Updated December 22, 2021
- On December 9, 2021, a critical vulnerability (CVE-2021-44228) in the Apache Log4j Java logging library affecting all Log4j 2 versions earlier than 2.15.0 was disclosed.
- On December 14, 2021, another critical vulnerability (CVE-2021-45046) in the same library was disclosed. It affects certain Log4j use cases in versions 2.15.0 and earlier.
- On December 17, 2021, a third, high-severity vulnerability (CVE-2021-45105) in the same library was disclosed. It affects certain Log4j versions earlier than 2.17.
For additional information regarding these and any new vulnerabilities, see our security advisory.
As the team at AppDynamics — along with the industry at large — continues to gain a deeper understanding of the impact of these threats, we’ll provide updates here to help you detect and mitigate the risk of an attack. In addition, we’ll supply guidance on how to use AppDynamics application security solutions to help protect against related exploits in production without impacting performance or the end user experience.
Log4j CVE-2021-44228 at a glance
Log4j vulnerability CVE-2021-44228 — aka Log4Shell or LogJam — affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1. (Log4j 2 is a Java-based logging library that’s included in various open-source libraries, widely used in business system development and directly embedded in many major software applications.)
Proof-of-concept code has demonstrated that an attacker could exploit a remote code execution (RCE) vulnerability by inserting a specially crafted string that’s logged by Log4j. They would then be able to execute arbitrary code from an external source.
What AppDynamics products are affected? And what steps should I take?
Our security teams are currently evaluating all our products for vulnerabilities and taking expedited action as required.
Information regarding affected AppDynamics products and recommended steps for mitigation and remediation on your end are available in our security advisory. We’re updating that page regularly as new details become available.
How can I protect my applications?
We recommend that you take the following steps immediately to secure your production environment:
- Investigate and determine where risk exists.
- Review sources of data and begin building a software bill of materials (SBOM) for your products.
- Search your source code repository, build pipeline logs and runtime file system to locate the existence of the Log4j library, and identify what libraries your code is actually using at runtime. (AppDynamics with Cisco Secure Application can help you discover Log4j in your runtime environment.)
- Monitor security advisories from your product vendors and service providers to understand if they have been affected.
Detect vulnerabilities with Secure Application. (Click/tap the image to enlarge it.)
- Update Log4j to the latest recommended version to completely remediate any vulnerabilities. For more information, see the CVE-2021-44228 CVE and the Apache Log4j Security Vulnerabilities page.
If you’re unable to update Log4j, mitigation options exist:
- Previously recommended measures from the Apache Software Foundation (ASF) for CVE-2021-44228 outlined disabling JNDI lookups, but that will not mitigate CVE-2021-45046. In order to address both vulnerabilities, the only option is to delete the class file. Further details are available on the Apache Log4j Security Vulnerabilities page.
- Solutions such as Secure Application detect and block attempted exploits of the Log4j vulnerabilities so that you can take the necessary time to plan and push fully vetted fixes to production rather than acting reactively. Learn more in our Community post.
Block attempted exploits of the Log4j vulnerabilities with Secure Application. (Click/tap the image to enlarge it.)