First, an article that explains just how bad Log4j is in an easy, conversational format (↓)
How bad is the "Log4j" trouble? We had the deputy editor-in-chief explain it so that even non-engineers can understand (12/16)
https://www.itmedia.co.jp/news/articles/2112/16/news128.html
piyokango's hard-nosed write-up (↓)
A summary of the serious Log4j vulnerability CVE-2021-44228 (12/13)
https://piyolog.hatenadiary.jp/entry/2021/12/13/045541
『.. Testing has confirmed*3 that the already end-of-support 1.x versions are also affected by the vulnerability, but the configuration must have been changed beforehand, so the risk is considerably lower than with 2.x ..』
So it says. A few more, picked out of curiosity (↓)
・Red Hat
https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
『The following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.
・Red Hat Enterprise Linux
・Red Hat Advanced Cluster Management for Kubernetes
(Note: many others)
』
On the other hand,
『Technical summary
A flaw was found in the Java logging library Apache Log4j in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters can execute arbitrary code on the server via the JNDI LDAP endpoint. Refer to CVE-2021-44228 for more details.
Mitigation
For Log4j versions 2.10 and later:
- set the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true
For Log4j versions between 2.7 and 2.14.1:
- all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m
For Log4j versions between 2.0-beta9 and 2.10.0:
- remove the JndiLookup class from the classpath. For example:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
On OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421
On OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441
』
it also says.
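As an added example (not from the Red Hat advisory or this post), a small Python check for the third mitigation quoted above: it opens a log4j-core jar, takes the version from the manifest's Implementation-Version (an assumption about how the jar is labelled) and reports whether JndiLookup.class is still present, classifying against the affected range in Red Hat's summary. The sample jars are constructed inside the script.

```python
import io
import re
import zipfile

# Class path named in the Red Hat mitigation for 2.0-beta9 through 2.10.0.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Red Hat's technical summary: affected from 2.0.0 and before 2.15.0.
FIXED_VERSION = (2, 15, 0)

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release suffixes are dropped."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text or "")
    return tuple(int(n or 0) for n in match.groups()) if match else None

def manifest_version(jar):
    """Implementation-Version from META-INF/MANIFEST.MF (assumed to carry it), or None."""
    if "META-INF/MANIFEST.MF" not in jar.namelist():
        return None
    for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def assess(jar_bytes):
    """Return (version, jndi_present, verdict) for the bytes of one log4j-core jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        version = manifest_version(jar)
        jndi_present = JNDI_LOOKUP in jar.namelist()
    parsed = parse_version(version)
    if parsed is not None and parsed[0] < 2:
        verdict = "log4j 1.x: outside the 2.x range this check covers"
    elif parsed is not None and parsed >= FIXED_VERSION:
        verdict = "not affected by CVE-2021-44228 (2.15.0 or later)"
    elif not jndi_present:
        verdict = "mitigated: JndiLookup.class removed from the jar"
    else:
        verdict = "affected: JndiLookup.class present, version below 2.15.0 or unknown"
    return version, jndi_present, verdict

def build_sample_jar(version, include_jndi):
    """Constructed stand-in for a log4j-core jar: a manifest plus an empty class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"")
    return buf.getvalue()

for sample in [("2.14.1", True), ("2.14.1", False), ("2.15.0", True)]:
    print(sample[0], assess(build_sample_jar(*sample)))
```

Point `assess` at the bytes of a real log4j-core jar (for example after running the `zip -q -d` command above) to confirm the class is really gone.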
・Oracle
Oracle Security Alert Advisory - CVE-2021-44228
・VMware
https://www.vmware.com/security/advisories/VMSA-2021-0028.html
VMware Horizon, vCenter Server, HCX, NSX-T Data Center, vCenter Cloud Gateway .. and many others
・IBM
https://www.ibm.com/support/pages/node/6525706
Affected Products and Versions
WebSphere Application Server 9.0
WebSphere Application Server 8.5
Among formerly IBM products, there was this one too (↓)
・HCL Technologies
Impact of the Log4J 2 / Log4Shell vulnerabilities on Notes, Domino, Verse and Traveler (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832)
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095594
・Fortinet
https://www.fortiguard.com/psirt/FG-IR-21-245
As of Tuesday December 15, 8:50 PM Pacific Time, the status was as follows
『The following products are NOT impacted:
.. FortiOS (includes FortiGate & FortiWiFi) ..
The following products are impacted and fixes are being worked on. This advisory will be updated as soon as ETAs are available:
FortiAIOps - Fixed in version 1.0.2
FortiAnalyzer BigData - Fixed on 2021-12-10 in 6.4.7 & 7.0.2
FortiCASB - Fixed on 2021-12-10
FortiConverter Portal - Fixed on 2021-12-10
FortiCWP - Fixed on 2021-12-10
FortiEDR Cloud - Not exploitable. Additional precautionary mitigations put in place on 2021-12-10
FortiInsight - Not exploitable. Additional precautionary mitigations being investigated.
FortiIsolator - Fix scheduled for version 2.3.4
FortiMonitor - Mitigations for NCM & Elastiflow available
FortiPortal - Fixed in 6.0.8 and 5.3.8
FortiSIEM - Mitigation available
ShieldX - Fix scheduled for versions 2.1 and 3.0 - ETA 2021/12/17
』
・AMD
https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1034
『Currently, no AMD products have been identified as affected.』
・Intel
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
Datacenter Manager, Secure Device Onboard, Computer Vision Annotation Tool, Optimized Analytics Package, Intel QAT Codec, Edge Insights for Autonomous Mobile Robots, various oneAPI products
.. There is even something called the "Clear Linux Project", it turns out.
.. and many more. You may have been using some of these without realizing it. Check for yourself.
・NVIDIA
https://nvidia.custhelp.com/app/answers/detail/a_id/5294
As of 01/04,
『Remediated NVIDIA Products
The following sections list the NVIDIA products affected, versions affected, and the updated versions available or mitigations that require customer action.
CUDA Toolkit Visual Profiler and Nsight Eclipse Edition
DGX Systems
NetQ
vGPU Software License Server
』
・Palo Alto Networks
https://security.paloaltonetworks.com/CVE-2021-44228
『We have determined that some configurations of Panorama appliances with PAN-OS 9.0, PAN-OS 9.1, and PAN-OS 10.0 are impacted by CVE-2021-44228 and CVE-2021-45046 through the use of Elasticsearch. Fixes were released on December 20, 2021 to address both vulnerabilities on impacted PAN-OS versions. Panorama appliances are not impacted by CVE-2021-45105.
PAN-OS for Panorama < 9.0.15, < 10.0.8-h8, < 9.1.12-h3 .. affected
Exact Data Matching CLI < 1.2 .. affected
』