Tech Solvency - The Story So Far

Log4Shell log4j vulnerability (CVE-2021-44228 / CVE-2021-45046) - cheat-sheet reference guide

Last updated: 2022/01/10 20:04:28 UTC - best effort, validate all for your environment/model before use, unofficial sources may be wrong

by @TychoTithonus (Royce Williams), standing on the shoulders of many giants
Send updates or suggestions (please include category / context / public (or support-walled) links if you can)


Contents


Key updates


Context - who (and what) is affected

Scope / seriousness


Summaries


Technical analysis



Remediation

Big new joint CISA / Five Eyes mitigation advisory (2021-12-22)

Direct remediation:

Mitigations - easy but partial

Mitigations - official project itself (but always check latest Apache guidance)

Mitigations - harder

Mitigations - ecosystem



Affected (and unaffected) products

(See other product and tool lists if your product is not listed here.)

Note: this list focuses primarily on customer-controlled components. For fully cloud-based components, the top section of the YfryTchsGD repo is pretty good as a starting point.

Disclaimer: caching/summaries are best effort and may be out of date or incorrect - always validate for yourself

Claimed patched (previously vulnerable, now remediated/mitigated or updates available)

Confirmed affected - version differences, workarounds suggested, status pending, or not yet analyzed

Claimed unaffected / not vulnerable (no action taken or required)

Claimed unaffected by default (but configurable to be affected if user opted for log4j or added extensions)

Multi-product - vulnerable, mixed, or not yet fully determined

Potentially affected (circumstantial use of log4j or behind support wall)

Not yet determined, non-committal, or mixed/controversial

Indirect / integration known (can relay/forward/integrate, but no default dependency)

Other rollup lists



Detection

Finding potentially vulnerable software

Detecting exploitation attempts

Vulnerability scanning and testing

Other defense stacks and guides


Exploitation



News and posts


