Apache has disclosed two important vulnerabilities, CVE-2021-45105 and CVE-2021-44832, affecting Log4j 2.x versions prior to 2.17.0 and 2.17.1, respectively. These vulnerabilities pose significant challenges for detection due to the widespread use of Log4j jars across various applications.
Finding a vulnerable Log4j version inside an application often raises concern, but detecting the vulnerable jar alone does not confirm that the application is affected: exposure depends on specific implementation details and on confirmation from the vendor. Many third-party vendors have stated that their products are not impacted even though they ship vulnerable Log4j versions.
Flagging vulnerabilities solely on the basis of the jar version therefore produces false positives (FPs), and without confirmation from product vendors it is difficult to determine exposure accurately. Because there is insufficient information to cover these vulnerabilities reliably without generating false positives, coverage for CVE-2021-45105 and CVE-2021-44832 was not included.
For accurate detection and risk assessment, organisations are encouraged to rely on vendor-specific guidance or consult application documentation to verify vulnerability status.
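To make the distinction between "vulnerable jar present" and "exposure confirmed" concrete, here is an added triage example in Python (not the article's or any vendor's tooling). It reads the log4j-core version from the jar's Maven pom.properties, compares it with the fixed versions named above, and only upgrades the finding when the application's log4j2.xml shows the configuration condition each CVE requires; the constructed jar, the sample config and the simple version comparison (which ignores the 2.12.x/2.3.x backport lines) are assumptions of the example.

```python
# Added example: separate "version in affected range" from "configuration condition observed".
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard location of the Maven metadata inside a log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Fixed-in versions from the advisories: CVE-2021-45105 -> 2.17.0, CVE-2021-44832 -> 2.17.1.
# Assumption: backported fix lines (2.12.x, 2.3.x) are not modelled here.
FIXED = {"CVE-2021-45105": (2, 17, 0), "CVE-2021-44832": (2, 17, 1)}

def jar_version(jar_bytes):
    """Return the log4j-core version tuple from pom.properties inside the jar, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode().splitlines():
            if line.startswith("version="):
                nums = re.findall(r"\d+", line.split("=", 1)[1])
                return tuple(int(n) for n in nums[:3])
    return None

def config_conditions(log4j2_xml):
    """Heuristic: which CVE-specific configuration conditions appear in a log4j2.xml."""
    found = set()
    for el in ET.fromstring(log4j2_xml).iter():
        tag = el.tag.split("}")[-1]
        # CVE-2021-45105 needs a non-default PatternLayout that performs a Context Lookup.
        if tag == "PatternLayout" and "ctx:" in el.get("pattern", ""):
            found.add("CVE-2021-45105")
        # CVE-2021-44832 needs a JDBC appender whose DataSource is resolved through JNDI.
        if tag == "DataSource" and el.get("jndiName"):
            found.add("CVE-2021-44832")
    return found

def triage(jar_bytes, log4j2_xml=None):
    """Classify each CVE as fixed, condition observed, or version-only (needs vendor confirmation)."""
    ver = jar_version(jar_bytes)
    if ver is None:
        return {}
    conds = config_conditions(log4j2_xml) if log4j2_xml else set()
    result = {}
    for cve, fixed in FIXED.items():
        if ver >= fixed:
            result[cve] = "not affected (fixed version)"
        elif cve in conds:
            result[cve] = "version in range, vulnerable configuration observed"
        else:
            result[cve] = "version in range only: needs vendor confirmation"
    return result

def build_sample_jar(version):
    """Constructed stand-in for a log4j-core jar; only the pom.properties entry matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()

# Constructed sample config: a Context Lookup in the pattern, no JDBC/JNDI data source.
SAMPLE_CONFIG = """<Configuration><Appenders>
  <Console name="out"><PatternLayout pattern="%d %p $${ctx:loginId} %m%n"/></Console>
</Appenders></Configuration>"""

if __name__ == "__main__":
    for v in ("2.16.0", "2.17.0", "2.17.1"):
        print(v, triage(build_sample_jar(v), SAMPLE_CONFIG))
```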
We found a few vendors claiming their software that uses the Log4j jars is not vulnerable to these CVEs. Here are a few:
https://kcm.trellix.com/corporate/index?page=content&id=KB95408&locale=en_US
"The file log4j-1.2.17.jar isn't considered vulnerable for DXL."

https://www.veritas.com/support/en_US/article.100052058
"Log4j 2.x - NetBackup NOT Impacted."

https://community.cyberark.com/s/article/Critical-Vulnerability-CVE-2021-44228
Many products listed in the table claim 'Not Affected.'

https://www.ibm.com/topics/log4j
"Companies can't always tell right away if they're vulnerable. Log4J is often present in networks as an indirect dependency, meaning the company's assets might not use Log4J, but they rely on other apps and services that do."

https://help.salesforce.com/s/articleView?id=001534727&type=1
"Based on currently available information, we have determined that Tableau products are not affected by CVE-2021-45105."

https://help.salesforce.com/s/articleView?id=001534726&type=1
"Based on currently available information, we have determined that Tableau products are not affected by CVE-2021-44832."

https://community.bmc.com/s/article/Are-Control-M-Distributed-products-impacted-CVE-2021-44832
"BMC has analysed CVE-2021-44832 and concluded that Control-M Distributed products are not affected since the vulnerable configuration is disabled by default within Control-M."

https://security.netapp.com/advisory/ntap-20220104-0001/
"Affected Products - None."

https://security.netapp.com/advisory/ntap-20211218-0001/
A huge number of products are listed under the 'Products Not Affected' section.

https://portal.microfocus.com/s/article/KM000003212?language=en_US
Various products are listed under 'Non-impacted Products (CVE-2021-45105)' and 'Non-impacted Products (CVE-2021-44832).'

https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-cve-2021-45046-and-cve-2021-45105-1103069406.html
"No, Atlassian customers are not vulnerable, and no action is required."

https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2021-44228-amp-CVE-2021-45105-Log4j-Vulnerability-Impact-on/ta-p/217384
"FNP is not vulnerable to Log4j vulnerability. It is just used in the example."