Log4j: Major IT vendors rush out fixes for this flaw and more ahead of Christmas
The holiday season is shaping up to be busy for those patching systems affected by the critical flaw in the Log4j Java application error logging library.
IBM has confirmed several of its major enterprise products are affected by the Log4j bug. On Thursday, the company confirmed that the IBM Db2 Warehouse, which uses Log4j, allowed a remote attacker to execute arbitrary code on the system. Log4j is used in the Db2 Federation feature. IBM has released a special fix pack and mitigation notes for Db2 version 11.5 systems that are vulnerable if certain Federation features are configured.
Since Wednesday, IBM has released Log4j fixes for over a dozen cloud products, spanning security and identity, analytics, databases, managed VMware services, and Watson AI products. It has also released fixes for 20 on-premises IBM products for Cognos business intelligence, Power hardware, WebSphere, Watson, and more.
LOG4J FLAW COVERAGE - WHAT YOU NEED TO KNOW NOW
- Log4j zero-day flaw: What you need to know and how to protect yourself
- Security warning: New zero-day in the Log4j Java library is already being exploited
- Log4j flaw could be a problem for industrial networks 'for years to come'
IBM is continually updating the list of products affected by the flaw and those it has confirmed are not impacted.
Dozens of Cisco products are affected by Log4j, too. On Friday, Cisco will release numerous firmware and hotfix updates that address the flaw, followed by more updates scheduled over the weekend and over the following week through to 24 December.
Products scheduled for updates on Friday include Cisco Identity Services Engine, DNA Spaces Connector, Cisco BroadWorks, and Cisco Finesee. On Saturday, it will release updates for several more products including Cisco Contact Center Domain Manager (CCDM), Cisco IOx Fog Director, Cisco Contact Center Management Portal (CCMP), Cisco Unified Communications Manager / Cisco Unified Communications Manager Session Management Edition, Cisco Video Surveillance Operations Manager, and Cisco Connected Mobile Experiences (CMX).
VMware is also updating its list of affected products, most of which are badged as 'critical' with a CVSS severity score of 10 out of 10, and currently marked as 'patch pending'. Where patches are not available, VMware is updating its recommended mitigations to factor in updates addressed by Apache Foundation's Log4j version 2.16 release, which addressed the incomplete patch it initially released last week.
VMware had over 100 products affected by the bug popularly known as Log4Shell, and tracked as CVE 2021-44228.
But the virtualisation giant has also released a patch to address a critical non-Log4j Server Side Request Forgery (SSRF) vulnerability in its Workspace ONE Unified Endpoint Management (UEM) console.
Tracked as CVE-2021-22054, this flaw would allow an attacker with network access to UEM to "send their requests without authentication and may exploit this issue to gain access to sensitive information", according to VMware's advisory.
LOG4J FLAW COVERAGE - WHAT YOU NEED TO KNOW NOW
- US warns Log4j flaw puts hundreds of millions of devices at risk
- Log4j flaw: Attackers are making thousands of attempts to exploit this severe vulnerability
- Log4j RCE activity began on December 1 as botnets start using vulnerability
The vulnerability got a CVSS score of 9.1 out of 10, and so should be added to the list of priorities for patching before the Christmas break. The bug affects the 2105, 2012, 2011, and 2008 versions of the Workspace ONE UEM console.
The Cybersecurity and Infrastructure Security Agency and the White House yesterday warned organisations in the US to beware of cyberattacks during the holiday season. Cyber criminals frequently launch major ransomware attacks on public holidays to take advantage of skeleton staffing.
CISA has instructed federal agencies to identify all applications affected by the Log4j flaw by 24 December.
CISA has published a list of vendors and products affected by the Log4Shell flaw. The Netherlands cybersecurity agency is also updating a list of affected products and vendors, which it published earlier this week.