SimplerCloud Pte Ltd


News: Security Advisory: Critical Apache Log4j library zero-day vulnerability

Published: 13/12/2021

Last updated: 20 December 2021 @ 9:38am Singapore time.


Update on 16 December 2021: This advisory is being updated to include a second newly discovered vulnerability affecting Apache Log4j, which has been assigned a separate CVE ID: CVE-2021-45046.


===


This advisory is provided as a courtesy.


We would like to bring to your attention two newly discovered critical zero-day vulnerabilities affecting the Apache Log4j library (CVE-2021-44228 and CVE-2021-45046). CVE-2021-44228 has been assigned a CVSS severity level of 10 out of 10.


While you might not use the Log4j library directly, many software products and applications use this library to log messages, so there is a chance that some of the software and/or application products you are using are affected.


You are advised to check with the vendors of any software and/or application products that you are using to see if their products are affected. This issue affects Log4j versions between 2.0 and 2.15.0. To resolve the vulnerability, Log4j needs to be upgraded to the latest version, 2.16.0. Most of the affected products are Java applications running on Unix/Linux-based platforms.


More information:


CVE-2021-44228:


Apache Log4j Security Vulnerabilities
CVE-2021-44228
Critical vulnerability in Apache Log4j library


CVE-2021-45046:


CVE-2021-45046
Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released

Affected software (source):


Apache Log4j versions between 2.0 and 2.15.0.


How to Fix the Problem


Update your Apache Log4j to version 2.16.0.
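To find out which copies of the library a server actually carries, the following added example (not part of the original advisory or of any vendor tool) walks a directory tree, looks inside JAR/WAR/EAR archives, and labels each Log4j JAR against the version range stated above. It assumes the standard `log4j-core-<version>.jar` and `log4j-<version>.jar` file names, so renamed or shaded copies are not detected; the function names and the sample tree built in `demo()` are constructed for illustration.

```python
import os
import re
import tempfile
import zipfile

FIXED = (2, 16, 0)  # fixed release named in this advisory
JAR_RE = re.compile(r"(?:^|/)log4j-(?:core-)?(\d+(?:\.\d+)*)[^/]*\.jar$")

def classify(version):
    """Map a version string such as '2.14.1' to a status label."""
    v = tuple(int(p) for p in version.split("."))
    v += (0,) * (3 - len(v))  # pad '2.16' to (2, 16, 0)
    if v < (2, 0, 0):
        return "log4j-1.x"  # outside the 2.0 to 2.15.0 range
    return "affected" if v < FIXED else "fixed"

def scan_archive(path):
    """Look inside a JAR/WAR/EAR for bundled Log4j JARs (one level deep)."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return []  # unreadable or not a real archive
    return [(f"{path}!{n}", m.group(1), classify(m.group(1)))
            for n in names if (m := JAR_RE.search(n))]

def scan(root):
    """Return sorted (location, version, status) for each Log4j JAR found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if (m := JAR_RE.search(name)):
                hits.append((path, m.group(1), classify(m.group(1))))
            elif name.lower().endswith((".jar", ".war", ".ear")):
                hits.extend(scan_archive(path))
    return sorted(hits)

def demo():
    """Scan a constructed tree: one loose JAR and one WAR with bundled JARs."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb").close()
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", b"")
            war.writestr("WEB-INF/lib/log4j-1.2.17.jar", b"")
        return [(os.path.relpath(p, root), v, s) for p, v, s in scan(root)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real host, call `scan()` on the application's install directory; any row labelled `affected` is a copy that still needs the upgrade or a vendor patch.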


State of SimplerCloud's Cloud and Network Infrastructure


As of 16 December 2021, our check shows that SimplerCloud's cloud and network infrastructure is not affected by either vulnerability at the infrastructure level.


Other Software / Applications:


The status of some other popular software/application products that are commonly used by us and our customers, and that might be affected by this vulnerability, is listed below. The list is not exhaustive, and we might add more information to it later.


1. VMware


The vulnerability affects VMware vCenter Server and some other VMware products. As of the morning of 16 December 2021 (Singapore time), the vCenter Server patch to address both vulnerabilities has not yet been released. Two separate workaround patches are available to mitigate CVE-2021-44228 and CVE-2021-45046.


More details:


VMSA-2021-0028 & Log4j: What You Need to Know
VMware Advisory
Workaround


2. FortiNet FortiGate


FortiNet has confirmed that FortiOS, used in FortiGate firewall/UTM appliances, is not affected.


FortiGuard - Apache log4j2 log messages substitution (CVE-2021-44228)


3. Microsoft


So far, we have not seen any Microsoft Windows operating systems or popular Microsoft applications directly impacted by either vulnerability. Most of Microsoft's impacted products come from their Azure line of products.


Microsoft’s Response to CVE-2021-44228 Apache Log4j 2


4. Cloudflare


Cloudflare has secured its internal infrastructure to mitigate the vulnerability. Three new Web Application Firewall (WAF) rules have been added to mitigate exploit attempts against sites using Cloudflare services; these rules are also effective in mitigating the second vulnerability.


How Cloudflare security responded to Log4j 2 vulnerability
CVE-2021-44228 - Log4j RCE 0-day mitigation
Protection against CVE-2021-45046, the additional Log4j RCE vulnerability


5. Cisco


Cisco has confirmed that the Cisco IOS operating system used by many Cisco routers and switches is not affected by the vulnerability. It does affect some other Cisco products, such as Cisco Webex Meetings Server.


Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021


6. cPanel


In general, WHM/cPanel is not affected by either vulnerability unless the Solr plugin is installed. Nevertheless, you are advised to update WHM/cPanel to the latest version to resolve the issue.


ApacheSolr vulnerability CVE-2021-44228 for Log4j
ApacheSolr vulnerability CVE-2021-45046 for Log4j
log4j CVE-2021-44228, does it affect Cpanel?
cPanel & log4j vulnerability (CVE-2021-44228)


7. DirectAdmin


DirectAdmin confirmed that they do not use Log4j anywhere in their applications, so it's not affected by the vulnerability.


DirectAdmin forum: New zero-day exploit for Log4j Java library is an enterprise nightmare


8. Plesk


Plesk does not use Java internally, so it is not affected by this vulnerability.


Is Plesk affected by CVE-2021-44228 vulnerability in log4j package of Apache?


9. Apache CloudStack


The Apache Log4j developers and the SLF4J project advisory confirm that Apache Log4j 1.x does not offer a look-up mechanism and is not subject to the remote code execution (RCE) vulnerability in CVE-2021-44228.

All Apache CloudStack releases since v4.6 use Apache Log4j version 1.2.17 and are therefore not affected by this RCE vulnerability. Most users who haven't changed the default Log4j XML config don't need to do anything; advanced users can check and fix their Log4j XML configuration if they're using any custom JMS appenders.


CloudStack Advisory on Apache Log4j Zero Day (CVE-2021-44228)
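For the configuration check mentioned above, this added example (not CloudStack's or Apache's own code) parses a Log4j 1.x XML configuration, lists every appender of class `org.apache.log4j.net.JMSAppender`, and shows which loggers or other appenders reference it, so an unused definition can be told apart from an active one. The sample configuration, appender names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

JMS_CLASS = "org.apache.log4j.net.JMSAppender"  # Log4j 1.x JMS appender class

# Constructed sample of a Log4j 1.x XML config; not CloudStack's shipped file.
SAMPLE = """<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="FILE" class="org.apache.log4j.rolling.RollingFileAppender"/>
  <appender name="AUDITJMS" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="jms/auditTopic"/>
  </appender>
  <appender name="SPAREJMS" class="org.apache.log4j.net.JMSAppender"/>
  <logger name="com.example.audit"><appender-ref ref="AUDITJMS"/></logger>
  <root><appender-ref ref="FILE"/></root>
</log4j:configuration>"""

REFERRERS = ("logger", "category", "root", "appender")


def find_jms_appenders(xml_text):
    """Return {appender name: {'params': {...}, 'used_by': [...]}}."""
    root = ET.fromstring(xml_text)
    found = {}
    for app in root.iter("appender"):
        if app.get("class") == JMS_CLASS:
            params = {p.get("name"): p.get("value") for p in app.findall("param")}
            found[app.get("name")] = {"params": params, "used_by": []}
    # Record every logger, root or wrapping appender that points at a JMS appender.
    for parent in root.iter():
        if parent.tag in REFERRERS:
            for ref in parent.findall("appender-ref"):
                if ref.get("ref") in found:
                    owner = parent.get("name", parent.tag)
                    found[ref.get("ref")]["used_by"].append(owner)
    return found


def active_jms_appenders(xml_text):
    """Names of JMS appenders that something in the config actually uses."""
    return sorted(n for n, info in find_jms_appenders(xml_text).items()
                  if info["used_by"])


if __name__ == "__main__":
    for name, info in find_jms_appenders(SAMPLE).items():
        print(name, info["params"], "used by:", info["used_by"] or "nothing")
```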


10. Apache Web Server


From what we understand, Apache Web Server (httpd) is not affected by the vulnerability. Log4j is an Apache Software Foundation project but isn't otherwise connected to the Apache web server.


Is Apache Web Server affected?


11. WordPress CMS, Themes and Plug-Ins


WordPress does not use any Java components (Java is not to be confused with JavaScript), so it is not affected by the vulnerability. All WordPress plugins and themes are also not affected.


CVE-2021-44228 – log4j – wordpress affected or newspaper?