Summary
On December 9, 2021, the following vulnerability in the Apache Log4j Java logging library, affecting all Log4j 2.x versions prior to 2.15.0, was disclosed:
- CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.
On December 14, 2021, Apache disclosed an additional vulnerability affecting all Log4j 2.x versions prior to 2.16.0:
- CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.
The fix for CVE-2021-44228 in Apache Log4j 2.15.0 was found to be incomplete: certain non-default configurations of Log4j (Pattern Layouts that use a Context Lookup such as ${ctx:loginId}, or a Thread Context Map pattern such as %X or %MDC) remained exposed, which at the time of disclosure was understood to allow a denial of service. Apache later reassessed CVE-2021-45046 as allowing remote code execution in those configurations and raised its CVSS score to 9.0. Although this second vulnerability was rated as lower severity when first published, the visibility this investigation has gathered and the proliferation of exploitation tools are such that we are including it in this advisory and providing guidance for it as well.
Affected Products
Vulnerable Products
Apache Agent
Apache Agents prior to 21.12.0 are at risk from the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.
Apache Agents prior to 21.12.1 are at risk from the CVE-2021-45046 vulnerability.
AppDynamics recommends that customers upgrade to Apache Agent 21.12.1.
No mitigation has been tested for this product at this time.
Controller (On Premises)
Customers running an on-premises Controller will need to upgrade the Java Agent bundled with it to Java Agent JDK8+ 21.11.2, or apply the mitigation steps documented for the Java Agent below.
Please see https://docs.appdynamics.com/21.4/en/application-monitoring/install-app-server-agents/java-agent/administer-the-java-agent/upgrade-the-java-agent#UpgradetheJavaAgent-UpgradetheJavaAgent for the upgrade steps. The included Java Agent is installed in:
Database Agent
Database Agents prior to 21.12.0 are at risk from the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.
Database Agents prior to 21.12.1 are at risk from the CVE-2021-45046 vulnerability.
Java Agent
Java Agent JDK 8+
Versions prior to 21.11.1 are vulnerable to CVE-2021-44228 and CVE-2021-45046.
Versions prior to 21.11.2 are vulnerable to CVE-2021-45046.
(Please note: Java Agent JDK8+ does not support JDK6 or JDK7.)
Java Agent Legacy - Sun and JRockit, all versions configured for JDK6: not vulnerable to these two CVEs, as this configuration uses log4j 1.x (which does not contain the JndiLookup class).
Java Agent Legacy - Sun and JRockit, versions prior to 21.11.2 configured for JDK7 or above: vulnerable to CVE-2021-44228 and CVE-2021-45046.
AppDynamics recommends that customers using Java Agent Legacy - Sun and JRockit upgrade to Java Agent Legacy - Sun and JRockit 21.11.2.
Java Agent Legacy - IBM JVM, all versions configured for JDK6: not vulnerable to these two CVEs, as this configuration uses log4j 1.x.
Java Agent Legacy - IBM JVM, versions prior to 21.11.2: vulnerable to CVE-2021-44228 and CVE-2021-45046.
AppDynamics recommends that customers using Java Agent Legacy - IBM JVM upgrade to Java Agent Legacy - IBM JVM 21.11.2.
MITIGATION - Java Agent JDK 8+, Java Agent Legacy - Sun and JRockit, Java Agent Legacy - IBM JVM
Customers who cannot upgrade to the latest Java Agent versions may mitigate this risk by removing the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the log4j-core jar on the agent's classpath. The following command should be executed in the <version>/lib/tp directory where the agent is installed:
This change requires a restart of the application. Removing the class disables all JNDI lookups in Log4j; it is a stop-gap until the agent can be upgraded, not a replacement for the upgrade.
Machine Agent
Machine Agents prior to 21.12.0 are at risk from the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.
Machine Agents prior to 21.12.1 are at risk from the CVE-2021-45046 vulnerability.
AppDynamics recommends that customers running on Windows upgrade to Machine Agent for Windows 21.12.2.
AppDynamics recommends that customers upgrade to Machine Agent 21.12.1 (or higher) for all other Operating Systems.
Customers who are unable to upgrade to Machine Agent 21.12.1 (or higher) can mitigate the risk from this vulnerability by executing the following command in the Machine Agent install directory:
This change requires a restart of the Machine Agent.
Node.js Agent
Node.js Agents prior to 21.9 are at risk from the CVE-2021-44228 and CVE-2021-45046 vulnerabilities only if the Java Proxy is enabled. (The Java Proxy is off by default in Node.js Agent 4.5.16 and later.)
Customers running Node.js with the proxy enabled can mitigate this vulnerability by making one of the following two changes:
Option 1: Disable the Java Proxy:
- Node.js versions 4.5.16 and later: Remove "proxy: true" from the agent configuration (this is the default configuration).
- Node.js versions prior to 4.5.16: Set "libagent: true" in the agent configuration.
Option 2: Remove the JndiLookup class from the classpath. The following command should be executed in the <version>/lib/tp directory where the agent is installed:
This change requires a restart of the application.
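The Java Agent, Machine Agent and Node.js (Java Proxy) mitigations above all rely on the same change: deleting org/apache/logging/log4j/core/lookup/JndiLookup.class from the log4j-core jar, which is what Apache's documented `zip -q -d <jar> org/apache/logging/log4j/core/lookup/JndiLookup.class` one-liner does. The script below is an added example and is not AppDynamics' own command or tooling: it walks a directory tree for jars, reads the log4j-core version from the jar's Maven pom.properties, applies the advisory's version cut-off (2.x below 2.16.0), strips the class in place, and re-checks. The <version>/lib/tp layout, the jar name log4j-core-2.14.1.jar and the jar contents are constructed fixtures; placeholder bytes stand in for real class files.

```python
"""Added example: find log4j-core jars, read their version, and strip JndiLookup.class.

Illustrative code, not AppDynamics tooling. The directory layout, jar name and
jar contents built by make_demo_jar() are constructed fixtures for the demo.
"""
import io
import os
import re
import tempfile
import zipfile

# Class whose removal is Apache's documented mitigation (zip -q -d <jar> <this path>).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that a real log4j-core jar carries; the version is read from it.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def log4j_core_version(jar_path):
    """Return the log4j-core version declared in the jar's pom.properties, or None."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def has_jndi_lookup(jar_path):
    """True if the jar still ships the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def needs_mitigation(version):
    """Apply the advisory's cut-off: log4j 2.x below 2.16.0 is affected by one or both CVEs.

    log4j 1.x has no JndiLookup class and is not affected by these two CVEs.
    An unknown version is treated as affected so the jar is not silently skipped.
    """
    if version is None:
        return True
    parts = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    return (2, 0) <= parts < (2, 16, 0)


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class. Returns True if the class was removed."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():          # copy every other entry unchanged
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    with open(jar_path, "wb") as fh:             # src is closed here, safe to overwrite
        fh.write(buf.getvalue())
    return True


def scan_directory(root):
    """Walk root and return (path, log4j-core version, still has JndiLookup) per jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                findings.append((path, log4j_core_version(path), has_jndi_lookup(path)))
    return findings


def make_demo_jar(path, version="2.14.1", with_jndi=True):
    """Constructed stand-in for a log4j-core jar: only the entries this script inspects."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPS, "version=%s\ngroupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode


def demo():
    """Build a fixture tree, scan it, mitigate every affected jar, and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        lib_tp = os.path.join(tmp, "21.11.0", "lib", "tp")  # mirrors <version>/lib/tp
        os.makedirs(lib_tp)
        make_demo_jar(os.path.join(lib_tp, "log4j-core-2.14.1.jar"))
        before = scan_directory(tmp)
        removed = [strip_jndi_lookup(p) for p, ver, jndi in before
                   if jndi and needs_mitigation(ver)]
        after = scan_directory(tmp)
        return before, removed, after


if __name__ == "__main__":
    before, removed, after = demo()
    for (path, ver, jndi), (_, _, jndi_after) in zip(before, after):
        print("%s  version=%s  JndiLookup before=%s after=%s"
              % (os.path.basename(path), ver, jndi, jndi_after))
```

Against a real install, call scan_directory on the agent directory and strip_jndi_lookup on each jar it reports as affected, after backing up the jar; the application or Machine Agent still has to be restarted for the change to take effect, as the advisory notes. Stripping the class removes the JNDI lookup path that both CVEs use, but it is a stop-gap: upgrading the agent (and with it log4j-core) remains the recommended fix.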
PHP Agent
PHP Agents prior to 21.12.0 are at risk from the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.
PHP Agents prior to 21.12.1 are at risk from the CVE-2021-45046 vulnerability.
AppDynamics recommends that customers upgrade to PHP Agent 21.12.1.
No mitigation has been tested for this product at this time.
For general information on configuring PHP Agent, see Start the PHP Agent Proxy Manually.
Python Agent
Python Agents prior to 21.12.0 are at risk from the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.
Python Agents prior to 21.12.1 are at risk from the CVE-2021-45046 vulnerability.
AppDynamics recommends that customers upgrade to Python Agent 21.12.1.
No mitigation has been tested for this product at this time.
ServiceNow utility
ServiceNow utility versions prior to 21.12.0 are at risk from the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.
AppDynamics recommends that customers upgrade to ServiceNow utility 21.12.1.
Need Additional Help?
Our CX teams are here to help you if you need additional advice on your remediation steps. Please contact us here by booking a meeting with our team if we can be of any further assistance.
Products Confirmed Not Vulnerable
(to CVE-2021-44228 and CVE-2021-45046)
AppDynamics has confirmed that the following products are not affected by these vulnerabilities:
- .NET Agent
- ABAP Agent (SAP ABAP Monitoring)
- Analytics Agent
- Browser Real User Monitoring (BRUM)
- C/C++ SDK Agent
- Cluster Agent
- Controller (On-Prem)**
- Enterprise Console
- EUM GeoServer
- EUM Server
- Events Service (On-Prem)
- Go Language SDK Agent
- IBM Integration Bus (IIB) Agent
- IoT Device SDKs (C/C++, Java, REST API)
- Mobile RUM Agent
- Network Agent
- Ruby Agent
- Synthetic Private Agent
- Synthetic Server
**Java Agent will require an upgrade - please see “Controller” under Vulnerable Products above.