On this page:


Advisory ID:

appd-sa-log4shell

First Published:

2021 December 10 14:00 PST

Last Updated:

2022 January 7 12:00 PST

Version 1.26:

Interim

Workarounds:

See Product-Specific Information below.

CVSS Score:

Base 10.0 (CVE-2021-44228)

Base 9.0 (CVE-2021-45046)

Summary

On December 9, 2021, the following critical vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions earlier than 2.15.0 was disclosed:

  • CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.

On December 14, 2021, the following critical vulnerability, which affects certain Apache Log4j use cases in versions 2.15.0 and earlier, was disclosed:

  • CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.

On December 17, 2021, Apache disclosed another Log4j vulnerability (CVE-2021-45105) affecting certain versions of Log4j prior to 2.17.

On December 27, 2021, Apache disclosed another Log4j vulnerability (CVE-2021-44832) affecting certain versions of Log4j, up to and including 2.17.

Updates for these newer vulnerabilities are addressed in Security Advisory: CVE-2021-45105 in Apache Log4j.

For detailed descriptions of these vulnerabilities, see Apache Log4j Security Vulnerabilities.

This advisory is intended to address products used by AppDynamics' customers on their premises and may require customers to take action.

The AppDynamics’ SaaS platform is continually monitored and improved. As part of the response to this vulnerability, we have found vulnerable libraries within our SaaS environment and taken mitigation steps to minimize the risk to customers and their data. We have also increased our regular threat hunting and monitoring to catch and investigate any anomalies and have expanded our protections to reduce any potential attack window (e.g. blocking known bad IP addresses, etc.).

Should there be any impact from this vulnerability to our SaaS customers, we will communicate directly with those customers through standard support channels. No further updates regarding SaaS response are expected to be addressed here.

This advisory is available at the following link: https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability

For questions about other Cisco products, see the Cisco Public Advisory

Affected Products

Vulnerable Products

Apache Web Server Agent

Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.

Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.

AppDynamics recommends that customers upgrade to version 21.12.1 (or higher).

No mitigation has been tested for this product at this time. 

Controller (On-Premises)

See "Enterprise Console / Controller (On-Premises)" below.

Database Agent

Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.

Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.

AppDynamics recommends customers upgrade to version 21.12.1 (or higher). 

Enterprise Console / Controller (On-Premises)

The On-Prem Enterprise Console / Controller includes a Java Agent. The Java Agent included in Enterprise Console prior to 21.4.10 was vulnerable to CVE-2021-44228 and CVE-2021-45046.

AppDynamics recommends that customers upgrade to version 21.4.10 (or higher).

Customers who are unable to upgrade can mitigate the risk of these vulnerabilities in two ways:

  • Option A: Upgrade the Controller’s Java Agent to Java Agent JDK8+ 21.11.2. See Upgrade the Java Agent in our Docs for detailed steps. The Controller’s Java Agent is installed in the following directory:

<controller-directory>/appserver/glassfish/domains/domain1/appagent

  • Option B: Perform the mitigation steps documented below for the Java Agent.

Java Agent

Java Agent JDK 8+

Versions prior to 21.11.1 are vulnerable to CVE-2021-44228 and CVE-2021-45046.

Versions prior to 21.11.2 are vulnerable to CVE-2021-45046.

AppDynamics recommends that customers using Java Agent JDK 8+ upgrade to Java Agent JDK 8+ 21.11.2 (or higher).

(Please Note: Java Agent JDK8+ does not support JDK6 or JDK7)

Java Agent Legacy - Sun and JRockit

All versions configured for JDK6 are not vulnerable as this configuration uses Log4j 1.x.

Versions prior to 21.11.2 configured for JDK7 or above are vulnerable to CVE-2021-44228 and CVE-2021-45046.

AppDynamics recommends that customers using Java Agent Legacy - Sun and JRockit upgrade to Java Agent Legacy - Sun and JRockit 21.11.2.

Java Agent Legacy - IBM JVM

All versions configured for JDK6 are not vulnerable as this configuration uses Log4j 1.x.

Versions prior to 21.11.2 configured for JDK7 or above are vulnerable to CVE-2021-44228 and CVE-2021-45046.

AppDynamics recommends that customers using Java Agent Legacy - IBM JVM upgrade to Java Agent Legacy - IBM JVM 21.11.2 (or higher).

Mitigation for Java Agent

Applies to Java Agent JDK 8+, Java Agent Legacy - Sun and JRockit, and Java Agent Legacy - IBM JVM

Customers who cannot upgrade to a fixed release of Java Agent may mitigate this risk by removing the JndiLookup class. The following command should be executed in the <version>/lib/tp directory where the agent is installed: 

zip -dq log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
CODE

This change requires a restart of the application.

Machine Agent

Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.

Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.

AppDynamics recommends that customers running on Windows upgrade to version 21.12.2 (or higher).

AppDynamics recommends that customers upgrade to version 21.12.1 (or higher) for all other operating systems.

Customers who are unable to upgrade can mitigate the risk from this vulnerability by executing the following command in the Machine Agent install directory:


zip -dq lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class 
CODE

This change requires a restart of the Machine Agent.

Node.js Agent

Versions prior to 21.9 are vulnerable to CVE-2021-44228 and CVE-2021-45046 only if the Java Proxy is enabled. (The Java Proxy is off by default in Node.js Agent 4.5.16 and later).

Customers running Node.js with the proxy enabled can mitigate this vulnerability by making one of the following two changes:

  • Option A: Disable the Java Proxy:
    -Node.js versions 4.5.16 and later: Remove “proxy:true” from the agent configuration (this is the default configuration)
    -Node.js versions prior to 4.5.16: Set “libagent:true” in the agent configuration

  • Option BCheck if the file singularity-log4j.jar exists in the appdynamics-proxy/proxy/lib/ directory. If it exists, no action required from your end. If it doesn't exist, proceed by removing the JndiLookup class from the classpath. The following command should be executed in the <version>/lib/tp directory where the agent is installed:

    zip -dq log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    CODE

    This change requires a restart of the application.

PHP Agent

Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.

Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.

AppDynamics recommends that customers upgrade to version 21.12.1 (or higher).

No mitigation has been tested for this product at this time.

Python Agent

Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.

Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.

AppDynamics recommends that customers upgrade to version 21.12.1 (or higher). 

No mitigation has been tested for this product at this time.

ServiceNow Utility (AppDynamics CMDB Integration)

Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.

AppDynamics recommends that customers upgrade to version 21.12.1 (or higher)

Need Additional Help?

Our CX teams are here to help if you need additional advice on your remediation steps. Please contact us here by booking a meeting with our team if we can be of any assistance.

Products Confirmed Not Vulnerable

AppDynamics has confirmed that the following products are not affected by CVE-2021-44228 and CVE-2021-45046:

  • .NET Agent

  • ABAP Agent (SAP ABAP Monitoring)

  • Analytics Agent

  • Browser Real User Monitoring (BRUM)

  • C/C++ SDK Agent
  • Cluster Agent
  • EUM GeoServer
  • EUM Server

  • Events Service (On-Prem)

  • Go Language SDK Agent

  • IBM Integration Bus Agent (IIB) Agent

  • IoT Device SDKs (C/C++, Java, REST API)
  • Machine Agent Extensions
  • Mobile RUM Agent

  • Network Agent
  • Ruby Agent

  • Synthetic Private Agent (Linux-based)

  • Synthetic Private Agent (Windows-based)

  • Synthetic Server

See “Fixed Releases” below for a list of products which have been patched for CVE-2021-44228 and CVE-2021-45046.

Workarounds

Product-specific mitigations are outlined in the Vulnerable Products section above.

Fixed Software

AppDynamics, a Cisco company, has released software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have a current license and have a valid support and maintenance agreement. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of their license agreement with AppDynamics. Security software updates do not entitle customers to a new software license or additional software feature sets.

Customers who have a current license and have a valid support and maintenance agreement can download the fixed version of software from their existing AppDynamics delivery server download account.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to open a support ticket in the AppDynamics Support system.

Fixed Releases

CVE-2021-44228 and CVE-2021-45046 have been fixed in the following releases. See the AppDynamics Download Portal at https://download.appdynamics.com.

Customers considering upgrades are encouraged to review our subsequent Security Advisory regarding vulnerabilities in Log4j 2.16 and 2.17: Security Advisory: CVE-2021-45105 in Apache Log4j
  • Apache Web Server Agent 21.12.1
  • Database Agent 21.12.1 
  • Enterprise Console 21.4.10
  • Java Agent JDK 8+ 21.11.2
  • Java Agent Legacy - IBM JVM 21.11.2
  • Java Agent Legacy - Sun and JRockit 21.11.2
  • Machine Agent for Windows 21.12.2
  • Machine Agent for all other Operating Systems 21.12.1
  • PHP Agent 21.12.1 
  • Python Agent 21.12.1 
  • ServiceNow Utility (AppDynamics CMDB Integration) 21.12.1

Customers who are unable to upgrade to a fixed release should implement any mitigation steps outlined above in the Vulnerable Products section.

Exploitation and Public Announcements

AppDynamics is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

Source

CVE-2021-44228: This vulnerability was publicly disclosed by the Apache Log4j Security Vulnerabilities announcement on December 9, 2021.

CVE-2021-45046: This vulnerability was publicly disclosed by the Apache Log4j Security Vulnerabilities announcement on December 14, 2021.

URL

https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability

Revision History

VersionDescriptionSectionStatusDate
1.0Initial public release.Interim

2021-DEC-10 14:00 PST

1.1Added more product information.Affected ProductsInterim2021-DEC-10 17:00 PST
1.2Added more product information.Affected ProductsInterim2021-DEC-10 20:00 PST
1.3Added more product information.Affected ProductsInterim2021-DEC-11 01:00 PST
1.4Additional product information and corrected spelling of formatMsgNoLookups settingAffected ProductsInterim2021-DEC-11 15:00 PST
1.5Additional product info. Sorted products alphabetically.Affected ProductsInterim2021-DEC-11 22:00 PST
1.6Additional product info.Affected ProductsInterim2021-DEC-12 18:00 PST
1.7Clarified product versions. Added steps for onprem controller java agent upgradeAffected ProductsInterim2021-DEC-13 01:00 PST
1.8Adjusted Java Agent section to better clarify that only the JDK 8+ version is patched All others must be mitigated.Affected ProductsInterim2021-DEC-13 08:00 PST
1.9Added additional system parameter variableAffected ProductsInterim2021-DEC-13 17:00 PST
1.10Added IoT Device SDKsAffected ProductsInterim2021-DEC-13 19:00 PST
1.11Added info about the SaaS environment. Added Java Agent Legacy clarificationSummary, Affected ProductsInterim2021-DEC-13 22:00 PST
1.12Added Ruby, Go Lang. Expanded product names for clarificationAffected ProductsInterim2021-DEC-14 10:00 PST
1.13Modified node.js instructions. Added info about CVE-2021-45046Summary, Affected ProductsInterim2021-DEC-14 13:30 PST
1.14Updated guidance for Java Agent & Machine AgentAffected ProductsInterim2021-DEC-14 18:00 PST
1.15Updated Apache, Node.js, Python, PHP information, pending upgrade versions.Affected ProductsInterim2021-DEC-14 18:30 PST
1.16Additional product info.Affected ProductsInterim2021-DEC-15 05:00 PST
1.17Updated guidance for Java Agent, Machine Agent, Machine Agent for Windows, Node.js, and Products Confirmed Not VulnerableAffected ProductsInterim2021-DEC-15 10:30 PST
1.18

Clarification for Java Agents running JDK6, Machine Agent Extensions under investigation

Affected ProductsInterim2021-DEC-15 19:30 PST
1.19Clarification on Machine Agent versions, Additional Assistance informationAffected ProductsInterim2021-DEC-16 12:30 PST
1.20Moved ServiceNow Agent to "under investigation"Affected ProductsInterim2021-DEC-16 14:30 PST
1.21Published ServiceNow utility versionAffected ProductsInterim2021-DEC-16 19:30 PST
1.22Added Enterprise Console. Minor clarifying changes.Summary, Affected ProductsInterim2021-DEC-17 14:30 PST
1.23Added CVE-2021-45105.SummaryInterim2021-DEC-18 09:30 PST
1.24Added link to advisory for CVE-2021-45105.SummaryInterim2021-DEC-20 15:30 PST
1.25Clarification on Synthetic Private Agent versionsAffected ProductsInterim2021-DEC-21 02:00 PST
1.26Added note about CVE-2021-44832.SummaryInterim2022-JAN-07 12:00 PST

LEGAL DISCLAIMER

ANY SOFTWARE OR RELEASES, INCLUDING BUT NOT LIMITED TO PATCHES, UPGRADES, AND HOTFIXES, MENTIONED IN THIS SECURITY ADVISORY IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. APPDYNAMICS DISCLAIMS ALL REPRESENTATIONS OR WARRANTIES, EITHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT THERETO, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL APPDYNAMICS, ITS AFFILIATES, OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS, OR SPECIAL DAMAGES, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY TO YOU. 

THE INFORMATION PROVIDED IN THIS SECURITY ADVISORY IS FOR INFORMATIONAL PURPOSES ONLY AND IN NO WAY SHALL BE CONSTRUED AS AN ALTERATION OF APPDYNAMICS’ EXISTING CONTRACTUAL OBLIGATIONS WITH ITS END USERS REGARDING VULNERABILITY MANAGEMENT OR OTHERWISE. END USERS ARE ENCOURAGED TO READ THE REQUIREMENTS SET FORTH HEREIN AND PERFORM THEIR OWN ANALYSIS OF THE APPLICABILITY AND IMPACT OF THE INFORMATION WITH RESPECT TO THEIR SPECIFIC CONFIGURATION AND USE CASE OF THE APPDYNAMICS SOFTWARE.