Apache Log4j 2 Vulnerability Notice
CVE-2021-45046
Softcat is aware of a further release of the above CVE in relation to this Apache log4j vulnerability, in which certain non standard configurations can lead to some deployments of log4j (versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0) vulnerable to a denial of service attack. This vulnerability does not carry the same risk as CVE-2021-44228, and has a much lower CVSS score (3.7). Finally, Version 2.16 (the recommended fix for this vulnerability) completely depreciates the vulnerable JNDI functionality. More information on this vulnerability can be found here.
What we know so far
Log4j 2 is an open-source Java logging library developed by the Apache Foundation. It is widely used in many applications and is present in many services as a dependency. This includes enterprise applications , including custom applications developed within an organisation, as well as numerous cloud services The Log4j 2 library is frequently used in enterprise Java software and is included in Apache frameworks including:
- Apache Struts2
- Apache Solr
- Apache Druid
- Apache Flink
- Apache Swift
Apache Log4j2 on versions 2.14.1 or lower have JNDI features used in configuration, log messages, and parameters that do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
What can customers do about it?
The most important fix available for this vulnerability is to update to version 2.16.0 or later, and where using a third party application ensuring you update products as releases become available.
Statement from Softcat:
Softcat’s Information Security team, with the assistance of our Cyber Services team, have been responding to the Log4J vulnerability since we became aware on the 10th December. This issue has board level visibility and ensuring Softcat remain resilient against this new vulnerability is a priority for us.
Since becoming aware our teams began utilising several overlapping techniques to identify the presence of Log4J in our estate, initially focusing on externally facing resources and continuing to those in our private networks. We have completed an assessment of external facing applications and have not identified any that are vulnerable. Where we have identified software vendors used on our private network (not internet facing) that include Log4J as a component we are utilising a combinations of detective and protective security controls to mitigate the risk while fixes from the vendor are deployed. Not all services utilising a vulnerable version of log4j can be exploited or easily exploited and we have prioritised them accordingly. Because this is a multifaceted effort, there is no single ETA for blanket remediation.
We can confirm our ecommerce platform, eCAT, does not use Log4J.
Customers of Softcat’s own managed service offerings can contact their service delivery manager to get a detailed update for the service/s they are consuming. Software utilised by some customers of Softcat’s Backup as a Service and Manage Print Service offerings is impacted and fixes have been released by the vendor to address this vulnerability. Customer contacts for these services have been notified by our service delivery team who are able to assist customers with any additional questions.
We have observed no indications that any systems or data has been compromised, and remain vigilant to any events related to log4j exploits.
Updates from our vendors
We want to ensure our customers are protected and kept in the loop with the latest updates from our Vendors.
Softcat has been monitoring the vendor ecosystem since the release of this vulnerability on 10th December 2021, and is reguarly updating the below tables. Vendors are grouped into one of four categories, and where possible references are provided:
| Classification | Definition |
| Confirmed | At least one product is vulnerable. |
| Under Investigation | Vendor is currently reviewing their posture. |
| Not Affected | Vendor has stated no products are vulnerable. |
| Awaiting Communication | No release from Vendor was found. |
The current list of vendors is as follows:
| Vendor | Is affected? | Reference available |
|---|---|---|
| Adobe | Confirmed | Read Here |
| Akamai | Confirmed | Read Here |
| AlienVault/AT&T | Not Affected | Softcat Confirmed Directly with AlienVault |
| Amazon Web Services | Confirmed | Read Here |
| APC | Awaiting Communication | |
| Apple | Confirmed | Icloud Vulnerable, No Reference Available |
| Arcserve | Not Affected | Confirmed Directly with Arcserve, No Reference Available |
| Arista | Confirmed | Read Here |
| Attivo | Awaiting Communication | |
| Avaya | Confirmed | Read Here |
| Barracuda | Not Affected | Read Here |
| Beyond Trust | Awaiting Communication | |
| BitDefender | Under Investigation | Read Here |
| Blackberry | Awaiting Communication | |
| BMC Software | Confirmed | Read Here |
| Carbon Black | Confirmed | Read Here |
| Cato Networks | Not Affected | Read Here |
| Check Point | Not Affected | Read Here |
| Cisco Systems | Confirmed | Read Here |
| Citrix Systems | Under Investigation | Read Here |
| Cloudhealth | Under Investigation | Read Here |
| Cohesity | Not Affected | Read Here |
| CommVault | Confirmed | Read Here |
| Corero | Awaiting Communication | |
| Crowdstrike | Not Affected | Read Here |
| CyberArk | Confirmed | Read Here |
| CyberReason | Not Affected | Read Here |
| Cylance | Awaiting Communication | |
| Datto | Not Affected | Read Here |
| Dell | Confirmed | Read Here |
| Docusign | Not Affected | Read Here |
| Druva | Under Investigation | Read Here |
| DuoSecurity | Confirmed | Read Here |
| Edgenexus | Not Affected | Softcat Confirmed Directly with Edgenexus |
| Egress | Confirmed | Read Here |
| Elastic | Confirmed | Read Here |
| F5 Networks | Under Investigation | Read Here |
| Forcepoint | Confirmed | Read Here |
| Forescout | Confirmed | Read Here |
| Fortinet | Confirmed | Read Here |
| F-Secure | Confirmed | Read Here |
| Gemalto | Awaiting Communication | |
| GN | Awaiting Communication | |
| Confirmed | Read Here | |
| GrayLog | Confirmed | Read Here |
| Hewlett Packard Enterprise |
Confirmed |
Read Here |
| HP Inc | Awaiting Communication | |
| Huawei | Confirmed | Read Here |
| iManage (Zendesk) | Confirmed | Read Here |
| IBM | Confirmed | Read Here |
| IBM Licence Metric Tool | Confirmed | Read Here |
| Imperva | Not Affected | Read Here |
| Indeni | Not Affected | Softcat Confirmed Directly with Indeni |
| Informatica | Confirmed | Read Here |
| Infortrend | Awaiting Communication | |
| Ivanti | Confirmed | Read Here |
| Jamf | Confirmed | Read Here |
| Jenkins | Under Investigation | Read Here |
| Jira | Confirmed | Read Here |
| Kaspersky | Not Affected | Read Here |
| Kemp | Not Affected | Read Here |
| Knowbe4 | Awaiting Communication | |
| LastPass | Confirmed | Read Here |
| Lenovo | Confirmed | Read Here |
| LogRhythm | Confirmed | Read Here |
| ManagedEngine | Confirmed | Read Here |
| McAfee | Under Investigation | Read Here |
| Microfocus | Confirmed | Read Here |
| Microsoft | Under Investigation | Read Here |
| Mimecast | Not Affected | Read Here |
| N-able | Not Affected | Read Here |
| NetApp | Confirmed | Read Here |
| Netmotion | Awaiting Communication | |
| Netwrix | Confirmed | Read Here |
| New Relic | Confirmed | Read Here |
| Nutanix | Confirmed | Read Here |
| Okta | Confirmed | Read Here |
| One Login | Awaiting Communication | |
| OneIdentity | Under Investigation | Read Here |
| Opswat | Awaiting Communication | |
| Oracle | Confirmed | Read Here |
| Origin Storage Solutions | Awaiting Communication | |
| Palo Alto | Not Affected | Read Here |
| Patch My PC | Awaiting Communication | |
| PingIdentity | Under Investigation | Read Here |
| Poly | Awaiting Communication | |
| Proofpoint | Confirmed | Read Here |
| Pulse Secure | Not Affected | Read Here |
| Puppet | Confirmed | Read Here |
| Pure Storage | Confirmed | Read Here |
| Qlik | Confirmed | Read Here |
| Qualys | Confirmed | Read Here |
| Quest | Confirmed | Read Here |
| Rapid7 | Under Investigation | Read Here |
| Red Hat | Confirmed | Read Here |
| Riverbed | Confirmed | Read Here |
| RSA | Confirmed | Read Here |
| Rubrik | Confirmed | Read Here |
| SailPoint | Under Investigation | Read Here |
| Salesforce | Under Investigation | Read Here |
| Samsung | Awaiting Communication | |
| SAP | Confirmed | Read Here |
| Science Logic | Not Affected | Read Here |
| SecurEnvoy | Awaiting Communication | |
| SentinelOne | Not Affected | Read Here |
| ServiceNow | Under Investigation | Read Here |
| Siemens | Confirmed | Read Here |
| Skybox | Confirmed | Read Here |
| Snow Software | Confirmed | Read Here |
| Solarwinds | Confirmed | Read Here |
| SonicWALL | Confirmed | Read Here |
| Sophos | Confirmed | Read Here |
| SpanningCloud Apps | Awaiting Communication | |
| Splunk | Confirmed | Read Here |
| STEALTHbits | Awaiting Communication | |
| Swimlane | Not Affected | Softcat Confirmed Directly with Swimlane |
| Symantec | Confirmed | Read Here |
| SysAid | Confirmed | Read Here |
| Tableau | Confirmed | Read Here |
| Tanium | Not Affected | Read Here |
| TeamViewer | Confirmed | Read Here |
| Tenable Network Security | Under Investigation | Softcat Confirmed Directly with Tenable |
| Thales | Confirmed | Read Here |
| ThousandEye | Confirmed | Read Here |
| Trend Micro | Under Investigation | Read Here |
| Tripwire | Confirmed | Read Here |
| Trustwave | Not Affected | Read Here |
| Tufin Software | Awaiting Communication | |
| Ubiquiti | Confirmed | Read Here |
| Varonis | Under Investigation | Read Here |
| Veeam | Not Affected | Read Here |
| Veritas | Confirmed | Read Here |
| VMware | Confirmed | Read Here |
| WatchGuard | Not Affected | Read Here |
| Yealink | Awaiting Communication | |
| Zebra Technologies | Confirmed | Read Here |
| Zoom | Awaiting Communication | |
| Zscaler | Not Affected | Read Here |