Log4Shell zero-day vulnerability
The Log4Shell zero-day vulnerability (CVE-2021-44228) was published on 10.12.2021.[1] It affects the widely used Log4j logging library for Java applications. An IT security service provider reports[2] that the vulnerability in Log4j may allow attackers to execute their own program code on the target system and thus compromise the server. This article lists the affected versions of Log4j and collects notes and links to vendor information.
Information from the BSI on the security vulnerability
The Federal Office for Information Security (BSI) has published a PDF on this vulnerability on its website; the following is an excerpt:[3]
Affected version
According to the Apache Software Foundation, Log4j versions 2.0-beta9 through 2.14.1 are vulnerable.[4] The Log4j 1.x branch is not affected by CVE-2021-44228, but it is end-of-life and receives no fixes for other issues.
Patched version
The Apache Software Foundation has released Log4j 2.16.0 as the patched version.[4] Note that the first fix in 2.15.0 was incomplete (CVE-2021-45046); installations that were updated to 2.15.0 should be updated again.
Risk rating
The BSI rates the vulnerability at 10.0 on the CVSS scale, the highest possible value, and therefore raised the IT threat level to warning level 4 / red on the evening of Saturday, 11.12.2021.
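The affected and patched version numbers above only help if you know which Log4j jars are actually installed. The following script is an added example (not part of the original wiki article and not a vendor tool) that audits log4j-core jars on disk against exactly that range. It reads the version from Implementation-Version in the jar manifest, checks whether JndiLookup.class is still present (removing that class is the Apache-documented mitigation for installations that cannot be updated right away), treats 2.15.0 as the incomplete first fix, and, going slightly beyond the excerpt above, also accepts the backport releases Apache published for older Java runtimes (2.12.2+ for Java 7, 2.3.1+ for Java 6) as fixed. The jars it scans are constructed in a temporary directory so the example runs offline; the paths and version list in demo() are assumptions for illustration only.

```python
"""Offline audit of log4j-core jars against the CVE-2021-44228 version range."""
import os
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple.

    Pre-releases sort before the final release of the same number,
    so 2.0-beta9 < 2.0 < 2.0.1 < 2.14.1.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable Log4j version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    pre_rank = {"alpha": 0, "beta": 1, "rc": 2}.get(m.group(4), 3)  # final release ranks last
    return (major, minor, patch, pre_rank, int(m.group(5) or 0))


FIRST_AFFECTED = parse_version("2.0-beta9")
LAST_AFFECTED = parse_version("2.14.1")
FIXED = parse_version("2.16.0")


def is_fixed(v: Version) -> bool:
    """2.16.0 and later, plus Apache's backport lines for old Java runtimes."""
    if v >= FIXED:
        return True
    if v[:2] == (2, 12) and v >= parse_version("2.12.2"):  # Java 7 line
        return True
    if v[:2] == (2, 3) and v >= parse_version("2.3.1"):  # Java 6 line
        return True
    return False


def jar_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Read Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def classify_jar(path: str) -> str:
    """Classify one jar: fixed / not affected / mitigated / vulnerable / partial fix."""
    with zipfile.ZipFile(path) as jar:
        version = jar_version(jar)
        has_jndi_lookup = JNDI_LOOKUP in jar.namelist()
    if version is None:
        return "unknown version"
    v = parse_version(version)
    if is_fixed(v):
        return "fixed"
    if v < FIRST_AFFECTED:
        return "not affected"
    if not has_jndi_lookup:
        return "mitigated (JndiLookup.class removed)"
    if v <= LAST_AFFECTED:
        return "vulnerable"
    return "partial fix (2.15.0, see CVE-2021-45046)"


def scan_tree(root: str) -> Dict[str, str]:
    """Map every log4j-core*.jar below root to its classification.

    Log4j 1.x jars (log4j-1.2.x.jar) do not match the glob and are out of
    scope: CVE-2021-44228 concerns the 2.x branch only.
    """
    root_path = Path(root)
    return {p.relative_to(root_path).as_posix(): classify_jar(str(p))
            for p in sorted(root_path.rglob("log4j-core*.jar"))}


def build_sample_jar(directory: str, version: str, keep_jndi: bool = True) -> str:
    """Write a constructed, minimal log4j-core-<version>.jar (not a real build)."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if keep_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return path


def demo() -> Dict[str, str]:
    """Constructed sample tree: two assumed applications with their lib dirs."""
    with tempfile.TemporaryDirectory() as tmp:
        app1, app2 = os.path.join(tmp, "app1", "lib"), os.path.join(tmp, "app2", "lib")
        build_sample_jar(app1, "2.0-beta9")
        build_sample_jar(app1, "2.14.1")
        build_sample_jar(app2, "2.14.1", keep_jndi=False)  # JndiLookup.class stripped
        build_sample_jar(app2, "2.15.0")
        build_sample_jar(app2, "2.16.0")
        build_sample_jar(app2, "2.12.2")
        return scan_tree(tmp)


if __name__ == "__main__":
    for jar_path, verdict in demo().items():
        print(f"{verdict:40s} {jar_path}")
```

For a real host, call scan_tree() on the application roots (for example /opt or a servlet container's webapps directory) instead of demo(). Two caveats for production use: the script does not look inside nested archives (wars, ears, shaded or fat jars), where log4j-core is frequently bundled, and a jar reported as "unknown version" has a missing or rewritten manifest and should be inspected by hand rather than ignored.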
Information from manufacturer
Information on the impact of the Log4Shell vulnerability and on the updates and configuration changes required to close it can be found on the following manufacturers' websites. We have requested statements from various manufacturers and will extend this list as we receive further information about other affected products.
| Manufacturer / Software | Affected by Log4Shell | Notes |
|---|---|---|
| Ubuntu | Yes, patches for apache-log4j2 available | CVE-2021-44228 |
| Debian | Yes, patches for apache-log4j2 available | CVE-2021-44228 |
| RHEL | Yes, patches available | CVE-2021-44228 |
| Univention Corporate Server | Information available | Status of log4j/log4shell Vulnerability CVE-2021-44228 in UCS and Apps |
| Intel | Information on Intel software products available | Intel Product Advisory for Apache Log4j2 Vulnerabilities (CVE-2021-44228 & CVE-2021-45046) |
| Microsoft | Information available | Microsoft's Response to CVE-2021-44228 Apache Log4j 2 |
| VMware | Yes, patches and workarounds partially available | VMSA-2021-0028.1 |
| OPNsense | No, not affected according to the developers | log4j and OPNsense |
| Proxmox | No, not affected according to the forum | ProxMox log4j / CVE-2021-44228 |
| Synology | No | Synology-SA-21:30 Log4Shell |
| Broadcom | No: LSI Storage Authority (LSA) uses no Java. Yes: MegaRAID Storage Manager versions 17.05.04.00 to 17.06.02.01 are affected; updates will be released soon. | Broadcom Response to Log4j Vulnerability; PDF document from Broadcom: Log4j2 Exposure (CVE-2021-44228) |
| Sunny Valley | No: Zenarmor (Sensei). Note on the Elasticsearch backend: "Elasticsearch is not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager, however we are making a fix available for an information leakage attack also associated with this vulnerability." | Apache Log4j RCE Status Update |
| Supermicro BIOS and BMC (IPMI) firmware | No | |
| ASUS BMC (IPMI) firmware | The ASMB8 to ASMB10 modules are not affected; for older modules we are still waiting for feedback from the manufacturer. | |
| Supermicro management software | Yes: Supermicro Power Manager (SPM), a patched version is in development. No: Supermicro Server Manager (SSM), SuperDoctor, Supermicro Update Manager (SUM). | |
| Microchip Adaptec | Yes, maxView is affected, patch available | Storage Management Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) |
Further affected systems
- List of affected manufacturers: Log4jAttackSurface
- Collection of links to affected manufacturers' advisories: BlueTeam CheatSheet *Log4Shell*
Further information
- Kritische Zero-Day-Lücke in Log4j gefährdet zahlreiche Server und Apps (Critical zero-day hole in Log4j endangers numerous servers and apps; heise.de, 10.12.2021)
- Warnstufe Rot: Schwachstelle Log4Shell führt zu extrem kritischer Bedrohungslage (Warning level red: Log4Shell vulnerability leads to an extremely critical threat situation; bsi.bund.de, 11.12.2021)
- Warnstufe Rot: Sicherheitslücke gefährdet die IT zahlreicher Unternehmen (Warning level red: security hole endangers the IT of numerous companies; handelsblatt.com, 11.12.2021)
References
- [1] CVE-2021-44228 (nvd.nist.gov)
- [2] Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package
- [3] Kritische Schwachstelle in log4j veröffentlicht (CVE-2021-44228) (Critical vulnerability in log4j published; bsi.bund.de)
- [4] Apache Log4j Security Vulnerabilities (logging.apache.org)
Author: Niklas Göttl. Niklas started his apprenticeship at Thomas-Krenn in 2017 after finishing school. Since completing it, he has worked in technical support, providing customers with quick and competent solutions to their problems.
Author: Thomas Niedermeier. Thomas Niedermeier works in the product management team at Thomas-Krenn and completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. He has been with Thomas-Krenn since 2013 and takes care of OPNsense firewalls, the Thomas-Krenn Wiki and firmware security updates.