Log4j vulnerability (last update: 17-12)


The world has been shaken up by a serious vulnerability in an open source product from the Apache Foundation. The component in question is called Log4j. The vulnerability exposes many systems worldwide to abuse by cybercriminals. The problem with Log4j is that it is integrated into a lot of software, which makes analysis and resolution complex.
 
Here we provide an overview of our products and vendors: to what extent they are affected by the vulnerability and what solution each vendor proposes. In many cases a solution or workaround is available.

Of course we can support you in resolving the vulnerability and implementing this solution. If you want our support, you can use the usual support channels, but we would advise you to give us a call. If desired, we can go through the manufacturer's proposed solution for each product with you.

 

General

The vulnerability was published on December 9, 2021 and is formally identified as CVE-2021-44228. It affects Apache Log4j versions lower than 2.15.0 (2.14.1 and lower). It is also referred to as Log4Shell or LogJam.

A word of caution when troubleshooting the issue: follow the manufacturer's or the Apache Foundation's instructions. Downloading and implementing solutions found elsewhere may not solve the problem and may even lead to greater damage.

References:

Log4j – Apache Log4j Security Vulnerabilities

CVE - CVE-2021-44228 (mitre.org)

 

Updates

2021-12-15: A second vulnerability has been found in the same components. It is identified as CVE-2021-45046 and is the result of an incomplete fix for the initial vulnerability.

2021-12-17: Updates from ManageEngine. Links are updated to most recent info. 

2021-12-20: Apache releases a third patch (Log4j 2.17.0) in order to fix the vulnerability. 

 

Kaspersky

NONE of Kaspersky's products contain this vulnerability.

Reference: CVE-2021-44228 vulnerability in Apache Log4j library | Securelist

 

KnowBe4

KnowBe4 indicates that it does not use the Log4j components.

 

Thales

Some versions of the Sentinel product line may contain the vulnerability. Thales provides a status update on the page referenced below.

Reference: Knowledge Article View - Thales Customer Support (thalesgroup.com)

 

Fortinet

A few of Fortinet's products contain the vulnerability. Fortinet provides an overview on its site.

Reference: CVE-2021-44228 — Apache Log4j Vulnerability | Fortinet

 

Forcepoint

Some of Forcepoint's products use the Log4j components and are therefore potentially vulnerable.

All of Forcepoint's products not listed are safe because they either do not use Java or use a safe version of Log4j.

Forcepoint recommends performing the suggested remedial actions as soon as possible.

Forcepoint DLP

Forcepoint DLP uses Log4j and needs to be remediated.

CVE-2021-44228 Java log4j vulnerability mitigation with Forcepoint DLP

Forcepoint Security Manager (Web, email and DLP)

CVE-2021-44228 Java log4j vulnerability mitigation with Forcepoint Security Manager

 

ManageEngine

ManageEngine indicates that their products do not directly use Log4j for logging. However, a number of ME products do use additional third-party components that may use Log4j and thus introduce a vulnerability.


The ManageEngine products that may contain Log4j are:

Product name              Jar version in bundled dependency
ADManager Plus            V2.11.1
ADAudit Plus              V2.10.0
DataSecurity Plus         V2.10.0
EventLog Analyzer         V2.9.1
M365 Manager Plus         V2.11.1
RecoveryManager Plus      V2.11.1
Exchange Reporter Plus    V2.11.1
Log360                    V2.9.1
Log360 UEBA               V2.11.1
Cloud Security Plus       V2.9.1
M365 Security Plus        V2.11.1
Analytics Plus            V2.7

 

ME products not listed above do NOT contain the vulnerability.

For each product that may use the Log4j component through third parties, ME provides a solution:

ADAudit Plus

Steps to protect ADAudit Plus from Log4j vulnerabilities (CVE-2021-45046 and CVE-2021-44228) (manageengine.com)

ADManager Plus

Update 2 about Apache Log4j vulnerabilities (CVE-2021-45046 and CVE-2021-44228): Steps to protect ADManager Plus (manageengine.com)

Analytics Plus

Update on the recent Apache Log4j2 vulnerabilities - Impact on ManageEngine Analytics Plus

Cloud Security Plus

Steps to protect Cloud Security Plus from Log4j vulnerabilities (CVE-2021-45046 and CVE-2021-44228) (manageengine.com)

DataSecurity Plus

Vulnerability news update - Data Security Plus (manageengine.com)

EventLog Analyzer

Fixing Log4j CVE-2021-44228 Vulnerability In EventLog Analyzer (manageengine.com)

Exchange Reporter Plus

Precautionary steps to take against Log4j vulnerability (manageengine.com)

Log360

Steps to protect Log360 from Log4j Vulnerabilities (manageengine.com)

Log360 UEBA

Precautionary steps to protect Log360 UEBA from Log4j vulnerabilities CVE-2021-45046 and CVE-2021-44228 (manageengine.com)

M365 Manager Plus

[Update] Precautionary steps to protect M365 Manager Plus from Log4j vulnerability (CVE-2021-44228 and CVE-2021-45046) (manageengine.com)

M365 Security Plus

[Update] Precautionary steps to protect M365 Security Plus from Log4j vulnerability (CVE-2021-44228 and CVE-2021-45046) (manageengine.com)

RecoveryManager Plus

[Update] Precautionary steps to protect RecoveryManager Plus from Log4j vulnerabilities (CVE-2021-44228) and (CVE-2021-45046) (manageengine.com)

 

Reference: Update on the recent Apache Log4j2 vulnerability - Impact on ManageEngine on-premises products

 

CBABenelux

CBABenelux, the One Stop IT tooling & IT Security service partner, is located in Amsterdam Sloterdijk. It has been a distributor since 1999, specialized in IT tools for IT management and IT security. CBABenelux has 12 senior IT employees with in-depth knowledge of all products supplied. We have partnerships with Fortinet, Forcepoint, Kaspersky, ManageEngine and Thales.

CBABenelux can help you implement a fix. Please contact us for more information: Contactform | CBABenelux