On this page: |
Advisory ID: | appd-sa-log4shell | |
First Published: | 2021 December 10 14:00 PST | |
Last Updated: | 2022 January 7 12:00 PST | |
Version 1.26: | Interim | |
Workarounds: | See Product-Specific Information below. | |
CVSS Score: | Base 10.0 (CVE-2021-44228) Base 9.0 (CVE-2021-45046) |
On December 9, 2021, the following critical vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions earlier than 2.15.0 was disclosed:
On December 14, 2021, the following critical vulnerability, which affects certain Apache Log4j use cases in versions 2.15.0 and earlier, was disclosed:
On December 17, 2021, Apache disclosed another Log4j vulnerability (CVE-2021-45105) affecting certain versions of Log4j prior to 2.17. On December 27, 2021, Apache disclosed another Log4j vulnerability (CVE-2021-44832) affecting certain versions of Log4j, up to and including 2.17. Updates for these newer vulnerabilities are addressed in Security Advisory: CVE-2021-45105 in Apache Log4j. |
For detailed descriptions of these vulnerabilities, see Apache Log4j Security Vulnerabilities.
This advisory is intended to address products used by AppDynamics' customers on their premises and may require customers to take action. The AppDynamics’ SaaS platform is continually monitored and improved. As part of the response to this vulnerability, we have found vulnerable libraries within our SaaS environment and taken mitigation steps to minimize the risk to customers and their data. We have also increased our regular threat hunting and monitoring to catch and investigate any anomalies and have expanded our protections to reduce any potential attack window (e.g. blocking known bad IP addresses, etc.). Should there be any impact from this vulnerability to our SaaS customers, we will communicate directly with those customers through standard support channels. No further updates regarding SaaS response are expected to be addressed here. |
This advisory is available at the following link: https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability
For questions about other Cisco products, see the Cisco Public Advisory.
Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.
Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.
AppDynamics recommends that customers upgrade to version 21.12.1 (or higher).
No mitigation has been tested for this product at this time.
See "Enterprise Console / Controller (On-Premises)" below.
Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.
Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.
AppDynamics recommends customers upgrade to version 21.12.1 (or higher).
The On-Prem Enterprise Console / Controller includes a Java Agent. The Java Agent included in Enterprise Console prior to 21.4.10 was vulnerable to CVE-2021-44228 and CVE-2021-45046.
AppDynamics recommends that customers upgrade to version 21.4.10 (or higher).
Customers who are unable to upgrade can mitigate the risk of these vulnerabilities in two ways:
<controller-directory>/appserver/glassfish/domains/domain1/appagent
Versions prior to 21.11.1 are vulnerable to CVE-2021-44228 and CVE-2021-45046.
Versions prior to 21.11.2 are vulnerable to CVE-2021-45046.
AppDynamics recommends that customers using Java Agent JDK 8+ upgrade to Java Agent JDK 8+ 21.11.2 (or higher).
(Please Note: Java Agent JDK8+ does not support JDK6 or JDK7)
All versions configured for JDK6 are not vulnerable as this configuration uses Log4j 1.x.
Versions prior to 21.11.2 configured for JDK7 or above are vulnerable to CVE-2021-44228 and CVE-2021-45046.
AppDynamics recommends that customers using Java Agent Legacy - Sun and JRockit upgrade to Java Agent Legacy - Sun and JRockit 21.11.2.
All versions configured for JDK6 are not vulnerable as this configuration uses Log4j 1.x.
Versions prior to 21.11.2 configured for JDK7 or above are vulnerable to CVE-2021-44228 and CVE-2021-45046.
AppDynamics recommends that customers using Java Agent Legacy - IBM JVM upgrade to Java Agent Legacy - IBM JVM 21.11.2 (or higher).
Applies to Java Agent JDK 8+, Java Agent Legacy - Sun and JRockit, and Java Agent Legacy - IBM JVM
Customers who cannot upgrade to a fixed release of Java Agent may mitigate this risk by removing the JndiLookup class. The following command should be executed in the <version>/lib/tp directory where the agent is installed:
zip -dq log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class |
This change requires a restart of the application.
Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.
Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.
AppDynamics recommends that customers running on Windows upgrade to version 21.12.2 (or higher).
AppDynamics recommends that customers upgrade to version 21.12.1 (or higher) for all other operating systems.
Customers who are unable to upgrade can mitigate the risk from this vulnerability by executing the following command in the Machine Agent install directory:
zip -dq lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class |
This change requires a restart of the Machine Agent.
Versions prior to 21.9 are vulnerable to CVE-2021-44228 and CVE-2021-45046 only if the Java Proxy is enabled. (The Java Proxy is off by default in Node.js Agent 4.5.16 and later).
Customers running Node.js with the proxy enabled can mitigate this vulnerability by making one of the following two changes:
Option A: Disable the Java Proxy:
-Node.js versions 4.5.16 and later: Remove “proxy:true” from the agent configuration (this is the default configuration)
-Node.js versions prior to 4.5.16: Set “libagent:true” in the agent configuration
Option B: Check if the file singularity-log4j.jar
exists in the appdynamics-proxy/proxy/lib/
directory. If it exists, no action required from your end. If it doesn't exist, proceed by removing the JndiLookup
class from the classpath
. The following command should be executed in the <version>/lib/tp
directory where the agent is installed:
zip -dq log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class |
This change requires a restart of the application.
Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.
Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.
AppDynamics recommends that customers upgrade to version 21.12.1 (or higher).
No mitigation has been tested for this product at this time.
Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.
Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.
AppDynamics recommends that customers upgrade to version 21.12.1 (or higher).
No mitigation has been tested for this product at this time.
Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.
AppDynamics recommends that customers upgrade to version 21.12.1 (or higher).
Our CX teams are here to help if you need additional advice on your remediation steps. Please contact us here by booking a meeting with our team if we can be of any assistance.
AppDynamics has confirmed that the following products are not affected by CVE-2021-44228 and CVE-2021-45046:
.NET Agent
ABAP Agent (SAP ABAP Monitoring)
Analytics Agent
Browser Real User Monitoring (BRUM)
EUM Server
Events Service (On-Prem)
Go Language SDK Agent
IBM Integration Bus Agent (IIB) Agent
Mobile RUM Agent
Ruby Agent
Synthetic Private Agent (Linux-based)
Synthetic Private Agent (Windows-based)
Synthetic Server
See “Fixed Releases” below for a list of products which have been patched for CVE-2021-44228 and CVE-2021-45046.
Product-specific mitigations are outlined in the Vulnerable Products section above.
AppDynamics, a Cisco company, has released software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have a current license and have a valid support and maintenance agreement. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of their license agreement with AppDynamics. Security software updates do not entitle customers to a new software license or additional software feature sets.
Customers who have a current license and have a valid support and maintenance agreement can download the fixed version of software from their existing AppDynamics delivery server download account.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to open a support ticket in the AppDynamics Support system.
CVE-2021-44228 and CVE-2021-45046 have been fixed in the following releases. See the AppDynamics Download Portal at https://download.appdynamics.com.
Customers considering upgrades are encouraged to review our subsequent Security Advisory regarding vulnerabilities in Log4j 2.16 and 2.17: Security Advisory: CVE-2021-45105 in Apache Log4j |
Customers who are unable to upgrade to a fixed release should implement any mitigation steps outlined above in the Vulnerable Products section.
AppDynamics is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
CVE-2021-44228: This vulnerability was publicly disclosed by the Apache Log4j Security Vulnerabilities announcement on December 9, 2021.
CVE-2021-45046: This vulnerability was publicly disclosed by the Apache Log4j Security Vulnerabilities announcement on December 14, 2021.
https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability
Version | Description | Section | Status | Date |
---|---|---|---|---|
1.0 | Initial public release. | — | Interim | 2021-DEC-10 14:00 PST |
1.1 | Added more product information. | Affected Products | Interim | 2021-DEC-10 17:00 PST |
1.2 | Added more product information. | Affected Products | Interim | 2021-DEC-10 20:00 PST |
1.3 | Added more product information. | Affected Products | Interim | 2021-DEC-11 01:00 PST |
1.4 | Additional product information and corrected spelling of formatMsgNoLookups setting | Affected Products | Interim | 2021-DEC-11 15:00 PST |
1.5 | Additional product info. Sorted products alphabetically. | Affected Products | Interim | 2021-DEC-11 22:00 PST |
1.6 | Additional product info. | Affected Products | Interim | 2021-DEC-12 18:00 PST |
1.7 | Clarified product versions. Added steps for onprem controller java agent upgrade | Affected Products | Interim | 2021-DEC-13 01:00 PST |
1.8 | Adjusted Java Agent section to better clarify that only the JDK 8+ version is patched All others must be mitigated. | Affected Products | Interim | 2021-DEC-13 08:00 PST |
1.9 | Added additional system parameter variable | Affected Products | Interim | 2021-DEC-13 17:00 PST |
1.10 | Added IoT Device SDKs | Affected Products | Interim | 2021-DEC-13 19:00 PST |
1.11 | Added info about the SaaS environment. Added Java Agent Legacy clarification | Summary, Affected Products | Interim | 2021-DEC-13 22:00 PST |
1.12 | Added Ruby, Go Lang. Expanded product names for clarification | Affected Products | Interim | 2021-DEC-14 10:00 PST |
1.13 | Modified node.js instructions. Added info about CVE-2021-45046 | Summary, Affected Products | Interim | 2021-DEC-14 13:30 PST |
1.14 | Updated guidance for Java Agent & Machine Agent | Affected Products | Interim | 2021-DEC-14 18:00 PST |
1.15 | Updated Apache, Node.js, Python, PHP information, pending upgrade versions. | Affected Products | Interim | 2021-DEC-14 18:30 PST |
1.16 | Additional product info. | Affected Products | Interim | 2021-DEC-15 05:00 PST |
1.17 | Updated guidance for Java Agent, Machine Agent, Machine Agent for Windows, Node.js, and Products Confirmed Not Vulnerable | Affected Products | Interim | 2021-DEC-15 10:30 PST |
1.18 | Clarification for Java Agents running JDK6, Machine Agent Extensions under investigation | Affected Products | Interim | 2021-DEC-15 19:30 PST |
1.19 | Clarification on Machine Agent versions, Additional Assistance information | Affected Products | Interim | 2021-DEC-16 12:30 PST |
1.20 | Moved ServiceNow Agent to "under investigation" | Affected Products | Interim | 2021-DEC-16 14:30 PST |
1.21 | Published ServiceNow utility version | Affected Products | Interim | 2021-DEC-16 19:30 PST |
1.22 | Added Enterprise Console. Minor clarifying changes. | Summary, Affected Products | Interim | 2021-DEC-17 14:30 PST |
1.23 | Added CVE-2021-45105. | Summary | Interim | 2021-DEC-18 09:30 PST |
1.24 | Added link to advisory for CVE-2021-45105. | Summary | Interim | 2021-DEC-20 15:30 PST |
1.25 | Clarification on Synthetic Private Agent versions | Affected Products | Interim | 2021-DEC-21 02:00 PST |
1.26 | Added note about CVE-2021-44832. | Summary | Interim | 2022-JAN-07 12:00 PST |
ANY SOFTWARE OR RELEASES, INCLUDING BUT NOT LIMITED TO PATCHES, UPGRADES, AND HOTFIXES, MENTIONED IN THIS SECURITY ADVISORY IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. APPDYNAMICS DISCLAIMS ALL REPRESENTATIONS OR WARRANTIES, EITHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT THERETO, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL APPDYNAMICS, ITS AFFILIATES, OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS, OR SPECIAL DAMAGES, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY TO YOU. THE INFORMATION PROVIDED IN THIS SECURITY ADVISORY IS FOR INFORMATIONAL PURPOSES ONLY AND IN NO WAY SHALL BE CONSTRUED AS AN ALTERATION OF APPDYNAMICS’ EXISTING CONTRACTUAL OBLIGATIONS WITH ITS END USERS REGARDING VULNERABILITY MANAGEMENT OR OTHERWISE. END USERS ARE ENCOURAGED TO READ THE REQUIREMENTS SET FORTH HEREIN AND PERFORM THEIR OWN ANALYSIS OF THE APPLICABILITY AND IMPACT OF THE INFORMATION WITH RESPECT TO THEIR SPECIFIC CONFIGURATION AND USE CASE OF THE APPDYNAMICS SOFTWARE. |