Log4j affects thousands of companies worldwide!

The Internet is being shaken up by a bug in Log4j. The leak was given the name Log4Shell and impacts almost all software vendors and thus many companies worldwide.

If you want to read more in detail about the Apache CVE-2021-44228, read the "Technical Advisory: Zero-day critical vulnerability in Log4j2 exploited in the wild" written by Martin Zugec

You can do an application vulnerability check again this list for all known affected software. "List of software (un)affected by the log4shell CVEs"

Agisko - Social - How to protect against Log4j Vulnerability-Medium-Quality

Because many vendors and software packages use the log4j component, this needs your immediate attention.

Below you will find the information about Log4j impact of the following vendors;

Rubrik
Nutanix
VMware
Citrix
NVIDIA
Awingu

Do you want to get notified about future Critical Product Notifications?

Subscribe to our free service that will inform you about future security patches and critical updates.

Rubrik

Rubrik has issued a new critical security bulletin RBK-20211210-V0030, in response to industry issues regarding the open-source Apache Software Foundation log4j Java logging component, a critical vulnerability with a CVSSv3 score of 10 out of 10, named CVE-2021-44228.

What Rubrik products are impacted?

Rubrik has determined that Polaris and all CDM 6.0, 5.3, and 5.2 versions are not vulnerable using known LDAP server attack vectors. All current Rubrik software platform versions run JDK versions, which are not affected by the Log4j vulnerability. In addition, Rubrik used known LDAP attack vectors to conduct multiple proof-of-concept attacks on Rubrik Polaris and CDM, but none of them were successful.

Resolution:

Although CDM and Polaris cannot be directly exploited through the LDAP attack vector, Rubrik plans to release a patch to apply the recommended Log4j changes by setting the “log4j2.formatMsgNoLookups” system property. Once the CDM patch is available (CDM 6.0.2-p1, 5.3.3-p5, and 5.2.3-p8), Rubrik recommends that all customers arrange to upgrade to the latest CDM version. Rubrik will automatically deploy the changes to all Polaris environments. The CDM patch and Polaris platform update will be available from December 13, 2021, as Rubrik will complete the test over the weekend.

More information can be found here: https://support.rubrik.com/s/announcementdetail?Id=a406f000001PwOcAAK

Workaround:
No workaround

VMWARE

VMware has issued a new critical security bulletin VMSA-2021-0028 in response to industry issues regarding the open-source Apache Software Foundation log4j Java logging component, a critical vulnerability with a CVSSv3 score of 10 out of 10, named CVE-2021-44228.

What VMware products are impacted?

This list is not yet final and therefore subject to change.

VMware Horizon
VMware vCenter Server
VMware HCX
VMware NSX-T Data Center
VMware Unified Access Gateway
VMware WorkspaceOne Access
VMware Identity Manager
VMware vRealize Operations
VMware vRealize Operations Cloud Proxy
VMware vRealize Log Insight
VMware vRealize Automation
VMware vRealize Lifecycle Manager
VMware Telco Cloud Automation
VMware Site Recovery Manager, vSphere Replication
VMware Carbon Black Cloud Workload Appliance
VMware Carbon Black EDR Server
VMware Tanzu GemFire
VMware Tanzu Greenplum
VMware Tanzu Operations Manager
VMware Tanzu Application Service for VMs
VMware Tanzu Kubernetes Grid Integrated Edition
VMware Tanzu Observability by Wavefront Nozzle
Healthwatch for Tanzu Application Service
Spring Cloud Services for VMware Tanzu
Spring Cloud Gateway for VMware Tanzu
Spring Cloud Gateway for Kubernetes
API Portal for VMware Tanzu
Single Sign-On for VMware Tanzu Application Service
App Metrics
VMware vCenter Cloud Gateway
VMware Tanzu SQL with MySQL for VMs
VMware vRealize Orchestrator
VMware Cloud Foundation
VMware Workspace ONE Access Connector
VMware Horizon DaaS
VMware Horizon Cloud Connector
VMware NSX Data Center for vSphere
VMware AppDefense Appliance

Resolution:
Fixes for CVE-2021-44228 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ here: https://www.vmware.com/security/advisories/VMSA-2021-0028.html.

Workaround:
Workarounds for CVE-2021-44228 are documented in the ‘Workarounds’ column of the ‘Response Matrix’ here: https://www.vmware.com/security/advisories/VMSA-2021-0028.html.

Nutanix

Nutanix has issued a new critical security bulletin Security Advisory 0023, in response to industry issues regarding the open-source Apache Software Foundation log4j Java logging component, a critical vulnerability with a CVSSv3 score of 10 out of 10, named CVE-2021-44228.

What Nutanix products are impacted?

This list is not yet final and therefore subject to change.

AOS (All supported versions)
Prism Central (All supported versions)
Volumes (All supported versions)
Sizer

All other services are being investigated.

Resolution:
No solution is yet available.

Workaround:
Currently, there is no workaround available. Nutanix saas-based applications have WAF filters enabled to provide protection temporarily.

Please keep an eye on this advisory, as Nutanix will update that document if a patch/ workaround is available. Security_Advisory_0023

Citrix

Citrix has issued a new critical security bulletin CTX335705 in response to industry issues regarding the open-source Apache Software Foundation log4j Java logging component, a critical vulnerability with a CVSSv3 score of 10 out of 10, named CVE-2021-44228.

What Citrix products are impacted?

As of this moment, no Citrix products are known to be impacted.

However, Citrix is still investigating the possible impact of this vulnerability on its products.

Resolution:
Please keep an eye on this Citrix article to stay up to date about the impact on Citrix products: https://support.citrix.com/article/CTX335705

Workaround:
Please keep an eye on this Citrix article to stay up to date about the impact on Citrix products: https://support.citrix.com/article/CTX335705

NVIDIA

NVIDIA has issued a new critical security bulletin 5293 in response to industry issues regarding the open-source Apache Software Foundation log4j Java logging component, a critical vulnerability with a CVSSv3 score of 10 out of 10 named CVE-2021-44228.

What NVIDIA products are impacted:

vGPU Software License Server 2021.07 and 2020.05 Update 1

Resolution:

None.

Workaround:
To mitigate this issue, please follow the instructions in “Log4j Java Vulnerability (CVE-2021-44228) for Legacy vGPU Software License Server” in the NVIDIA knowledge base, which you can find here: https://enterprise-support.nvidia.com/s/article/Log4j-Java-Vulnerability-CVE-2021-44228-for-vGPU-Legacy-License-Server

Awingu

Awingu has issued a new critical security bulletin in response to industry issues regarding the open-source Apache Software Foundation log4j Java logging component, a critical vulnerability with a CVSSv3 score of 10 out of 10 named CVE-2021-44228.

What Awingu products are impacted:
Awingu appliance

Resolution:
The Awingu 5.4.2 maintenance release is now live. We recommend upgrading as soon as possible.

Workaround:
None.

Subscribe to our blog