.net.net 4.net 4.5.net apm.NET Application Performance.NET Applications.NET Best Practise.NET Core.NET Monitoring.NET PerformanceABAPACAADDMADO.NETagent lifecycleagent of transformationAgents of TransformationAgile & DevOpsAgile & DevOpsAgile DevelopmentAgile OperationsAgile OpsAIAI/MLAIOpsalert fatigueAmazon EC2Amazon EKSamazon web servicesanalyst reportAnalyticsandroidAndroid monitoringanomaly detectionanti-patternsAoTAPACapacheAPCApdexapiAPI MonitoringApicaAPMAPM Analyticsapm application performance monitoringAPM Best PracticeAPM Best PracticesAPM Business MetricsAPM IntegrationAPM Marketapm monitoring toolsapm solutionsAPM Thought LeadershipAPM VendorsAPMaaSapp attention indexApp Attention Index 2019App Attention Index 2023app dynamicsApp Manapp ownerappd summitappd summit europeappdynamicsappdynamics apmappdynamics certificationAppDynamics CustomersAppDynamics DevOpsAppDynamics EUMappdynamics flowmapAppDynamics for AzureAppDynamics for DatabasesAppDynamics for MobileAppDynamics Growthappdynamics liteAppDynamics Partnersappdynamics pricingAppDynamics ProAppDynamics REST APIAppDynamics SaaSAppDynamics SAP MonitoringAppDynamics SuccessAppDynamics Universityappdynamics xapplicationapplication developmentApplication DiagnosticsApplication ElasticityApplication IntelligenceApplication Intelligence PlatformApplication Mappingapplication monitoringapplication monitoring for PCFapplication observabilityApplication PerformanceApplication Performance ManagementApplication Performance MonitoringApplication Runbook AutomationApplication ScalabilityApplication SecurityApplication Supportapplication testingAppSecappsec prioritizationappsphereappsphere 2015appsphere 2016artificial intelligenceASMASP.NETASP.NET Monitoringatlassianauto-scalingautomationAvailability MonitoringawardsawsAWS Cloud Connectoraws ec2AWS Elastic Container ServiceAWS LambdaAWS re:InventazureAzure Cosmos DBAzure FunctionsAzure MonitoringBackend MonitoringbankingBehavioral Learningbest apm toolsbetaBig DataBig Data AnalyticsbizdevopsBlack FridayblockchainBrowser AgentBrowser Monitoringbrowser real user monitoringbrowser rumBrowser Synthetic MonitoringBTMbusinessBusiness Activity MonitoringBusiness ImpactBusiness Intelligencebusiness iqbusiness journeybusiness journeysBusiness Metricsbusiness outcomesbusiness risk observabilitybusiness risk scorebusiness risk scoringbusiness transactionbusiness transaction insightsBusiness Transaction ManagementBusiness Transaction Performancebusiness transaction securityBusiness TransactionsBusinessiQC++CACA WilyCareercase studyCassandraCDEMChatGPTCI/CDCICSCIOciscoCisco AppDynamicsCisco AppDynamics OpenAI MonitoringCisco Application Centric InfrastructureCisco Cloud ObservabilityCisco Full-Stack ObservabilityCisco Intersightcisco intersight workload optimizerCisco LiveCisco Live 2022Cisco Live 2023Cisco Live 2023 AmsterdamCisco Live 2023 MelbourneCisco Live EMEACisco Observability PlatformCisco Secure ApplicationCisco ThousandEyesclient side performanceCloudcloud architecturecloud automationCloud BurstingCloud Deploymentcloud foundrycloud foundry foundationCloud MigrationCloud MonitoringCloud NativeCloud Native Computing Foundationcloud native observabilitycloud native securitycloud observabilitycloud orchestrationcloud planningcloud pricingCloud Scalingcloud securitycloudwatchcluster monitoringCMDBCNCFcodingCognition Enginecognitive operationscollaborationCompuwareCompuware Vantageconcurrent collectionsconferencecontainerscontinuous integrationcovid-19CPU Burncrash courseculturecustom dashboardscustomer DEMcustomer experienceCustomer LoyaltyCustomer SuccessCyber MondayDashboarddashboardsData Clouddata privacydata securitydatabasedatabase monitoringdatabase performanceDatabase Performance Monitoringdb2Deep DiagnosticsDEMDeploying APMdeveloperdevelopersDevelopmentdevelopment lifecycleDevOpsDevOps AppDynamicsDevOps Best PracticesDevOps Culturedevops lifecycledevopsdaysDevSecOpsdigital experienceDigital experience monitoringdigital transformationdigital trustDisaster RecoverydiscoverydockerDockerfiledowntimedowntime costdynamic baselinesDynatracee-commerceEase-of-UseecommerceeCommerce MonitoringECSedge computingeducationEKSelasticsearchEnd User ExperienceEnd User Experience MonitoringEnd User MonitoringEnterpriseEnterprise APMEnterprise deploymenterrorsETLEUEUEMEUMEuropean UnionEvaluating APMEventeventsexperience economyextensionsfasterfederal customersFedRAMPfinancefinancial servicesflame graphsFlutter Agentfog of developmentforresterForrester APMfull application stackfull-stack observabilityGartnerGartner APMGartner APM Magic QuadrantGartner Magic QuadrantGartner MQGDPRGeneral Data Protection Regulationghostglassdoorgogo langGomezGoogle Cloud FunctionsGovAPMgovernmentGrafanagrafana pluginguided tourHadoophealthcareHealthCare.govhhvmHigh AvailabilityHIPPAhistory of programminghybrid cloudhybrid cloud observabilityhybrid workIaaSIBMIBM DataPowerIBM Think 2019idcIISIIS Monitoringindustry insightsinfographicinfrastructureinfrastructure monitoringinfrastructure optimizationinfrastructure pricinginfrastructure visibilityInsuranceintegrationIntegration Partner Programinternet of thingsInternshipInvestment BankingiosiOS monitoringIOTiPhone CrashIRAPIstioITIT operationsITILITSMJavajava 9java apmJava CPUJava Memory LeakJava Monitoringjava programming languagejavascriptJConsoleJMXJVMJVM MonitoringK8sKNativeKPIKubeCon + CloudNative ConkubernetesKubernetes MonitoringLas VegaslegacyLoad RunnerLoad Testinglog analysislog analyticsLog Fileslog4jlogginglogsmachine learningmainframeManaged Service ProvidersmanagementmappingmariadbMaturitymemory leaksMesosmetric datametricsmicoservicesmicroservice patternsmicroservicesmicroservices iqMicrosoftmicrosoft azuremigrationMLmobileMobile APMmobile app metricsMobile Application MonitoringMobile Application Performancemobile applicationsMobile Best Practicesmobile eumMobile Monitoringmobile real-user monitoringMobile RUMMongoDBMonitoringMonitoring AgentsMRUMMSPMTTRMulti Cloudmulti tenancy cloudmulticloudmultitenancyMVC 4mysqlNetflixNetwork MonitoringNetwork Performance Managementnetwork visibilityNew RelicnewsnginxNodenode.jsnode.js apmnode.js monitoringnodetimeNoSQLNPMobamacareObamacare websiteobservabilityomni-channelon-premon-prem vs cloudon-premisesonline shoppingOPCacheopcodeOpenAIOpenAI APIopenshiftopenshift by red hatopenshift by redhatOpenTelemetryoperational analyticsOperationsoperatorsOpNetopsOpTierOraclePaaSpartnerpartner programpartnersPCFpercentilesPerformancePerformance Bottleneckperformance engineeringPerformance Managementperformance metricsPerformance Monitoringperformance testingphpphp 7php apmPHP Best Practicesphp performancephp securityphp upgradePivotalPivotal Cloud Foundryplatform monitoring for PCFpodcastprivate equityproductionProduction Monitoringprofilingprogramming languageprogramming languagesPublic Cloudpublic sectorpythonqaQuest FoglightRBARCAReal User Monitoringreal-time business metricsreal-time business monitoringred hatred hat openshiftresearch reportresponse timeretailriskRoot Cause AnalysisRSARtBMRUMrunbookSaaSSaas APMsaas application performance monitoringsan franciscoSAPSAP monitoringSAP NetWeaverSAP obSAP S/4HANAScalabilitysdkSecure Applicationsecuritysecurity resilienceserverserverlessservice assuranceService Broker Tileservice endpointsservice level agreementServiceNowshardingsingle page applicationsite reliability engineeringSLAslow SQLSmart AgentSmart Agent for Cisco AppDynamicssmart speakersSOASOA monitoringSoftware DevelopmentSpectro Cloud PaletteSplunkspring releaseSpring4ShellSQLSREsupply chainSynthetic Monitoringtaggingtagstechnical debttelemetryTest In ProductionThe Age of Application Observabilitythousandeyestransaction analyticsTransaction ProfilingTroubleshooting ApplicationstuningTypeScriptUCCEUCCE monitoringunified monitoringunified observability experienceUser Experienceuser session trackingVirtual War RoomVisualVMWar RoomwearableswebinarWebPerfWily IntroscopeWindows AzureWindows Azure StoreWNISwomenwomen in techwomen in technologywordpressyarnz/os
News
Product
Security

AppDynamics’ response to our customers regarding the Log4j vulnerability threat

by Wei Li
December 15 2021
 

We know that the threat posed by the Log4j vulnerabilities is top of mind — and we're here to help. Read on for Log4j vulnerabilities explained and AppDynamic updates.

Conceptual image of padlock on a circuit board representing full-stack application security

Updated December 22, 2021

  • On December 9, 2021, a critical vulnerability (CVE-2021-44228) in the Apache Log4j Java logging library affecting all Log4j 2 versions earlier than 2.15.0 was disclosed.

 

  • On December 14, 2021, another critical vulnerability (CVE-2021-45046) in the same library was disclosed. It affects certain Log4j use cases in versions 2.15.0 and earlier.

 

  • On December 17, 2021, a third, high-severity vulnerability (CVE-2021-45105) in the same library was disclosed. It affects certain Log4j versions earlier than 2.17.

 

For additional information regarding these and any new vulnerabilities, see our security advisory.

As the team at AppDynamics — along with the industry at large — continues to gain a deeper understanding of the impact of these threats, we’ll provide updates here to help you detect and mitigate the risk of an attack. In addition, we’ll supply guidance on how to use AppDynamics application security solutions to help protect against related exploits in production without impacting performance or the end user experience.

Log4j CVE-2021-44228 at a glance

Log4j vulnerability CVE-2021-44228 — aka Log4Shell or LogJam — affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1. (Log4j 2 is a Java-based logging library that’s included in various open-source libraries, widely used in business system development and directly embedded in many major software applications.)

Proof-of-concept code has demonstrated that an attacker could exploit a remote code execution (RCE) vulnerability by inserting a specially crafted string that’s logged by Log4j. They would then be able to execute arbitrary code from an external source.

What AppDynamics products are affected? And what steps should I take?

Our security teams are currently evaluating all our products for vulnerabilities and taking expedited action as required.

Information regarding affected AppDynamics products and recommended steps for mitigation and remediation on your end are available in our security advisory. We’re updating that page regularly as new details become available.

How can I protect my applications?

We recommend that you take the following steps immediately to secure your production environment:

  1. Investigate and determine where risk exists.
    • Review sources of data and begin building a software bill of materials (SBOM) for your products.
    • Search your source code repository, build pipeline logs and runtime file system to locate the existence of the Log4j library, and identify what libraries your code is actually using at runtime. (AppDynamics with Cisco Secure Application can help you discover Log4j in your runtime environment.)
    • Monitor security advisories from your product vendors and service providers to understand if they have been affected.

 

Detect vulnerabilities with Secure Application. (Click/tap the image to enlarge it.)

  1. Update Log4j to the latest recommended version to completely remediate any vulnerabilities. For more information, see the CVE-2021-44228 CVE and the Apache Log4j Security Vulnerabilities page.

 

If you’re unable to update Log4j, mitigation options exist:

  • Previously recommended measures from the Apache Software Foundation (ASF) for CVE-2021-44228 outlined disabling JNDI lookups, but that will not mitigate CVE-2021-45046. In order to address both vulnerabilities, the only option is to delete the class file. Further details are available on the Apache Log4j Security Vulnerabilities page.
  • Solutions such as Secure Application detect and block attempted exploits of the Log4j vulnerabilities so that you can take the necessary time to plan and push fully vetted fixes to production rather than acting reactively. Learn more in our Community post.

 

Block attempted exploits of the Log4j vulnerabilities with Secure Application. (Click/tap the image to enlarge it.)

Resources

AppDynamics product investigation and software updates

Security advisory: Apache Log4j vulnerability

Security advisory: CVE-2021-45105 in Apache Log4j

AppDynamics Community

How do I use AppDynamics with Cisco Secure Application to find vulnerabilities and block exploits?

Cisco Talos threat intelligence and detection

Threat advisory: Critical Apache Log4j vulnerability being exploited in the wild

Other

Defend Log4j vulnerabilities with Cisco Secure Application (video)

Wei-Li-headshot
Wei Li

Wei Li is a product marketing manager who specializes in application security and network visibility technologies. At AppDynamics, she helps bring leading-edge innovations to our customers, providing them with powerful, end-to-end observability across their networks and hybrid cloud environments. Wei received an MBA from the Haas School of Business at the University of California, Berkeley.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form

By clicking subscribe, I have read and understood the Privacy Policy and Terms of Use.
Platform
Solutions
Learn

Company
Support