Log4j affects thousands of companies worldwide!
The Internet is being shaken up by a bug in Log4j. The vulnerability was given the name Log4Shell and impacts almost all software vendors and thus many companies worldwide.
If you want to read about CVE-2021-44228 in more detail, read the "Technical Advisory: Zero-day critical vulnerability in Log4j2 exploited in the wild" written by Martin Zugec.
Because many vendors and software packages use the log4j component, this needs your immediate attention.
Below you will find information about the Log4j impact on the following vendors:
Rubrik
Rubrik has issued a new critical security bulletin, RBK-20211210-V0030, in response to industry issues regarding the open-source Apache Software Foundation log4j Java logging component, a critical vulnerability with a CVSSv3 score of 10 out of 10, named CVE-2021-44228.
Rubrik has determined that Polaris and all CDM 6.0, 5.3, and 5.2 versions are not vulnerable using known LDAP server attack vectors. All current Rubrik software platform versions run JDK versions, which are not affected by the Log4j vulnerability. In addition, Rubrik used known LDAP attack vectors to conduct multiple proof-of-concept attacks on Rubrik Polaris and CDM, but none of them were successful.
Although CDM and Polaris cannot be directly exploited through the LDAP attack vector, Rubrik plans to release a patch that applies the recommended Log4j changes by setting the “log4j2.formatMsgNoLookups” system property. Once the CDM patch is available (CDM 6.0.2-p1, 5.3.3-p5, and 5.2.3-p8), Rubrik recommends that all customers arrange to upgrade to the latest CDM version. Rubrik will automatically deploy the changes to all Polaris environments. The CDM patch and Polaris platform update will be available from December 13, 2021, as Rubrik will complete testing over the weekend.
Workaround:
No workaround
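The Rubrik entry above relies on the “log4j2.formatMsgNoLookups” system property as its mitigation. The following triage helper is an added example (not Rubrik's or Apache's code) that a defender can run against a log4j-core jar to decide whether it is fixed (2.15.0 or later), mitigated (JndiLookup.class removed, or formatMsgNoLookups set on a 2.10+ release, which is the oldest line where that property exists), or still exposed to CVE-2021-44228. The jar it inspects is constructed inline as a sample; only the 2.x line is considered.

```python
import io
import re
import zipfile

# Paths that exist inside a real log4j-core jar; used as detection markers.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' (or '2.0-beta9') into a comparable tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups())


def assess_log4j_core(jar_bytes, jvm_props):
    """Return a triage verdict for a log4j-core jar given the JVM system properties."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    ver = parse_version(version) if version else None
    if ver is None:
        return "unknown: no log4j-core pom.properties found in jar"
    if ver >= (2, 15, 0):
        return f"fixed: log4j-core {version} contains the CVE-2021-44228 fix"
    if JNDI_LOOKUP not in names:
        return f"mitigated: JndiLookup.class has been removed from {version}"
    # formatMsgNoLookups only exists from 2.10 onwards; on older 2.x it does nothing.
    if ver >= (2, 10, 0) and jvm_props.get("log4j2.formatMsgNoLookups") == "true":
        return f"mitigated: log4j2.formatMsgNoLookups=true on {version}"
    return f"vulnerable: log4j-core {version} (CVE-2021-44228)"


def build_sample_jar(version, include_jndi=True):
    """Construct a minimal fake log4j-core jar (sample data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                "artifactId=log4j-core\n"
                                f"version={version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not bytecode
    return buf.getvalue()


if __name__ == "__main__":
    print(assess_log4j_core(build_sample_jar("2.14.1"), {}))
    print(assess_log4j_core(build_sample_jar("2.14.1"), {"log4j2.formatMsgNoLookups": "true"}))
```

On a live host, feed it the bytes of the jar found on disk and the properties read from the Java process command line (the `-D` flags).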
VMware
VMware has issued a new critical security bulletin VMSA-2021-0028 in response to industry issues regarding the open-source Apache Software Foundation log4j Java logging component, a critical vulnerability with a CVSSv3 score of 10 out of 10, named CVE-2021-44228.
What VMware products are impacted?
This list is not yet final and therefore subject to change.
VMware Horizon
VMware vCenter Server
VMware HCX
VMware NSX-T Data Center
VMware Unified Access Gateway
VMware WorkspaceOne Access
VMware Identity Manager
VMware vRealize Operations
VMware vRealize Operations Cloud Proxy
VMware vRealize Log Insight
VMware vRealize Automation
VMware vRealize Lifecycle Manager
VMware Telco Cloud Automation
VMware Site Recovery Manager, vSphere Replication
VMware Carbon Black Cloud Workload Appliance
VMware Carbon Black EDR Server
VMware Tanzu GemFire
VMware Tanzu Greenplum
VMware Tanzu Operations Manager
VMware Tanzu Application Service for VMs
VMware Tanzu Kubernetes Grid Integrated Edition
VMware Tanzu Observability by Wavefront Nozzle
Healthwatch for Tanzu Application Service
Spring Cloud Services for VMware Tanzu
Spring Cloud Gateway for VMware Tanzu
Spring Cloud Gateway for Kubernetes
API Portal for VMware Tanzu
Single Sign-On for VMware Tanzu Application Service
App Metrics
VMware vCenter Cloud Gateway
VMware Tanzu SQL with MySQL for VMs
VMware vRealize Orchestrator
VMware Cloud Foundation
VMware Workspace ONE Access Connector
VMware Horizon DaaS
VMware Horizon Cloud Connector
VMware NSX Data Center for vSphere
VMware AppDefense Appliance
Resolution:
Fixes for CVE-2021-44228 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ here: https://www.vmware.com/security/advisories/VMSA-2021-0028.html.
Workaround:
Workarounds for CVE-2021-44228 are documented in the ‘Workarounds’ column of the ‘Response Matrix’ here: https://www.vmware.com/security/advisories/VMSA-2021-0028.html.
Nutanix
Nutanix has issued a new critical security bulletin, Security Advisory 0023, in response to industry issues regarding the open-source Apache Software Foundation log4j Java logging component, a critical vulnerability with a CVSSv3 score of 10 out of 10, named CVE-2021-44228.
This list is not yet final and therefore subject to change.
AOS (All supported versions)
Prism Central (All supported versions)
Volumes (All supported versions)
Sizer
All other services are being investigated.
Resolution:
No solution is yet available.
Workaround:
Currently, there is no workaround available. Nutanix SaaS-based applications have WAF filters enabled to provide temporary protection.
Please keep an eye on Security Advisory 0023, as Nutanix will update that document when a patch or workaround is available.
Citrix
Citrix has issued a new critical security bulletin CTX335705 in response to industry issues regarding the open-source Apache Software Foundation log4j Java logging component, a critical vulnerability with a CVSSv3 score of 10 out of 10, named CVE-2021-44228.
As of this moment, no Citrix products are known to be impacted.
However, Citrix is still investigating the possible impact of this vulnerability on its products.
Resolution:
Please keep an eye on this Citrix article to stay up to date about the impact on Citrix products: https://support.citrix.com/article/CTX335705
Workaround:
Please keep an eye on this Citrix article to stay up to date about the impact on Citrix products: https://support.citrix.com/article/CTX335705
NVIDIA
vGPU Software License Server 2021.07 and 2020.05 Update 1
Workaround:
To mitigate this issue, please follow the instructions in “Log4j Java Vulnerability (CVE-2021-44228) for Legacy vGPU Software License Server” in the NVIDIA knowledge base, which you can find here: https://enterprise-support.nvidia.com/s/article/Log4j-Java-Vulnerability-CVE-2021-44228-for-vGPU-Legacy-License-Server
Awingu
Awingu has issued a new critical security bulletin in response to industry issues regarding the open-source Apache Software Foundation log4j Java logging component, a critical vulnerability with a CVSSv3 score of 10 out of 10 named CVE-2021-44228.
What Awingu products are impacted:
Awingu appliance
Resolution:
The Awingu 5.4.2 maintenance release is now live. We recommend upgrading as soon as possible.
Workaround:
None.