First published: Fri Dec 10 2021
Critical Vulnerabilities in Apache Log4j Java Logging Library

On December 9, 2021, the following critical vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions earlier than 2.15.0 was disclosed:

On December 14, 2021, the following critical vulnerability, which affects certain Apache Log4j use cases in versions 2.15.0 and earlier, was disclosed:

On December 18, 2021, a vulnerability in the Apache Log4j component affecting versions 2.16 and earlier was disclosed:

On December 28, 2021, a vulnerability in the Apache Log4j component affecting versions 2.17 and earlier was disclosed:

For a description of these vulnerabilities, see the Apache Log4j Security Vulnerabilities page.

Cisco's Response to These Vulnerabilities

Cisco assessed all products and services for impact from both CVE-2021-44228 and CVE-2021-45046. To help detect exploitation of these vulnerabilities, Cisco has released Snort rules at the following location: Talos Rules 2021-12-21

Product fixes that are listed in this advisory will address both CVE-2021-44228 and CVE-2021-45046 unless otherwise noted.

Cisco has reviewed CVE-2021-45105 and CVE-2021-44832 and has determined that no Cisco products or cloud offerings are impacted by these vulnerabilities. Cisco's standard practice is to update integrated third-party software components to later versions as they become available.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
Credit: These vulnerabilities were disclosed by the Apache Software Foundation.
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Log4j | <2.15.0, <2.15.0, <2.16, <2.17 | |
The severity of cisco-sa-apache-log4j-qRuKNEbd is critical due to the exploitability of the vulnerability in Apache Log4j.
To fix cisco-sa-apache-log4j-qRuKNEbd, update to Apache Log4j version 2.15.0 or later.
Affected versions in cisco-sa-apache-log4j-qRuKNEbd include all Log4j2 versions earlier than 2.15.0.
If exploited, cisco-sa-apache-log4j-qRuKNEbd can lead to remote code execution.
Mitigations for cisco-sa-apache-log4j-qRuKNEbd include disabling the JndiLookup class or using firewall rules to block access to vulnerable services.
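As an added example (not code from Cisco's advisory or the Log4j project), the following Python check lets a defender confirm that the JndiLookup mitigation above has actually been applied across a deployment: it opens each archive, including jars nested inside wars, ears and fat jars, and reports the log4j-core version together with whether JndiLookup.class is still present. It assumes Maven-built log4j-core jars carry the pom.properties file named in the code; the sample jar it builds is constructed for demonstration only.

```python
"""Check the JndiLookup mitigation: report each log4j-core jar's version and whether JndiLookup.class remains."""
import io
import os
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # assumption: Maven-built jar
ARCHIVES = (".jar", ".war", ".ear")

def inspect_jar_bytes(data, name):
    """One finding per log4j-core jar, or per jar that still contains JndiLookup.class; recurses into nested archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is not None or JNDI_CLASS in names:
            findings.append({"jar": name, "version": version, "jndi_lookup": JNDI_CLASS in names})
        for n in names:  # fat jars, wars and ears bundle log4j-core inside themselves
            if n.lower().endswith(ARCHIVES):
                findings.extend(inspect_jar_bytes(zf.read(n), name + "!" + n))
    return findings

def scan_directory(root):
    """Walk root and inspect every archive found; returns the combined findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(inspect_jar_bytes(fh.read(), path))
    return findings

def build_sample_jar(version, include_jndi, nested_in=None):
    """Constructed sample (not a real log4j artifact) so the check runs offline; nested_in wraps it in an outer archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=%s\n" % version)
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    if nested_in is None:
        return buf.getvalue()
    with zipfile.ZipFile(outer := io.BytesIO(), "w") as zf:
        zf.writestr(nested_in, buf.getvalue())
    return outer.getvalue()
```

Any finding with `jndi_lookup` still True, or a version below the fixed release, is a jar the mitigation has not reached; run `scan_directory` over each application's install and library directories.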