Log4j: major vendors rush to patch the flaw


The holiday season is shaping up to be busy for those patching systems affected by the critical vulnerability in the Java Log4j logging library.

IBM has confirmed that several of its main enterprise products are affected by the Log4j bug. Earlier this month, the company confirmed that its IBM Db2 Warehouse tool, which uses Log4j, allowed a remote attacker to execute arbitrary code on the system. Log4j is used in the Db2 Federation feature. IBM has released a special fix pack and mitigation measures for Db2 Version 11.5 systems, which are vulnerable only if certain features are configured.

IBM has released Log4j fixes for more than a dozen cloud products, covering security and identity, analytics, databases, managed VMware services, and Watson AI products. The company has also released fixes for 20 IBM on-premises products, including Cognos business intelligence, Power hardware, WebSphere, and Watson.

IBM continually updates the list of products affected by the vulnerability and those that it has confirmed to be unaffected.

Dozens of Cisco products are also affected by Log4j. Cisco has released numerous firmware and patch updates to correct the flaw.

The products for which updates have been released are Cisco Identity Services Engine, DNA Spaces Connector, Cisco BroadWorks, and Cisco Finesse. Updates have also been released for several other products, including Cisco Contact Center Domain Manager (CCDM), Cisco IOx Fog Director, Cisco Contact Center Management Portal (CCMP), Cisco Unified Communications Manager / Cisco Unified Communications Manager Session Management Edition, Cisco Video Surveillance Operations Manager, and Cisco Connected Mobile Experiences (CMX).

VMware is also updating its list of affected products, most of which are rated “critical” with a CVSS severity score of 10 out of 10. While the vendor has released many fixes, some products are still awaiting a patch. Where patches are not yet available, VMware updates its recommended mitigation measures to reflect Log4j version 2.16, released by the Apache Software Foundation, which fixes the incomplete patch originally released last week.

VMware had over 100 products affected by the bug known as Log4Shell, identified as CVE-2021-44228.
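The vendor lists above are only useful if you also know which of your own deployments still ship a pre-2.16 log4j-core. The following added inventory script (not from ZDNet or any vendor named here) shows the check a defender would run over a directory of jars: it reads the Maven `pom.properties` that log4j-core jars carry, compares the version with the 2.16 threshold the article mentions, and notes whether the `JndiLookup` class (whose removal was the widely published interim mitigation) is still present. The sample jars it builds are constructed stand-ins, not real artifacts.

```python
import io
import re
import zipfile
from pathlib import Path

# Threshold taken from the article: 2.16 supersedes the incomplete first patch.
FIXED_VERSION = (2, 16, 0)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); missing components default to 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def inspect_jar(data):
    """Return (version tuple or None, JndiLookup present?) for raw jar bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        return version, JNDI_CLASS in names


def assess(data):
    """Classify a jar as not-log4j-core, vulnerable, mitigated or patched."""
    version, has_jndi = inspect_jar(data)
    if version is None and not has_jndi:
        return "not-log4j-core"
    if version is not None and version >= FIXED_VERSION:
        return "patched"
    # Old (or unknown) version: only the removed JndiLookup class counts as mitigated.
    return "vulnerable" if has_jndi else "mitigated"


def build_sample_jar(version=None, include_jndi=False):
    """Constructed stand-in for a log4j-core jar; placeholder bytes, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if version is not None:
            jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def scan_directory(root):
    """Walk a directory tree and report the status of every .jar found."""
    return {str(p): assess(p.read_bytes()) for p in Path(root).rglob("*.jar")}
```

Nested jars (a log4j-core bundled inside a WAR or fat jar) are not unpacked here; a production scanner would recurse into zip entries ending in `.jar`.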

The virtualization giant has also released a patch for a critical Server-Side Request Forgery (SSRF) vulnerability, unrelated to Log4j, in its Workspace ONE Unified Endpoint Management (UEM) console.

Identified as CVE-2021-22054, this flaw would allow an attacker with network access to UEM to “send their requests without authentication and exploit this problem to access sensitive information”, according to the VMware advisory.

The vulnerability received a CVSS score of 9.1 out of 10. The bug affects versions 2105, 2012, 2011 and 2008 of the Workspace ONE UEM console.

The Cybersecurity and Infrastructure Security Agency (CISA) and the White House have warned U.S. organizations to expect cyber attacks during the holiday season. Cybercriminals frequently launch major ransomware attacks on public holidays to take advantage of reduced staffing.

CISA has published a list of vendors and products affected by the Log4Shell flaw. The Dutch cybersecurity agency is also maintaining a list of affected products and vendors, which it released earlier this week.

Source: “ZDNet.com”