerability](https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html) | McAfee | ePolicy Orchestrator Agent Handlers (ePO-AH) | | Not Affected | | | | | | | McAfee | Data Exchange Layer (DXL) | | Under Investigation | | | | | | | McAfee | Enterprise Security Manager (ESM) | | Under Investigation | | | | | | From 915fc174f72b4d692a5eab211214c3730bd252eb Mon Sep 17 00:00:00 2001 From: brolly33 <77168864+john-talbert@users.noreply.github.com> Date: Wed, 15 Dec 2021 13:13:29 -0500 Subject: [PATCH 2/6] Added HCL BigFix entries HCL BigFix entries added for Fixed and Not Affected modules. --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 9b07cb1..c4e2f9d 100644 --- a/README.md +++ b/README.md @@ -370,6 +370,13 @@ This list was initially populated using information from the following sources: | Gradle | Gradle Enterprise | < 2021.3.6 | Affected | Yes | [Gradle Enterprise Security Advisories - Remote code execution vulnerability due to use of Log4j2](https://security.gradle.com/advisory/2021-11) | | | | | Gradle | Gradle Enterprise Test Distribution Agent | < 1.6.2 | Affected | Yes | [Gradle Enterprise Security Advisories - Remote code execution vulnerability due to use of Log4j2](https://security.gradle.com/advisory/2021-11) | | | | | Gradle | Gradle Enterprise Build Cache Node | < 10.1 | Affected | Yes | [Gradle Enterprise Security Advisories - Remote code execution vulnerability due to use of Log4j2](https://security.gradle.com/advisory/2021-11) | | | | +| HCL Software | BigFix Insights | All | Not Affected | [KB](https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486) | | Not Affected for related CVE-2021-45046 | | | 12/15/2021 | +| HCL Software | BigFix Insights for Vulnerability Remediation | All | Not Affected | [KB](https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486) | | Not Affected for related CVE-2021-45046 | | | 12/15/2021 | +| HCL Software | BigFix Compliance | 2.0.1 - 2.0.4 | Fixed | [KB with fix](https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486) | | Not Affected for related CVE-2021-45046 | [Forum post with more specifics](https://forum.bigfix.com/t/bigfix-compliance-has-a-remediation-for-log4j-vulnerability-cve-2021-44228/40197) | | 12/15/2021 | +| HCL Software | BigFix Inventory | < 10.0.7 | Fixed | [KB with fix](https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486) | | Not Affected for related CVE-2021-45046 | | | 12/15/2021 | +| HCL Software | BigFix Lifecycle | All | Not Affected | [KB](https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486) | | Not Affected for related CVE-2021-45046 | | | 12/15/2021 | +| HCL Software | BigFix Mobile | All | Not Affected | [KB](https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486) | | Not Affected for related CVE-2021-45046 | | | 12/15/2021 | +| HCL Software | BigFix Patch | All | Not Affected | [KB](https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486) | | Not Affected for related CVE-2021-45046 | | | 12/15/2021 | | IBM | BigFix Compliance | | Affected | No | | | | | | IBM | BigFix Inventory | VM Manager Tool & SAP Tool | Affected | No | | To verify if your instance is affected, go to the lib subdirectory of the tool (BESClient/LMT/SAPTOOL and BESClient/LMT/VMMAN) and check what version of log4j is included. Version is included in the name of the library. | | | | IBM | Server Automation | | Affected | No | | | | | From 248c7449bcdb4aeee1703e554564e75a9a8d38a7 Mon Sep 17 00:00:00 2001 From: Jamie Finnigan Date: Wed, 15 Dec 2021 12:37:50 -0800 Subject: [PATCH 3/6] add HashiCorp products --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index 04c5b47..e782ab0 100644 --- a/README.md +++ b/README.md @@ -379,6 +379,18 @@ This list was initially populated using information from the following sources: | Gradle | Gradle Enterprise | < 2021.3.6 | Affected | Yes | [Gradle Enterprise Security Advisories - Remote code execution vulnerability due to use of Log4j2](https://security.gradle.com/advisory/2021-11) | | | | | Gradle | Gradle Enterprise Test Distribution Agent | < 1.6.2 | Affected | Yes | [Gradle Enterprise Security Advisories - Remote code execution vulnerability due to use of Log4j2](https://security.gradle.com/advisory/2021-11) | | | | | Gradle | Gradle Enterprise Build Cache Node | < 10.1 | Affected | Yes | [Gradle Enterprise Security Advisories - Remote code execution vulnerability due to use of Log4j2](https://security.gradle.com/advisory/2021-11) | | | | +| HashiCorp | Boundary | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | +| HashiCorp | Consul | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | +| HashiCorp | Consul Enterprise | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | +| HashiCorp | Nomad | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | +| HashiCorp | Nomad Enterprise | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | +| HashiCorp | Packer | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | +| HashiCorp | Terraform | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | +| HashiCorp | Terraform Enterprise | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | +| HashiCorp | Waypoint | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | +| HashiCorp | Vagrant | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | +| HashiCorp | Vault | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | +| HashiCorp | Vault Enterprise | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | | IBM | BigFix Compliance | | Affected | No | | | | | | IBM | BigFix Inventory | VM Manager Tool & SAP Tool | Affected | No | | To verify if your instance is affected, go to the lib subdirectory of the tool (BESClient/LMT/SAPTOOL and BESClient/LMT/VMMAN) and check what version of log4j is included. Version is included in the name of the library. | | | | IBM | Server Automation | | Affected | No | | | | | From 709b8dbff9ab1d6760f5175a514826d1d2a25907 Mon Sep 17 00:00:00 2001 From: Jamie Finnigan Date: Wed, 15 Dec 2021 12:44:07 -0800 Subject: [PATCH 4/6] clean up URL markdown formatting --- README.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index e782ab0..dc26fdc 100644 --- a/README.md +++ b/README.md @@ -379,18 +379,18 @@ This list was initially populated using information from the following sources: | Gradle | Gradle Enterprise | < 2021.3.6 | Affected | Yes | [Gradle Enterprise Security Advisories - Remote code execution vulnerability due to use of Log4j2](https://security.gradle.com/advisory/2021-11) | | | | | Gradle | Gradle Enterprise Test Distribution Agent | < 1.6.2 | Affected | Yes | [Gradle Enterprise Security Advisories - Remote code execution vulnerability due to use of Log4j2](https://security.gradle.com/advisory/2021-11) | | | | | Gradle | Gradle Enterprise Build Cache Node | < 10.1 | Affected | Yes | [Gradle Enterprise Security Advisories - Remote code execution vulnerability due to use of Log4j2](https://security.gradle.com/advisory/2021-11) | | | | -| HashiCorp | Boundary | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | -| HashiCorp | Consul | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | -| HashiCorp | Consul Enterprise | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | -| HashiCorp | Nomad | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | -| HashiCorp | Nomad Enterprise | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | -| HashiCorp | Packer | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | -| HashiCorp | Terraform | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | -| HashiCorp | Terraform Enterprise | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | -| HashiCorp | Waypoint | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | -| HashiCorp | Vagrant | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | -| HashiCorp | Vault | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | -| HashiCorp | Vault Enterprise | | Not Affected | | https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228/ | | | | +| HashiCorp | Boundary | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | +| HashiCorp | Consul | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | +| HashiCorp | Consul Enterprise | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | +| HashiCorp | Nomad | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | +| HashiCorp | Nomad Enterprise | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | +| HashiCorp | Packer | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | +| HashiCorp | Terraform | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | +| HashiCorp | Terraform Enterprise | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | +| HashiCorp | Waypoint | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | +| HashiCorp | Vagrant | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | +| HashiCorp | Vault | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | +| HashiCorp | Vault Enterprise | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | | IBM | BigFix Compliance | | Affected | No | | | | | | IBM | BigFix Inventory | VM Manager Tool & SAP Tool | Affected | No | | To verify if your instance is affected, go to the lib subdirectory of the tool (BESClient/LMT/SAPTOOL and BESClient/LMT/VMMAN) and check what version of log4j is included. Version is included in the name of the library. | | | | IBM | Server Automation | | Affected | No | | | | | From b96939d95eeb14f5317c83b767c9d5090d1d9ce5 Mon Sep 17 00:00:00 2001 From: Jamie Finnigan Date: Wed, 15 Dec 2021 12:45:35 -0800 Subject: [PATCH 5/6] fix product ordering --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index dc26fdc..5e9666b 100644 --- a/README.md +++ b/README.md @@ -387,10 +387,10 @@ This list was initially populated using information from the following sources: | HashiCorp | Packer | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | | HashiCorp | Terraform | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | | HashiCorp | Terraform Enterprise | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | -| HashiCorp | Waypoint | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | | HashiCorp | Vagrant | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | | HashiCorp | Vault | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | | HashiCorp | Vault Enterprise | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | +| HashiCorp | Waypoint | | Not Affected | | [HashiCorp security bulletin re. CVE-2021-44228](https://discuss.hashicorp.com/t/hcsec-2021-32-hashicorp-response-to-apache-log4j-2-security-issue-cve-2021-44228) | | | | | IBM | BigFix Compliance | | Affected | No | | | | | | IBM | BigFix Inventory | VM Manager Tool & SAP Tool | Affected | No | | To verify if your instance is affected, go to the lib subdirectory of the tool (BESClient/LMT/SAPTOOL and BESClient/LMT/VMMAN) and check what version of log4j is included. Version is included in the name of the library. | | | | IBM | Server Automation | | Affected | No | | | | | From ec1e5354bd52cb98d33a27f2fb78a88bfb6ce38c Mon Sep 17 00:00:00 2001 From: Lcerkov <96153185+Lcerkov@users.noreply.github.com> Date: Thu, 16 Dec 2021 18:05:08 -0500 Subject: [PATCH 6/6] Add RTI --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index a033211..5cd843c 100644 --- a/README.md +++ b/README.md @@ -903,6 +903,14 @@ This list was initially populated using information from the following sources: | Rapid7 | Metasploit Framework| on-prem | Not Affected | | [Rapid7 Statement](https://www.rapid7.com/blog/post/2021/12/14/update-on-log4shells-impact-on-rapid7-solutions-and-systems/?mkt_tok=NDExLU5BSy05NzAAAAGBVaccW1DOLSfEsfTNwEJksv_1nK1muJSFze-Lle90mKtAO78nSdjwPdzqXskNIi9qZCAGQODD42mYRK4YPlQkjhn38E27HQxFHdHAkypEOsh8) ||| 12/15/2021| | Rapid7 | tCell Java Agent| on-prem | Not Affected | | [Rapid7 Statement](https://www.rapid7.com/blog/post/2021/12/14/update-on-log4shells-impact-on-rapid7-solutions-and-systems/?mkt_tok=NDExLU5BSy05NzAAAAGBVaccW1DOLSfEsfTNwEJksv_1nK1muJSFze-Lle90mKtAO78nSdjwPdzqXskNIi9qZCAGQODD42mYRK4YPlQkjhn38E27HQxFHdHAkypEOsh8) ||| 12/15/2021| | Rapid7 | Velociraptor| on-prem | Not Affected | | [Rapid7 Statement](https://www.rapid7.com/blog/post/2021/12/14/update-on-log4shells-impact-on-rapid7-solutions-and-systems/?mkt_tok=NDExLU5BSy05NzAAAAGBVaccW1DOLSfEsfTNwEJksv_1nK1muJSFze-Lle90mKtAO78nSdjwPdzqXskNIi9qZCAGQODD42mYRK4YPlQkjhn38E27HQxFHdHAkypEOsh8) ||| 12/15/2021| +| Real-Time Innovations (RTI) | RTI Administration Console | | Not Affected | |[RTI Statement](https://community.rti.com/kb/apache-log4j-vulnerability-cve-2021-44228cve-2021-45046-impact-rti-connext-products) | | |12/16/2021 | +| Real-Time Innovations (RTI) | RTI Monitor | | Not Affected | |[RTI Statement](https://community.rti.com/kb/apache-log4j-vulnerability-cve-2021-44228cve-2021-45046-impact-rti-connext-products) | | |12/16/2021 | +| Real-Time Innovations (RTI) | RTI Code Generator | | Not Affected | |[RTI Statement](https://community.rti.com/kb/apache-log4j-vulnerability-cve-2021-44228cve-2021-45046-impact-rti-connext-products) | | |12/16/2021 | +| Real-Time Innovations (RTI) | RTI Code Generator Server| | Not Affected | |[RTI Statement](https://community.rti.com/kb/apache-log4j-vulnerability-cve-2021-44228cve-2021-45046-impact-rti-connext-products) | | |12/16/2021 | +| Real-Time Innovations (RTI) | Recording Console | | Not Affected | |[RTI Statement](https://community.rti.com/kb/apache-log4j-vulnerability-cve-2021-44228cve-2021-45046-impact-rti-connext-products) | | |12/16/2021 | +| Real-Time Innovations (RTI) | Distributed Logger| | Not Affected | |[RTI Statement](https://community.rti.com/kb/apache-log4j-vulnerability-cve-2021-44228cve-2021-45046-impact-rti-connext-products) | | |12/16/2021 | +| Real-Time Innovations (RTI) | RTI Micro Application Generator (MAG)| as part of RTI Connext Professional 6.0.0 and 6.0.1| Affected | |[RTI Statement](https://community.rti.com/kb/apache-log4j-vulnerability-cve-2021-44228cve-2021-45046-impact-rti-connext-products) | | |12/16/2021 | +| Real-Time Innovations (RTI) | RTI Micro Application Generator (MAG)| as part of RTI Connext Micro 3.0.0, 3.0.1, 3.0.2, 3.0.3 | Affected | |[RTI Statement](https://community.rti.com/kb/apache-log4j-vulnerability-cve-2021-44228cve-2021-45046-impact-rti-connext-products) | | |12/16/2021 | | Red Hat build of Quarkus | log4j-core low | | Affected | No | [CVE-2021-44228- Red Hat Customer Portal](https://access.redhat.com/security/cve/cve-2021-44228) | | | | | Red Hat CodeReady Studio 12 | log4j-core | | Affected | No | [CVE-2021-44228- Red Hat Customer Portal](https://access.redhat.com/security/cve/cve-2021-44228) | | | | | Red Hat Data Grid 8 | log4j-core | | Affected | No | [CVE-2021-44228- Red Hat Customer Portal](https://access.redhat.com/security/cve/cve-2021-44228) | | | |