Advisory ID:

appd-sa-log4j-cve-2021-45105

CVE-2021-45105
First Published:

2021 December 20 13:00 PST

On this page:

Last Updated:

2022 January 7 09:30 PST

Version 1.7:

Interim

Workarounds:

See Product-Specific Information below.

CVSS Score:

Base 5.9

Summary

On December 17, 2021, the following high severity vulnerability was disclosed by Apache:

  • CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.

This CVE was later downgraded to a Medium severity. For a detailed description of this vulnerability, see the Apache Log4j Security Vulnerabilities page.

This advisory is intended to address products used by AppDynamics' customers on their premises and which may require customers to take action.

The AppDynamics’ SaaS platform is continually monitored and improved. Should there be any impact from this vulnerability to our SaaS customers, we will communicate directly with those customers through standard support channels. No further updates regarding SaaS response are expected to be addressed here.

This advisory is available at the following link: Security Advisory: CVE-2021-45105 in Apache Log4j  

For information about how AppDynamics products were affected by vulnerabilities in Log4j versions prior to 2.16 (CVE-2021-44228 and CVE-2021-45046, specifically), see our Security Advisory: Apache Log4j Vulnerability

On December 27, 2021, Apache disclosed a new Medium-severity Log4j vulnerability (CVE-2021-44832) affecting certain versions of Log4j, up to and including 2.17. While CVE-2021-44832 is a Medium-severity vulnerability, AppDynamics is prioritizing releases that include Log4j 2.17.1.

Customers who wish to upgrade to a product that includes Log4j 2.17.1 can see the product-specific information below.

For questions about other Cisco products, see the Cisco Public Advisory

Affected Products

Products Under Investigation

At this time, there are no products under active investigation. AppDynamics continues to monitor this situation and will update this document as information becomes available.

Vulnerable Products

Apache Web Server Agent

The default Log4j configuration shipped with all versions of this agent is not vulnerable to this CVE because the agent does not include Patterns that involve Context lookups. Customers who have not modified the default configuration are not at risk from this vulnerability.

Customers who want to deploy an agent that uses Log4j 2.17 may upgrade to version 21.12.3.

Customers who want to deploy an agent that uses Log4j 2.17.1 may upgrade to version 22.1.0.

Database Agent

Versions prior to 21.12.2 may be vulnerable to this CVE. Version 21.12.2 includes an upgrade of Log4j to 2.17.

AppDynamics recommends that customers upgrade to version 21.12.2 (or higher). 

Customers who want to deploy an agent that uses Log4j 2.17.1 may upgrade to version 21.12.4.

Enterprise Console / Controller (On-Premises)

The On-Prem Enterprise Console / Controller includes a Java Agent. The Java Agent included in Enterprise Console 21.4.10 is not vulnerable to this CVE because the agent does not include Patterns that involve Context lookups. Customers who have not modified the default configuration are not at risk from this vulnerability.

Customers who want to deploy a Java Agent with log4j 2.17 can upgrade the Controller's Java Agent to a fixed release. See "Java Agent" below, and reference Upgrade the Java Agent in our Docs for detailed steps. The Controller’s Java Agent is installed in the following directory:

<controller-directory>/appserver/glassfish/domains/domain1/appagent 

Java Agent

The default Log4j configuration shipped with all versions of Java Agent is not vulnerable to this CVE because the agent does not include Patterns that involve Context lookups. Customers who have not modified the default configuration are not at risk from this vulnerability.

Customers who want to deploy an agent that uses Log4j 2.17 may upgrade to version 21.11.3.

Customers who want to deploy an agent that uses Log4j 2.17.1 or Log4j 2.12.4 (for JDK 7 versions) may upgrade to version 21.11.4.

Machine Agent

Machine Agent is not vulnerable to this CVE because the agent does not include Patterns that involve Context lookups.

Customers who want to deploy an agent that uses Log4j 2.17 may upgrade to version 21.12.4.

Customers who want to deploy an agent that uses Log4j 2.17.1 may upgrade to version 21.12.5.

Machine Agent Extensions

Versions of the CA Siteminder Extension (ca-siteminder-monitoring-extension) prior to 2.0.2 are vulnerable to this CVE. AppDynamics recommends that customers obtain version 2.0.2 (or higher) from our GitHub repository at https://github.com/Appdynamics/ca-siteminder-monitoring-extension.

Node.js Agent

The default Log4j configuration shipped with this agent is not vulnerable to this CVE because:

  • the Java Proxy is not enabled by default (versions 4.5.16 and later)
  • the Java proxy, in its default configuration, does not include Patterns that involve Context lookups. Customers who have not modified the default configuration are not at risk from this vulnerability.

Customers running Node.js Agent with the Java Proxy enabled can disable it:

  • Node.js versions 4.5.16 and later: Remove “proxy:true” from the agent configuration
  • Node.js versions prior to 4.5.16: Set “libagent:true” in the agent configuration

PHP Agent

The default Log4j configuration shipped with all versions of this agent is not vulnerable to this CVE because the agent does not include Patterns that involve Context lookups. Customers who have not modified the default configuration are not at risk from this vulnerability.

Customers who want to deploy an agent that uses Log4j 2.17 may upgrade to version 21.12.2.

Customers who want to deploy an agent that uses Log4j 2.17.1 may upgrade to version 22.1.0.

Python Agent

The default Log4j configuration shipped with all versions of this agent is not vulnerable to this CVE because the agent does not include Patterns that involve Context lookups. Customers who have not modified the default configuration are not at risk from this vulnerability.

Customers who want to deploy an agent that uses Log4j 2.17 may upgrade to version 21.12.2.

Customers who want to deploy an agent that uses Log4j 2.17.1 may upgrade to version 22.1.0.

ServiceNow Utility (AppDynamics CMDB Integration)

Versions prior to 21.12.2 may be vulnerable to this CVE. Version 21.12.2 includes an upgrade of Log4j to 2.17.

AppDynamics recommends that customers upgrade to version 21.12.2 (or higher)

Products Confirmed Not Vulnerable 

AppDynamics has confirmed that the following products are not affected by this vulnerability:

  • .NET Agent
  • ABAP Agent (SAP ABAP Monitoring)
  • Analytics Agent
  • Browser Real User Monitoring (BRUM)
  • C/C++ SDK Agent
  • Cluster Agent
  • EUM GeoServer

  • EUM Server

  • Events Service (On-Prem)

  • Go Language SDK Agent

  • IBM Integration Bus Agent (IIB) Agent

  • IoT Device SDKs (C/C++, Java, REST API)
  • Mobile RUM Agent
  • Network Agent

  • Ruby Agent

  • Synthetic Private Agent (Linux-based)

  • Synthetic Private Agent (Windows-based)

  • Synthetic Server

See “Fixed Releases” below for a list of products which have been patched for this vulnerability.

Need Additional Help?

Our CX teams are here to help if you need additional advice on your remediation steps. Please contact us here by booking a meeting with our team if we can be of any assistance.

Workarounds

Any product-specific mitigations are outlined in the Vulnerable Products section above.

Fixed Software

AppDynamics, a Cisco company, has released software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have a current license and have a valid support and maintenance agreement. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of their license agreement with AppDynamics. Security software updates do not entitle customers to a new software license or additional software feature sets.

Customers who have a current license and have a valid support and maintenance agreement can download the fixed version of software from their existing AppDynamics delivery server download account.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to open a support ticket in the AppDynamics Support system.

Fixed Releases

This vulnerability has been fixed in the following releases. See the AppDynamics Download Portal at https://download.appdynamics.com.

  • Apache Web Server Agent 21.12.3 (version 22.1.0 includes log4j 2.17.1)
  • Database Agent 21.12.2 (version 21.12.4 includes log4j 2.17.1)
  • Java Agent JDK 8+ 21.11.3 (version 21.11.4 includes log4j 2.17.1)
  • Java Agent Legacy - IBM JVM 21.11.3 (version 21.11.4 includes log4j 2.12.4)
  • Java Agent Legacy - Sun and JRockit 21.11.3 (version 21.11.4 includes log4j 2.12.4)
  • Machine Agent 21.12.4 (version 21.12.5 includes log4j 2.17.1)
  • PHP Agent 2.12.2 (version 22.1.0 includes log4j 2.17.1)
  • Python Agent 21.12.2 (version 22.1.0 includes log4j 2.17.1)
  • ServiceNow Utility (AppDynamics CMDB Integration) 21.12.2

Customers who are unable to upgrade to a fixed release should implement any mitigation steps outlined above in the Vulnerable Products section.

Exploitation and Public Announcements

AppDynamics is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

Source

CVE-2021-45105: This vulnerability was publicly disclosed by the Apache Log4j Security Vulnerabilities announcement on December 17, 2021.

CVE-2021-44832: This vulnerability was publicly disclosed by the Apache Log4j Security Vulnerabilities announcement on December 28, 2021.


URL

Security Advisory: CVE-2021-45105 in Apache Log4j

Revision History

VersionDescriptionSectionStatusDate
1.0Initial public release.Interim

2021-DEC-20 13:00 PST

1.1Clarification on Synthetic Private Agent versionsProducts Not VulnerableInterim2021-DEC-21 02:00 PST
1.2Updated guidance for Database and Python Agents and Machine Agent ExtensionsAffected ProductsInterim2021-DEC-21 03:00 PST
1.3Added info for more agents and Enterprise Console.Affected ProductsInterim2021-DEC-21 10:00 PST
1.4Corrected new release version for Apache, PHP, and Python agents.Affected ProductsInterim2021-DEC-21 14:00 PST
1.5Added new information regarding Machine Agent.Affected ProductsInterim2021-DEC-21 15:30 PST
1.6Added statement regarding CVE-2021-44832.SummaryInterim2022-JAN-07 00:30 PST
1.7Added info on products with log4j 2.17.1.Summary, Affected ProductsInterim2022-JAN-07 09:30 PST

LEGAL DISCLAIMER

ANY SOFTWARE OR RELEASES, INCLUDING BUT NOT LIMITED TO PATCHES, UPGRADES, AND HOTFIXES, MENTIONED IN THIS SECURITY ADVISORY IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. APPDYNAMICS DISCLAIMS ALL REPRESENTATIONS OR WARRANTIES, EITHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT THERETO, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL APPDYNAMICS, ITS AFFILIATES, OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS, OR SPECIAL DAMAGES, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY TO YOU. 

THE INFORMATION PROVIDED IN THIS SECURITY ADVISORY IS FOR INFORMATIONAL PURPOSES ONLY AND IN NO WAY SHALL BE CONSTRUED AS AN ALTERATION OF APPDYNAMICS’ EXISTING CONTRACTUAL OBLIGATIONS WITH ITS END USERS REGARDING VULNERABILITY MANAGEMENT OR OTHERWISE. END USERS ARE ENCOURAGED TO READ THE REQUIREMENTS SET FORTH HEREIN AND PERFORM THEIR OWN ANALYSIS OF THE APPLICABILITY AND IMPACT OF THE INFORMATION WITH RESPECT TO THEIR SPECIFIC CONFIGURATION AND USE CASE OF THE APPDYNAMICS SOFTWARE.