Critical Vulnerabilities in Apache Log4j Java Logging Library On December 9, 2021, the following critical vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions earlier than 2.15.0 was disclosed: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints On December 14, 2021, the following critical vulnerability, which affects certain Apache Log4j use cases in versions 2.15.0 and earlier, was disclosed: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack On December 18, 2021, a vulnerability in the Apache Log4j component affecting versions 2.16 and earlier was disclosed: CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation On December 28, 2021, a vulnerability in the Apache Log4j component affecting versions 2.17 and earlier was disclosed: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration For a description of these vulnerabilities, see the Apache Log4j Security Vulnerabilities page. Cisco's Response to These Vulnerabilities Cisco assessed all products and services for impact from both CVE-2021-44228 and CVE-2021-45046. To help detect exploitation of these vulnerabilities, Cisco has released Snort rules at the following location: Talos Rules 2021-12-21 Product fixes that are listed in this advisory will address both CVE-2021-44228 and CVE-2021-45046 unless otherwise noted. Cisco has reviewed CVE-2021-45105 and CVE-2021-44832 and has determined that no Cisco products or cloud offerings are impacted by these vulnerabilities. Cisco's standard practice is to update integrated third-party software components to later versions as they become available. This advisory is available at the following link:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
Critical Vulnerabilities in Apache Log4j Java Logging Library
On December 9, 2021, the following critical vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions earlier than 2.15.0 was disclosed:
On December 14, 2021, the following critical vulnerability, which affects certain Apache Log4j use cases in versions 2.15.0 and earlier, was disclosed:
On December 18, 2021, a vulnerability in the Apache Log4j component affecting versions 2.16 and earlier was disclosed:
On December 28, 2021, a vulnerability in the Apache Log4j component affecting versions 2.17 and earlier was disclosed:
For a description of these vulnerabilities, see the Apache Log4j Security Vulnerabilities page.
Cisco's Response to These Vulnerabilities
Cisco assessed all products and services for impact from both CVE-2021-44228 and CVE-2021-45046. To help detect exploitation of these vulnerabilities, Cisco has released Snort rules at the following location: Talos Rules 2021-12-21
Product fixes that are listed in this advisory will address both CVE-2021-44228 and CVE-2021-45046 unless otherwise noted.
Cisco has reviewed CVE-2021-45105 and CVE-2021-44832 and has determined that no Cisco products or cloud offerings are impacted by these vulnerabilities.
Cisco's standard practice is to update integrated third-party software components to later versions as they become available.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
Cisco investigated its product line to determine which products may be affected by these vulnerabilities.
This advisory only lists Cisco products and services that are known to include the impacted software component and thus may be vulnerable. Products and services that do not contain the impacted software component are not vulnerable and therefore are not listed in this advisory. Any Cisco product or service that is not explicitly listed in the Affected Products section of this advisory is not affected by the vulnerability or vulnerabilities described.
The Vulnerable Products section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.
Cisco investigated its product line to determine which products may be affected by these vulnerabilities.
The following table lists Cisco products that are affected by one or both of the vulnerabilities that are described in this advisory. Customers should refer to the associated Cisco bug(s) for further details.
Product | Cisco Bug ID | Fixed Release Availability |
---|---|---|
Collaboration and Social Media | ||
Cisco Webex Meetings Server | CSCwa47283 | CWMS-3.0MR4SP3 patch (21 Dec 2021) CWMS-4.0MR4SP3 patch (21 Dec 2021) CWMS-3.0MR4SP2 patch (14 Dec 2021) CWMS-4.0MR4SP2 patch (14 Dec 2021) |
Endpoint Clients and Client Software | ||
Cisco CX Cloud Agent Software | CSCwa47272 | 1.12.2 (17 Dec 2021) |
Network Application, Service, and Acceleration | ||
Cisco Call Studio | CSCwa54008 | 11.6(2) (23 Dec 2021) 12.0(1) (23 Dec 2021) 12.5(1) (23 Dec 2021) 12.6(1) (23 Dec 2021) |
Cisco Nexus Insights | CSCwa47284 | 6.0.2 (17 Dec 2021) |
Network and Content Security Devices | ||
Cisco Firepower Threat Defense (FTD) managed by Firepower Device Manager (FDM) | CSCwa46963 | 6.2.3 hotfix (Available) 6.4.0 hotfix (Available) 6.6.5 hotfix (Available) 6.7.0 hotfix (Available) 7.0.1 hotfix (Available) 7.1.0 hotfix (Available) |
Cisco Identity Services Engine (ISE) | CSCwa47133 | 2.4 hotfix (15 Dec 2021) 2.6 hotfix (15 Dec 2021) 2.7 hotfix (15 Dec 2021) 3.0 hotfix (15 Dec 2021) 3.1 hotfix (17 Dec 2021) |
Network Management and Provisioning | ||
Cisco Application Policy Infrastructure Controller (APIC) - Network Insights Base App | CSCwa47295 | 4.2(7r) (Available) 5.2(3g) (Available) |
Cisco Automated Subsea Tuning | CSCwa48806 | 2.1.0.4 (22 Dec 2021) |
Cisco Business Process Automation | CSCwa47269 | 3.0.000.115 (patch) (17 Dec 2021) 3.1.000.044 (patch) (17 Dec 2021) 3.2.000.009 (patch) (17 Dec 2021) |
Cisco CloudCenter Cost Optimizer | CSCwa48074 | 5.5.2 (Available) |
Cisco CloudCenter Suite Admin | CSCwa47349 | 5.3.1 (Available) |
Cisco CloudCenter Workload Manager | CSCwa47350 | 5.5.2 (Available) |
Cisco CloudCenter | CSCwa48832 | 4.10.0.16 (22 Dec 2021) |
Cisco Common Services Platform Collector (CSPC) | CSCwa47271 | 2.10.0.1 hotfix (Available) 2.9.1.3 hotfix (Available) |
Cisco Crosswork Data Gateway | CSCwa47257 | 2.0.2 patch (21 Dec 2021) 3.0.1 patch (21 Dec 2021) |
Cisco Crosswork Network Controller | CSCwa49936 | 2.0.1 patch (22 Dec 2021) 3.0.1 patch (22 Dec 2021) |
Cisco Crosswork Optimization Engine | CSCwa49939 | 2.0.1 patch (21 Dec 2021) 3.0.1 patch (21 Dec 2021) |
Cisco Crosswork Platform Infrastructure | CSCwa47367 | 4.0.1 patch (22 Dec 2021) 4.1.1 patch (22 Dec 2021) |
Cisco Crosswork Situation Manager | CSCwa51878 | 8.0.0.8 patch (21 Dec 2021) |
Cisco Crosswork Zero Touch Provisioning (ZTP) | CSCwa47259 | 2.0.1 patch (21 Dec 2021) 3.0.1 patch (21 Dec 2021) |
Cisco Cyber Vision Sensor Management Extension | CSCwa49482 | 4.0.3 (22 Dec 2021) |
Cisco DNA Spaces Connector | CSCwa47320 | v2.0.588 (Available) v2.2.12 (Available) |
Cisco Data Center Network Manager (DCNM) | CSCwa47291 | 12.0(2f) (Available) 11.5(3) patch (Available) 11.5(2) patch (Available) 11.5(1) patch (Available) 11.4(1) patch (Available) 11.3(1) patch (Available) |
Cisco Evolved Programmable Network Manager | CSCwa47310 | 5.1.3.1 patch (22 Dec 2021) 5.0.2.1 patch (13 Jan 2022) 4.1.1.1 patch (13 Jan 2022) |
Cisco Intersight Virtual Appliance | CSCwa47304 | 1.0.9-361 (20 Dec 2021) |
Cisco Network Services Orchestrator (NSO) | CSCwa47342 | nso-5.3.5.1 (17 Dec 2021) nso-5.4.5.2 (17 Dec 2021) nso-5.5.4.1 (17 Dec 2021) nso-5.6.3.1 (17 Dec 2021) |
Cisco Nexus Dashboard, formerly Cisco Application Services Engine | CSCwa47299 | 2.1.2 (23 Dec 2021) |
Cisco Prime Service Catalog | CSCwa47347 | 12.1 patch (20 Dec 2021) |
Cisco Secure Agile Exchange (SAE) Core Function Pack | CSCwa52921 | 2.4.1 (14 Jan 2022) |
Cisco Smart PHY | CSCwa50021 | 3.1.4 patch (Available) 3.2.0 patch (Available) 3.2.1 patch (Available) 21.3 patch (21 Jan 2022) |
Cisco Virtual Topology System (VTS) | CSCwa47334 | 2.6.7 (22 Dec 2021) |
Cisco Virtualized Infrastructure Manager | CSCwa49924 | 3.2.x patch (17 Dec 2021) 3.4.4 patch (17 Dec 2021) 3.4.6 patch (17 Dec 2021) 4.2.0 patch (17 Dec 2021) 4.2.1 patch (17 Dec 2021) |
Cisco WAN Automation Engine (WAE) | CSCwa47369 | 7.5.0.1 (22 Dec 2021) 7.4.0.1 (28 Jan 2022) 7.3.0.2 (28 Jan 2022) |
Routing and Switching - Enterprise and Service Provider | ||
Cisco DNA Center | CSCwa47322 | 2.2.2.8 patch (Available) 2.1.2.8 patch (Available) 2.2.3.4 patch (Available) |
Cisco IOx Fog Director | CSCwa47370 | 1.14.5 patch (16 Dec 2021) 1.16.4 patch (Available) |
Cisco Network Assurance Engine | CSCwa47285 | 6.0.2 (23 Dec 2021) |
Cisco Network Convergence System 1004 | CSCwa52235 | 7.3.2 SMU/GISO (14 Jan 2022) 7.3.1 SMU (21 Jan 2022) |
Cisco Optical Network Controller | CSCwa48793 | 1.1.0 (22 Dec 2021) |
Cisco SD-WAN vManage | CSCwa47745 | 20.3.4.1 (Available) 20.6.2.1 (Available) 20.5.1.1 (Available) 20.4.2.1 (Available) |
Unified Computing | ||
Cisco Integrated Management Controller (IMC) Supervisor | CSCwa47307 | 2.3.2.1 (23 Dec 2021) |
Cisco UCS Central Software | CSCwa47303 | 2.0(1p) (22 Dec 2021) |
Cisco UCS Director | CSCwa47288 | 6.8.2.0 (23 Dec 2021) |
Cisco Workload Optimization Manager | CSCwa50220 | 3.2.1 patch (Available) |
Voice and Unified Communications Devices | ||
Cisco BroadWorks | CSCwa47315 | 2021.11_1.162 (13 Dec 2021) ap381882 (15 Dec 2021) |
Cisco Cloud Connect | CSCwa51545 | 12.6(1) (Available) |
Cisco Contact Center Domain Manager (CCDM) | CSCwa47383 | 12.5(1) ES6 (Available) 12.6(1) ES3 (Available) |
Cisco Contact Center Management Portal (CCMP) | CSCwa47383 | 12.5(1) ES6 (Available) 12.6(1) ES3 (Available) |
Cisco Emergency Responder | CSCwa47391 | 11.5(4)SU9 patch (16 Dec 2021) 11.5(4)SU10 patch (16 Dec 2021) |
Cisco Enterprise Chat and Email | CSCwa47392 | 12.0(1) patch (Available) 12.5 (1) patch (Available) 12.6(1) patch (Available) |
Cisco Finesse | CSCwa46459 | 12.6(1)ES03 (23 Dec 2021) |
Cisco Packaged Contact Center Enterprise | CSCwa47274 | 11.6(2) (Available) 12.0(1) (Available) 12.5(1) (Available) 12.6(1) (Available) |
Cisco Paging Server | CSCwa47395 | 14.4.2 (21 Dec 2021) |
Cisco Unified Communications Manager / Cisco Unified Communications Manager Session Management Edition | CSCwa47249 | 11.5(1)SU7 patch (16 Dec 2021) 11.5(1)SU8 patch (16 Dec 2021) 11.5(1)SU9 patch (16 Dec 2021) 11.5(1)SU10 patch (16 Dec 2021) 11.5(1.18119-2) through 11.5(1.23162-1) patch (16 Dec 2021) |
Cisco Unified Communications Manager IM &Presence Service | CSCwa47393 | 11.5(1)SU7 patch (16 Dec 2021) 11.5(1)SU8 patch (16 Dec 2021) 11.5(1)SU9 patch (16 Dec 2021) 11.5(1)SU10 patch (16 Dec 2021) 11.5(1.18900-16) patch (16 Dec 2021) 11.5(1.18901-3) patch (16 Dec 2021) |
Cisco Unified Contact Center Enterprise - Live Data server | CSCwa46810 | 11.6(1)ES23 (23 Dec 2021) 12.0(1)ES18 (23 Dec 2021) 12.5(1)ES13 (23 Dec 2021) 12.6(1)ES03 (23 Dec 2021) |
Cisco Unified Contact Center Enterprise | CSCwa47273 | 11.6(2) (Available) 12.0(1) (Available) 12.5(1) (Available) 12.6(1) (Available) |
Cisco Unified Contact Center Express | CSCwa47388 | 12.5(1)SU1 (23 Dec 2021) |
Cisco Unified Customer Voice Portal | CSCwa47275 | 11.6(2) (Available) 12.0(1) (Available) 12.5(1) (Available) 12.6(1) (23 Dec 2021) |
Cisco Unified Intelligence Center | CSCwa46525 | 12.6(1) (23 Dec 2021) |
Cisco Unified SIP Proxy Software | CSCwa47265 | 10.2.1v2 patch (23 Dec 2021) |
Cisco Unity Connection | CSCwa47387 | 11.5(1)SU7 patch (16 Dec 2021) 11.5(1)SU8 patch (16 Dec 2021) 11.5(1)SU9 patch (16 Dec 2021) 11.5(1)SU10 patch (16 Dec 2021) 11.5(1.18119-2) through 11.5(1.23162-1) patch (16 Dec 2021) |
Cisco Virtualized Voice Browser | CSCwa47397 | 12.5(1) (Available) 12.6(1) (23 Dec 2021) |
Cisco Webex Workforce Optimization | CSCwa51476 | Product is End of Software Maintenance - No Fixes Planned |
Video, Streaming, TelePresence, and Transcoding Devices | ||
Cisco Video Surveillance Operations Manager | CSCwa47360 | 7.14.4 patch (Available) |
Cisco Vision Dynamic Signage Director | CSCwa47351 | Contact Cisco TAC for a patch 6.4 SP3 (17 Jan 2021) |
Wireless | ||
Cisco Connected Mobile Experiences (CMX) | CSCwa47312 | 10.6.3-70 patch (Available) 10.6.3-105 patch (Available) 10.6.2-89 patch (Available) 10.4.1 patch (Available) |
Cisco investigated its product line to determine which products may be affected by these vulnerabilities.
Any product not listed in the Products Under Investigation or Vulnerable Products section of this advisory is to be considered not vulnerable.
Cisco has confirmed that these vulnerabilities do not affect the following Cisco products:
Cable Devices
Collaboration and Social Media
Endpoint Clients and Client Software
Meraki Products
Network Application, Service, and Acceleration
Network and Content Security Devices
Network Management and Provisioning
Routing and Switching - Enterprise and Service Provider
Routing and Switching - Small Business
Unified Computing
Voice and Unified Communications Devices
Video, Streaming, TelePresence, and Transcoding Devices
Wireless
Cisco investigated its cloud offerings to determine which products may be affected by these vulnerabilities. The following table lists Cisco cloud offerings that were part of this investigation.
Product | CVE-2021-44228 | CVE-2021-45046 |
---|---|---|
AppDynamics | Remediated - service-specific details | Remediated - service-specific details |
AppDynamics with Cisco Secure Application | Remediated - service-specific details | Remediated - service-specific details |
Cisco Cloud Email Security | Not vulnerable | Not vulnerable |
Cisco Cloudlock | Remediated | Remediated |
Cisco Cloudlock for Government | Remediated | Remediated |
Cisco Cognitive Intelligence | Not vulnerable | Not vulnerable |
Cisco Collaboration Experience Service (CES) | Not vulnerable | Not vulnerable |
Cisco Collaboration Experience Service Management (CESM) | Not vulnerable | Not vulnerable |
Cisco Crosswork Cloud | Not vulnerable | Not vulnerable |
Cisco CX Cloud | Remediated | Remediated |
Cisco Defense Orchestrator | Not vulnerable | Not vulnerable |
Cisco DNA Spaces | Remediated | Remediated |
Cisco Intersight | Remediated | Remediated |
Cisco IoT Control Center | Remediated | Remediated |
Cisco IoT Operations Dashboard | Remediated | Remediated |
Cisco Kinetic for Cities | Remediated | Remediated |
Cisco Kinetic Gateway Management Module | Remediated | Remediated |
Cisco Managed Services Accelerator (MSX) | Remediated | Remediated |
Cisco Placetel | Not vulnerable | Not vulnerable |
Cisco PX Cloud | Remediated | Remediated |
Cisco SD-WAN Cloud | Remediated | Remediated |
Cisco SD-WAN vAnalytics | Not vulnerable | Not vulnerable |
Cisco Secure Application (integrated with AppDynamics) | Not vulnerable | Not vulnerable |
Cisco Secure Cloud Analytics, formerly Cisco Stealthwatch Cloud | Not vulnerable | Not vulnerable |
Cisco Secure Cloud Insights | Not vulnerable | Not vulnerable |
Cisco Secure Email Cloud Mailbox, formerly Cisco Cloud Mailbox Defense | Not vulnerable | Not vulnerable |
Cisco Secure Email Encryption Service, formerly Cisco Registered Envelope Service | Not vulnerable | Not vulnerable |
Cisco Secure Endpoint, formerly Cisco Advanced Malware Protection for Endpoints | Not vulnerable | Not vulnerable |
Cisco Secure Malware Analytics, formerly Cisco Threat Grid | Not vulnerable | Not vulnerable |
Cisco SecureX | Not vulnerable | Not vulnerable |
Cisco ServiceGrid | Not vulnerable | Not vulnerable |
Cisco Smart Net Total Care | Remediated | Remediated |
Cisco Umbrella DNS | Remediated | Remediated |
Cisco Umbrella SIG | Remediated | Remediated |
Cisco Unified Communications Management Cloud - UC Management | Remediated | Remediated |
Cisco Unified Communications Manager Cloud Commercial | Remediated | Remediated |
Cisco Unified Communications Manager Cloud for Government | Remediated | Remediated |
Cisco Webex Calling | Remediated | Remediated |
Cisco Webex Calling Carrier | Remediated | Remediated |
Cisco Webex Cloud Registered Endpoints | Not vulnerable | Not vulnerable |
Cisco Webex Cloud-Connected UC | Remediated | Remediated |
Cisco Webex Contact Center | Remediated | Remediated |
Cisco Webex Contact Center Enterprise | Remediated | Remediated |
Cisco Webex Control Hub | Remediated | Remediated |
Cisco Webex Experience Management | Not vulnerable | Not vulnerable |
Cisco Webex FedRAMP | Remediated | Remediated |
Cisco Webex for Government FedRAMP | Remediated | Remediated |
Cisco Webex Meetings | Remediated | Remediated |
Cisco Webex Meetings Slow Channel | Remediated | Remediated |
Cisco Webex Messaging | Remediated | Remediated |
Cisco Webex Site Admin webpage | Remediated | Remediated |
Duo Security | Remediated | Remediated |
Duo Security for Government | Remediated | Remediated |
eSIM Flex | Remediated | Remediated |
IMIassist | Not vulnerable | Not vulnerable |
IMIcampaign | Not vulnerable | Not vulnerable |
IMIconnect | Remediated | Remediated |
IMIengage | Not vulnerable | Not vulnerable |
IMImessenger/TextLocal Messenger | Not vulnerable | Not vulnerable |
IMImobile - Webex Contact Center Integration | Remediated | Remediated |
IMInotify | Not vulnerable | Not vulnerable |
IMIsocial | Not vulnerable | Not vulnerable |
Kenna.AppSec | Remediated | Remediated |
Kenna.VI/VI+ | Remediated | Remediated |
Kenna.VM | Remediated | Remediated |
Meraki | Not vulnerable | Not vulnerable |
Partner Supporting Service(PSS) | Remediated | Remediated |
Slido | Not vulnerable | Not vulnerable |
Smart Call Home(SCH) | Remediated | Remediated |
Socio | Not vulnerable | Not vulnerable |
ThousandEyes | Remediated | Remediated |
UC-One - UMS | Not vulnerable | Not vulnerable |
Any workarounds are documented in the product-specific Cisco bugs, which are identified in the Vulnerable Products section of this advisory.
For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products section of this advisory.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerabilities described in this advisory.
These vulnerabilities were disclosed by the Apache Software Foundation.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Version | Description | Section | Status | Date |
---|---|---|---|---|
1.32 | Updated vulnerable products. | Affected Products | Final | 2022-JAN-31 |
1.31 | Updated products confirmed not vulnerable. | Affected Products | Interim | 2022-JAN-11 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.