Download PDF
Download page Security Advisory: Apache Log4j Vulnerability.
Security Advisory: Apache Log4j Vulnerability
On this page:
Advisory ID: | appd-sa-log4shell | |
First Published: | 2021 December 10 14:00 PST | |
Last Updated: | 2022 January 7 12:00 PST | |
Version 1.26: | Interim | |
Workarounds: | See Product-Specific Information below. | |
CVSS Score: | Base 10.0 (CVE-2021-44228) Base 9.0 (CVE-2021-45046) |
Summary
On December 9, 2021, the following critical vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions earlier than 2.15.0 was disclosed:
- CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.
On December 14, 2021, the following critical vulnerability, which affects certain Apache Log4j use cases in versions 2.15.0 and earlier, was disclosed:
- CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.
On December 17, 2021, Apache disclosed another Log4j vulnerability (CVE-2021-45105) affecting certain versions of Log4j prior to 2.17.
On December 27, 2021, Apache disclosed another Log4j vulnerability (CVE-2021-44832) affecting certain versions of Log4j, up to and including 2.17.
Updates for these newer vulnerabilities are addressed in Security Advisory: CVE-2021-45105 in Apache Log4j.
For detailed descriptions of these vulnerabilities, see Apache Log4j Security Vulnerabilities.
This advisory is intended to address products used by AppDynamics' customers on their premises and may require customers to take action.
The AppDynamics’ SaaS platform is continually monitored and improved. As part of the response to this vulnerability, we have found vulnerable libraries within our SaaS environment and taken mitigation steps to minimize the risk to customers and their data. We have also increased our regular threat hunting and monitoring to catch and investigate any anomalies and have expanded our protections to reduce any potential attack window (e.g. blocking known bad IP addresses, etc.).
Should there be any impact from this vulnerability to our SaaS customers, we will communicate directly with those customers through standard support channels. No further updates regarding SaaS response are expected to be addressed here.
This advisory is available at the following link: https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability
For questions about other Cisco products, see the Cisco Public Advisory.
Affected Products
Vulnerable Products
Apache Web Server Agent
Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.
Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.
AppDynamics recommends that customers upgrade to version 21.12.1 (or higher).
No mitigation has been tested for this product at this time.
Controller (On-Premises)
See "Enterprise Console / Controller (On-Premises)" below.
Database Agent
Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.
Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.
AppDynamics recommends customers upgrade to version 21.12.1 (or higher).
Enterprise Console / Controller (On-Premises)
The On-Prem Enterprise Console / Controller includes a Java Agent. The Java Agent included in Enterprise Console prior to 21.4.10 was vulnerable to CVE-2021-44228 and CVE-2021-45046.
AppDynamics recommends that customers upgrade to version 21.4.10 (or higher).
Customers who are unable to upgrade can mitigate the risk of these vulnerabilities in two ways:
- Option A: Upgrade the Controller’s Java Agent to Java Agent JDK8+ 21.11.2. See Upgrade the Java Agent in our Docs for detailed steps. The Controller’s Java Agent is installed in the following directory:
<controller-directory>/appserver/glassfish/domains/domain1/appagent
- Option B: Perform the mitigation steps documented below for the Java Agent.
Java Agent
Java Agent JDK 8+
Versions prior to 21.11.1 are vulnerable to CVE-2021-44228 and CVE-2021-45046.
Versions prior to 21.11.2 are vulnerable to CVE-2021-45046.
AppDynamics recommends that customers using Java Agent JDK 8+ upgrade to Java Agent JDK 8+ 21.11.2 (or higher).
(Please Note: Java Agent JDK8+ does not support JDK6 or JDK7)
Java Agent Legacy - Sun and JRockit
All versions configured for JDK6 are not vulnerable as this configuration uses Log4j 1.x.
Versions prior to 21.11.2 configured for JDK7 or above are vulnerable to CVE-2021-44228 and CVE-2021-45046.
AppDynamics recommends that customers using Java Agent Legacy - Sun and JRockit upgrade to Java Agent Legacy - Sun and JRockit 21.11.2.
Java Agent Legacy - IBM JVM
All versions configured for JDK6 are not vulnerable as this configuration uses Log4j 1.x.
Versions prior to 21.11.2 configured for JDK7 or above are vulnerable to CVE-2021-44228 and CVE-2021-45046.
AppDynamics recommends that customers using Java Agent Legacy - IBM JVM upgrade to Java Agent Legacy - IBM JVM 21.11.2 (or higher).
Mitigation for Java Agent
Applies to Java Agent JDK 8+, Java Agent Legacy - Sun and JRockit, and Java Agent Legacy - IBM JVM
Customers who cannot upgrade to a fixed release of Java Agent may mitigate this risk by removing the JndiLookup class. The following command should be executed in the <version>/lib/tp directory where the agent is installed:
zip -dq log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
This change requires a restart of the application.
Machine Agent
Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.
Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.
AppDynamics recommends that customers running on Windows upgrade to version 21.12.2 (or higher).
AppDynamics recommends that customers upgrade to version 21.12.1 (or higher) for all other operating systems.
Customers who are unable to upgrade can mitigate the risk from this vulnerability by executing the following command in the Machine Agent install directory:
zip -dq lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
This change requires a restart of the Machine Agent.
Node.js Agent
Versions prior to 21.9 are vulnerable to CVE-2021-44228 and CVE-2021-45046 only if the Java Proxy is enabled. (The Java Proxy is off by default in Node.js Agent 4.5.16 and later).
Customers running Node.js with the proxy enabled can mitigate this vulnerability by making one of the following two changes:
Option A: Disable the Java Proxy:
-Node.js versions 4.5.16 and later: Remove “proxy:true” from the agent configuration (this is the default configuration)
-Node.js versions prior to 4.5.16: Set “libagent:true” in the agent configurationOption B: Check if the file
singularity-log4j.jar
exists in theappdynamics-proxy/proxy/lib/
directory. If it exists, no action required from your end. If it doesn't exist, proceed by removing theJndiLookup
class from theclasspath
. The following command should be executed in the<version>/lib/tp
directory where the agent is installed:zip -dq log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
CODEThis change requires a restart of the application.
PHP Agent
Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.
Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.
AppDynamics recommends that customers upgrade to version 21.12.1 (or higher).
No mitigation has been tested for this product at this time.
Python Agent
Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.
Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.
AppDynamics recommends that customers upgrade to version 21.12.1 (or higher).
No mitigation has been tested for this product at this time.
ServiceNow Utility (AppDynamics CMDB Integration)
Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.
AppDynamics recommends that customers upgrade to version 21.12.1 (or higher).
Need Additional Help?
Our CX teams are here to help if you need additional advice on your remediation steps. Please contact us here by booking a meeting with our team if we can be of any assistance.
Products Confirmed Not Vulnerable
AppDynamics has confirmed that the following products are not affected by CVE-2021-44228 and CVE-2021-45046:
.NET Agent
ABAP Agent (SAP ABAP Monitoring)
Analytics Agent
Browser Real User Monitoring (BRUM)
- C/C++ SDK Agent
- Cluster Agent
- EUM GeoServer
EUM Server
Events Service (On-Prem)
Go Language SDK Agent
IBM Integration Bus Agent (IIB) Agent
- IoT Device SDKs (C/C++, Java, REST API)
- Machine Agent Extensions
Mobile RUM Agent
- Network Agent
Ruby Agent
Synthetic Private Agent (Linux-based)
Synthetic Private Agent (Windows-based)
Synthetic Server
See “Fixed Releases” below for a list of products which have been patched for CVE-2021-44228 and CVE-2021-45046.
Workarounds
Product-specific mitigations are outlined in the Vulnerable Products section above.
Fixed Software
AppDynamics, a Cisco company, has released software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have a current license and have a valid support and maintenance agreement. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of their license agreement with AppDynamics. Security software updates do not entitle customers to a new software license or additional software feature sets.
Customers who have a current license and have a valid support and maintenance agreement can download the fixed version of software from their existing AppDynamics delivery server download account.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to open a support ticket in the AppDynamics Support system.
Fixed Releases
CVE-2021-44228 and CVE-2021-45046 have been fixed in the following releases. See the AppDynamics Download Portal at https://download.appdynamics.com.
- Apache Web Server Agent 21.12.1
- Database Agent 21.12.1
- Enterprise Console 21.4.10
- Java Agent JDK 8+ 21.11.2
- Java Agent Legacy - IBM JVM 21.11.2
- Java Agent Legacy - Sun and JRockit 21.11.2
- Machine Agent for Windows 21.12.2
- Machine Agent for all other Operating Systems 21.12.1
- PHP Agent 21.12.1
- Python Agent 21.12.1
- ServiceNow Utility (AppDynamics CMDB Integration) 21.12.1
Customers who are unable to upgrade to a fixed release should implement any mitigation steps outlined above in the Vulnerable Products section.
Exploitation and Public Announcements
AppDynamics is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
Source
CVE-2021-44228: This vulnerability was publicly disclosed by the Apache Log4j Security Vulnerabilities announcement on December 9, 2021.
CVE-2021-45046: This vulnerability was publicly disclosed by the Apache Log4j Security Vulnerabilities announcement on December 14, 2021.
URL
https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability
Revision History
Version | Description | Section | Status | Date |
---|---|---|---|---|
1.0 | Initial public release. | — | Interim | 2021-DEC-10 14:00 PST |
1.1 | Added more product information. | Affected Products | Interim | 2021-DEC-10 17:00 PST |
1.2 | Added more product information. | Affected Products | Interim | 2021-DEC-10 20:00 PST |
1.3 | Added more product information. | Affected Products | Interim | 2021-DEC-11 01:00 PST |
1.4 | Additional product information and corrected spelling of formatMsgNoLookups setting | Affected Products | Interim | 2021-DEC-11 15:00 PST |
1.5 | Additional product info. Sorted products alphabetically. | Affected Products | Interim | 2021-DEC-11 22:00 PST |
1.6 | Additional product info. | Affected Products | Interim | 2021-DEC-12 18:00 PST |
1.7 | Clarified product versions. Added steps for onprem controller java agent upgrade | Affected Products | Interim | 2021-DEC-13 01:00 PST |
1.8 | Adjusted Java Agent section to better clarify that only the JDK 8+ version is patched All others must be mitigated. | Affected Products | Interim | 2021-DEC-13 08:00 PST |
1.9 | Added additional system parameter variable | Affected Products | Interim | 2021-DEC-13 17:00 PST |
1.10 | Added IoT Device SDKs | Affected Products | Interim | 2021-DEC-13 19:00 PST |
1.11 | Added info about the SaaS environment. Added Java Agent Legacy clarification | Summary, Affected Products | Interim | 2021-DEC-13 22:00 PST |
1.12 | Added Ruby, Go Lang. Expanded product names for clarification | Affected Products | Interim | 2021-DEC-14 10:00 PST |
1.13 | Modified node.js instructions. Added info about CVE-2021-45046 | Summary, Affected Products | Interim | 2021-DEC-14 13:30 PST |
1.14 | Updated guidance for Java Agent & Machine Agent | Affected Products | Interim | 2021-DEC-14 18:00 PST |
1.15 | Updated Apache, Node.js, Python, PHP information, pending upgrade versions. | Affected Products | Interim | 2021-DEC-14 18:30 PST |
1.16 | Additional product info. | Affected Products | Interim | 2021-DEC-15 05:00 PST |
1.17 | Updated guidance for Java Agent, Machine Agent, Machine Agent for Windows, Node.js, and Products Confirmed Not Vulnerable | Affected Products | Interim | 2021-DEC-15 10:30 PST |
1.18 | Clarification for Java Agents running JDK6, Machine Agent Extensions under investigation | Affected Products | Interim | 2021-DEC-15 19:30 PST |
1.19 | Clarification on Machine Agent versions, Additional Assistance information | Affected Products | Interim | 2021-DEC-16 12:30 PST |
1.20 | Moved ServiceNow Agent to "under investigation" | Affected Products | Interim | 2021-DEC-16 14:30 PST |
1.21 | Published ServiceNow utility version | Affected Products | Interim | 2021-DEC-16 19:30 PST |
1.22 | Added Enterprise Console. Minor clarifying changes. | Summary, Affected Products | Interim | 2021-DEC-17 14:30 PST |
1.23 | Added CVE-2021-45105. | Summary | Interim | 2021-DEC-18 09:30 PST |
1.24 | Added link to advisory for CVE-2021-45105. | Summary | Interim | 2021-DEC-20 15:30 PST |
1.25 | Clarification on Synthetic Private Agent versions | Affected Products | Interim | 2021-DEC-21 02:00 PST |
1.26 | Added note about CVE-2021-44832. | Summary | Interim | 2022-JAN-07 12:00 PST |
LEGAL DISCLAIMER
ANY SOFTWARE OR RELEASES, INCLUDING BUT NOT LIMITED TO PATCHES, UPGRADES, AND HOTFIXES, MENTIONED IN THIS SECURITY ADVISORY IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. APPDYNAMICS DISCLAIMS ALL REPRESENTATIONS OR WARRANTIES, EITHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT THERETO, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL APPDYNAMICS, ITS AFFILIATES, OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS, OR SPECIAL DAMAGES, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY TO YOU.
THE INFORMATION PROVIDED IN THIS SECURITY ADVISORY IS FOR INFORMATIONAL PURPOSES ONLY AND IN NO WAY SHALL BE CONSTRUED AS AN ALTERATION OF APPDYNAMICS’ EXISTING CONTRACTUAL OBLIGATIONS WITH ITS END USERS REGARDING VULNERABILITY MANAGEMENT OR OTHERWISE. END USERS ARE ENCOURAGED TO READ THE REQUIREMENTS SET FORTH HEREIN AND PERFORM THEIR OWN ANALYSIS OF THE APPLICABILITY AND IMPACT OF THE INFORMATION WITH RESPECT TO THEIR SPECIFIC CONFIGURATION AND USE CASE OF THE APPDYNAMICS SOFTWARE.