yfrytchsgd / log4jattacksurface Goto Github PK

Would this be something to link to for a more complete picture?
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

Here is a bash script to automatically check against this list & more
https://gist.github.com/Mwni/422434d479b7e4410e2ca7405ddc0369

Vendor confirms product to be unaffected as of this time

https://security.paloaltonetworks.com/CVE-2021-44228

Hi,

I want to offer collaboration on this matter. I have created a small website where findings can be added and voted on:
log4j.mwni.io

Perhaps we can sync up the lists?

Fortinet
https://www.fortiguard.com/psirt/FG-IR-21-245

Source:

https://community.ui.com/releases/UniFi-Network-Application-6-5-54/d717f241-48bb-4979-8b10-99db36ddabe1

https://proofpointcommunities.force.com/community/s/article/Status-of-Proofpoint-Products-with-CVE-2021-44228
Status of Proofpoint Products with CVE-2021-44228.pdf

Papercut MF - Print Management software

https://www.papercut.com/kb/Main/Log4Shell-CVE-2021-44228

Mitigation steps:
Windows:

• Stop the PaperCut application server (or Site Server).
  

• Navigate to the /server/bin/win folder.
  

• Open the service.conf file in that folder for editing (you will need to open it as Administrator).
  

• Find the line that looks like this: wrapper.java.additional.21=-Dpc-reserved=X
  

• Replace it with this: wrapper.java.additional.21=-Dlog4j2.formatMsgNoLookups=true
  

• Save the file.
  

• Start the PaperCut application server (or Site Server). 
  

macOS:

• Stop the PaperCut application server (or Site Server).
  

• Navigate to the /server/custom folder.
  

• Open the launch-app-server.conf file for editing.
  

• Add the following line to the end of the file: PC_CUSTOM_SERVER_ARG=-Dlog4j2.formatMsgNoLookups=true
  

• Save the file.
  

• Start the PaperCut application server (or Site Server). 
  

Linux:

• Stop the PaperCut application server.
  

• Navigate to the /server/bin/linux-x64 folder (or the linux-i686 or linux-common folder, depending on distro).
  

• Open the app-monitor.conf file in that folder for editing.
  

• Find the line that looks like this: wrapper.java.additional.21=-Dpc-reserved=X
  

• Replace it with this: wrapper.java.additional.21=-Dlog4j2.formatMsgNoLookups=true
  

• Save the file.
  

• Start the PaperCut application server. 
  

faq-security-advisory-id-20211213-v1.0.txt

They contain log4j 2.11.1

According to the provided link, PulseSecure is not affected. Why is it marked as TRUE?

I know FreeIPA runs Tomcat which I believe is vulnerable. I haven't been able to reproduce the vulnerability by injecting headers or POST data, but am curious if anyone has been able to confirm one way or another if FreeIPA is vulnerable or not.

https://access.redhat.com/security/vulnerabilities/RHSB-2021-009

https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Can someone please add:

ViewPoint Spectrum (confirmed vulnerable)
SysAid (confirmed Vulnerable)

https://docs.vmware.com/en/VMware-Workspace-ONE-Access/3.3/3-3-5-upgrade-guide/GUID-8D0DE628-031C-412D-9BBC-EF795F37A069.html

The Opensource IAM Keycloak does not seem to be affected by the log4j vulnerability.

If you check the pom.xml of the Core Build it states org.jboss.logging is used for logging.

Source:
https://mvnrepository.com/artifact/org.jboss.logging/jboss-logging

Hi there,

thanks a lot for providing the information in here.

Maybe I misunderstood something, but I think the table in the ReadMe might benefit highly from another column "Vulnerable: YES / NO".
At first look it seemed that PulseSecure was affected because the list said "VERIFIED: YES". However upon clicking the link to PulseSecure and checking the Post at PulseSecure, it turns out the verification resulted in all components not being vulnerable.

What do you think?

Kind regards,
Florian

Per Tenable, Spark and Tomcat may be impacted
https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-execution-vulnerability

• Fusion Middleware https://docs.oracle.com/cd/E29542_01/doc.1111/e35342/file_log4j_properties.htm#WBCSP241

• weblogic https://docs.oracle.com/cd/E17904_01/web.1111/e13739/config_logs.htm#WLLOG138

probably more products as well

Hi, I realized the evidence posted claiming that elasticsearch is vulnerable (even though elastic claimed otherwise) is not an ElasticSearch instance but rather the elastic.co website. Could you please revise it to confirm? Thanks.

@cckuailong 别tm瞎提交

https://www.jenkins.io/blog/2021/12/10/log4j2-rce-CVE-2021-44228/

The Jenkins security team has confirmed that Log4j is not used in Jenkins core. Jenkins plugins may be using Log4j. 

Atlassian Jira Server + Data center
Atlassian Confluence Server + Data Center

are also affected

https://www.pascom.net/forum/t/official-information-on-log4j-security-vulnerability/9503

As more and more vendors are publishing security advisories about their products, would it makes sense to add an "affected" column?
This "verified" column is only there to verify if the product is effectively affected with evidence. Implying non-affected solutions should be removed from the list or are simply not listed.
It could be still great to list non-affected products with a verified statement.
What you think?

https://blog.cloudflare.com/how-cloudflare-security-responded-to-log4j2-vulnerability/

• possibly https://blogs.sap.com/2019/09/10/efficient-log-management-for-java-applications-on-cloud-foundry-using-application-logging-and-elk-stack/
• found a hanfull of infos that log4j is included,

I guess google is logging text messages?! I just tried it and I see google IPs

The screenshot that is claimed as evidence originates from a tweet that was posted as a joke. Additionally, Blender neither uses Java nor does it open any connections to the internet by default.

https://twitter.com/chfourchfour/status/1469412054549286928

Discord confirms they use elasticsearch here.

Discord uses a middleman to ship logs to elasticsearch through Punt, listed here: https://github.com/discord/punt/

latest release 2.2.5 is affected

Customer managed Orchestrator and legacy GMS products are affected

https://www.arubanetworks.com/website/techdocs/sdwan/docs/advisories/media/security_advisory_notice_apache_log4j2_cve_2021_44228.pdf

Corrective Actions:

1. SSH to the Orchestrator virtual machine and log in as the admin user.
2. Change to the /home/gms/gms directory.
3. Open the file named “gmsserver” for editing.
4. Locate the line that starts with: exec $JAVA_HOME/bin/java
5. Add the text below just before com.silverpeak.gms.server.VistaPointServer

-Dlog4j.formatMsgNoLookups=true

6. Save and Reboot

should be clear over the weekend
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

https://www.dell.com/support/search/en-us#q=log4j&sort=date%20descending

Wyse
SupportAssist Enterprise
EMC Data Protection Manager