Supplier | Product | Version (see Status) | Status CVE-2021-4104 | Status CVE-2021-44228 | Status CVE-2021-45046 | Status CVE-2021-45105 | Notes | Links |
---|---|---|---|---|---|---|---|---|
ABB | Alarminsight Cloud | Not vuln | Not vuln | Not vuln | Not vuln | source | ||
ABB | B&R Products | Not vuln | Not vuln | Not vuln | Not vuln | source | ||
ABB | Remote Service | Not vuln | Fix | Details are shared with customers with an active RAP subscription | source | |||
Abbott | All | Investigation | source | |||||
Abnormal Security | All | Not vuln | Not vuln | Not vuln | Not vuln | Abnormal Blog | ||
Accellence | All | Accellence Article | ||||||
Accellence Technologies | EBÜS | All | Not vuln | Workaround | EBÜS itself is not vulnerable to CVE-2021-44228, although it includes several 3rd-party software setups which may be affected (see source for more info). | source | ||
Accellence Technologies | vimacc | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Accellion | Kiteworks | v7.6 release | Not vuln | Fix | As a precaution, Kiteworks released a 7.6.1 Hotfix software update to address the vulnerability. This patch release adds the mitigation for CVE-2021-44228 contained in the Solr package as recommended by Apache Solr group. Specifically, it updates the Log4j library to a non-vulnerable version on CentOS 7 systems as well as adds the recommended option “$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true” to disable the possible attack vector on both CentOS 6 and CentOS 7. | Kiteworks Statement | ||
Accruent | Analytics | Not vuln | Fix | source | ||||
Accruent | Asset Enterprise | Not vuln | Not vuln | Not vuln | Not vuln | source | ||
Accruent | BigCenter | Not vuln | Fix | source | ||||
Accruent | EMS | Not vuln | Not vuln | Not vuln | Not vuln | source | ||
Accruent | Evoco | Not vuln | Fix | source | ||||
Accruent | Expesite | Not vuln | Fix | source | ||||
Accruent | Famis 360 | Not vuln | Fix | source | ||||
Accruent | Lucernex | Not vuln | Fix | source | ||||
Accruent | Maintenance Connection | Not vuln | Not vuln | Not vuln | Not vuln | source | ||
Accruent | Meridian | Not vuln | Fix | source | ||||
Accruent | Single Sign On (SSO, Central Auth) | Not vuln | Not vuln | Not vuln | Not vuln | source | ||
Accruent | SiteFM3 | Not vuln | Fix | source | ||||
Accruent | SiteFM4 | Not vuln | Fix | source | ||||
Accruent | Siterra | Not vuln | Fix | source | ||||
Accruent | TMS | Not vuln | Not vuln | Not vuln | Not vuln | source | ||
Accruent | VxField | Not vuln | Not vuln | Not vuln | Not vuln | source | ||
Accruent | VxMaintain/VxObserve/VxSustain | Not vuln | Fix | source | ||||
Acquia | All | Acquia Article | ||||||
Acronis | All | Investigation | See further information below | source | ||||
Acronis | Backup | 11.7 | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Acronis | Cyber Backup | 12.5 | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Acronis | Cyber Files | 8.6.2 onwards | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Acronis | Cyber Infrastructure | 3.5 and 4.x | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Acronis | Cyber Protect | 15 | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Acronis | Cyber Protection Home Office | 2017 onwards | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Acronis | DeviceLock DLP | 9.0 | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Acronis | Files Connect | 10.7 onwards | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Acronis | MassTransit | 8.1 and 8.2 | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Acronis | Snap Deploy | 5 and 6 | Not vuln | Not vuln | Not vuln | Not vuln | source | |
ActiveState | All | ActiveState Blog Post | ||||||
Acunetix | 360 | All | Not vuln | source | ||||
Acunetix | Agents | All | Not vuln | source | ||||
Acunetix | Application | All | Not vuln | source | ||||
Acunetix | IAST: ASP.NET | All | Not vuln | source | ||||
Acunetix | IAST: Java | All | Not vuln | Workaround | AcuSensor IAST module needs attention | source | ||
Acunetix | IAST: NodeJS | All | Not vuln | source | ||||
Acunetix | IAST: PHP | All | Not vuln | source | ||||
Adaptec | All | Adaptec Link | ||||||
Addigy | All | Addigy Blog Post | ||||||
Adeptia | All | Adeptia Article | ||||||
Adeptia | Connect | 3.3 | Workaround | Workaround | Workaround | Advisory mentioned only log4j2 and not the CVE | source | |
Adeptia | Connect | 3.4, 3.5 | Workaround | Workaround | Workaround | Advisory mentioned only log4j2 and not the CVE | source | |
Adeptia | Suite | 6.9.10, 6.9.11 | Workaround | Workaround | Workaround | Advisory mentioned only log4j2 and not the CVE | source | |
Adeptia | Suite | 6.9.9 | Workaround | Workaround | Workaround | Advisory mentioned only log4j2 and not the CVE | source | |
Adobe | Acrobat Reader | Not vuln | source | |||||
Adobe | All | Investigation | source | |||||
Adobe | Automated Forms Conversion Service | Vulnerable | source | |||||
Adobe | ColdFusion | All | Not vuln | Fix | Patched on Dec 17th (https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html) | source | ||
Adobe | Experience Manager 6.3 Forms on JEE | all versions from 6.3 GA to 6.3.3 | Not vuln | Workaround | source | |||
Adobe | Experience Manager 6.4 Forms Designer | Vulnerable | source | |||||
Adobe | Experience Manager 6.4 Forms on JEE | all versions from 6.4 GA to 6.4.8 | Not vuln | Workaround | source | |||
Adobe | Experience Manager 6.5 Forms Designer | Not vuln | Fix | source | ||||
Adobe | Experience Manager 6.5 Forms on JEE | all versions from 6.5 GA to 6.5.11 | Not vuln | Workaround | source | |||
Adobe | Experience Manager Forms on OSGi | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Adobe | Experience Manager Forms Workbench | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Adobe ColdFusion | All | Adobe ColdFusion Link | ||||||
ADP | All | Investigation | Patching was needed, no signs of intrusion | source | ||||
Advanced Systems Concepts (formerly Jscape) | Active MFT | Not vuln | Not vuln | Not vuln | Not vuln | This advisory is available to customers only and has not been reviewed by CISA | Log4J Vulnerability | |
Advanced Systems Concepts (formerly Jscape) | MFT | Not vuln | Not vuln | Not vuln | Not vuln | This advisory is available to customers only and has not been reviewed by CISA | Log4J Vulnerability | |
Advanced Systems Concepts (formerly Jscape) | MFT Gateway | Not vuln | Not vuln | Not vuln | Not vuln | This advisory is available to customers only and has not been reviewed by CISA | Log4J Vulnerability | |
Advanced Systems Concepts (formerly Jscape) | MFT Server | Not vuln | Not vuln | Not vuln | Not vuln | This advisory is available to customers only and has not been reviewed by CISA | Log4J Vulnerability | |
AFAS | All | Not vuln | Not vuln | Not vuln | Not vuln | source | ||
AFAS Software | All | AFAS Software Link | ||||||
AFHCAN Global LLC | AFHCANcart | 8.0.7 - 8.4.3 | Not vuln | Not vuln | Not vuln | Not vuln | source | |
AFHCAN Global LLC | AFHCANmobile | 8.0.7 - 8.4.3 | Not vuln | Not vuln | Not vuln | Not vuln | source | |
AFHCAN Global LLC | AFHCANServer | 8.0.7 - 8.4.3 | Not vuln | Not vuln | Not vuln | Not vuln | source | |
AFHCAN Global LLC | AFHCANsuite | 8.0.7 - 8.4.3 | Not vuln | Not vuln | Not vuln | Not vuln | source | |
AFHCAN Global LLC | AFHCANupdate | 8.0.7 - 8.4.3 | Not vuln | Not vuln | Not vuln | Not vuln | source | |
AFHCAN Global LLC | AFHCANweb | 8.0.7 - 8.4.3 | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Agilysys | All | Agilysys Link | ||||||
Ahsay | Mobile | version 1.6+ | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Ahsay | Other products | version 8.5.4.86 (and above) | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Ahsay | PRD | version 2.0 | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Aiden | All | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
AIL | All | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Akamai | Enterprise Application Access (EAA) connector | Not vuln | Not vuln | Not vuln | Not vuln | |||
Akamai | Siem Integration Connector | <1.7.4 | Not vuln | Fix | Fix | Fix | Akamai SIEM Integration Connector is vulnerable to CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. | source |
Akamai | Siem Splunk Connector | =>1.4.10 | Not vuln | Not vuln | Not vuln | Not vuln | v1.4.11 is the new recommendation for mitigation of log4j vulnerabilities. | source |
Akamai | Siem Splunk Connector | <1.4.10 | Not vuln | Workaround | Akamai SIEM Integration Connector for Splunk is not vulnerable to CVE-2021-44228. Although it includes the vulnerable Log4J component, it is not used by the connector. | source | ||
Alcatel | All | Alcatel Link | ||||||
Alertus | Console | 5.15.0 | Not vuln | Fix | source | |||
Alexion | All | Alexion Blog Post | ||||||
Alexion Software | Alexion CRM | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Alfresco (Hyland) | Alfresco | All | Not vuln | Alfresco Blog Post | ||||
AlienVault | All | AlienVault Article Link | ||||||
Alphatron | AMiSconnect | Not vuln | source | |||||
Alphatron | Custo diagnostics | 5.4 to 5.6 | Vulnerable | Potentially vulnerable through the HL7 and DICOM communication interfaces | source | |||
Alphatron | JiveX | Not vuln | source | |||||
Alphatron | Zorgbericht | Not vuln | source | |||||
Alphatron Medical | All | Alphatron Medical Website | ||||||
Amazon | AMS | Not vuln | Fix | Work in progress, portion of customers may still be vulnerable. Actively monitoring this issue, and are working on addressing it for any AMS services which use Log4j2 | source | |||
Amazon | API Gateway | Not vuln | Fix | source | ||||
Amazon | Athena | Not vuln | Fix | source | ||||
Amazon | Athena JDBC driver | Not vuln | Not vuln | Not vuln | Not vuln | All versions vended to customers were not affected | source | |
Amazon | AWS | Linux 1,2 | Not vuln | Not vuln | Not vuln | Not vuln | Notes: Amazon Linux 1 had aws apitools which were Java based but these were deprecated in 2015 (AWS Forum: https://forums.aws.amazon.com/thread.jspa?threadID=323611). AMIs used to inspect and verify (base spin ups) - amzn-ami-hvm-2018.03.0.20200318.1-x86_64-gp2 and amzn2-ami-kernel-5.10-hvm-2.0.20211201.0-x86_64-gp2 | |
Amazon | AWS API Gateway | All | Not vuln | Fix | Amazon AWS Link | |||
Amazon | AWS AppFlow | Not vuln | Fix | source | ||||
Amazon | AWS AppSync | Not vuln | Fix | Updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046 | source | |||
Amazon | AWS AWS Certificate Manager | Not vuln | Fix | source | ||||
Amazon | AWS AWS Certificate Manager Private CA | Not vuln | Fix | source | ||||
Amazon | AWS AWS Service Catalog | Not vuln | Fix | source | ||||
Amazon | AWS CloudHSM | 3.4.1 | Not vuln | Fix | CloudHSM JCE SDK 3.4.1 or higher is not vulnerable | source | ||
Amazon | AWS CodeBuild | Not vuln | Fix | Updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046 | source | |||
Amazon | AWS CodePipeline | Not vuln | Fix | Updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046 | source | |||
Amazon | AWS Connect | All | Not vuln | Fix | Vendors recommend evaluating components of the environment outside of the Amazon Connect service boundary, which may require separate/additional customer mitigation | Vendor Link | ||
Amazon | AWS Directory Service | Not vuln | Fix | source | ||||
Amazon | AWS DynamoDB | Not vuln | Fix | Update for Apache Log4j2 Issue (CVE-2021-44228) | ||||
Amazon | AWS EKS, ECS, Fargate | Not vuln | Fix | To help mitigate the impact of the open-source Apache “Log4j2” utility (CVE-2021-44228 and CVE-2021-45046) security issues on customers’ containers, Amazon EKS, Amazon ECS, and AWS Fargate are deploying a Linux-based update (hot-patch). This hot-patch will require customer opt-in to use, and disables JNDI lookups from the Log4J2 library in customers’ containers. These updates are available as an Amazon Linux package for Amazon ECS customers, as a DaemonSet for Kubernetes users on AWS, and will be in supported AWS Fargate platform versions | Update for Apache Log4j2 Issue (CVE-2021-44228) | |||
Amazon | AWS Elastic Beanstalk | Not vuln | Not vuln | Not vuln | Not vuln | Default configuration of application's usage of Log4j versions is not vulnerable | source | |
Amazon | AWS ElastiCache | Not vuln | Fix | Update for Apache Log4j2 Issue (CVE-2021-44228) | ||||
Amazon | AWS ELB | Not vuln | Fix | Update for Apache Log4j2 Issue (CVE-2021-44228) | ||||
Amazon | AWS Fargate | Not vuln | Not vuln | Not vuln | Not vuln | Opt-in hot-patch to mitigate the Log4j issue in JVM layer will be available as platform versions | source hotpatch | |
Amazon | AWS Glue | Not vuln | Fix | Has been updated. Vulnerable only if ETL jobs load affected versions of Apache Log4j | source | |||
Amazon | AWS Greengrass | Not vuln | Fix | Updates for all Greengrass V2 components Stream Manager (2.0.14) and Secure Tunneling (1.0.6) are available. For Greengrass versions 1.10.x and 1.11.x, an update for the Stream Manager feature is included in Greengrass patch versions 1.10.5 and 1.11.5 | source | |||
Amazon | AWS Inspector | Not vuln | Fix | Update for Apache Log4j2 Issue (CVE-2021-44228) | ||||
Amazon | AWS IoT SiteWise Edge | Not vuln | Fix | Updates for all AWS IoT SiteWise Edge components that use Log4j were made available; OPC-UA collector (v2.0.3), Data processing pack (v2.0.14), and Publisher (v2.0.2) | source | |||
Amazon | AWS Kinesis Data Stream | Not vuln | Fix | We are actively patching all sub-systems that use Log4j2 by applying updates. The Kinesis Client Library (KCL) version 2.X and the Kinesis Producer Library (KPL) are not impacted. For customers using KCL 1.x, we have released an updated version and we strongly recommend that all KCL version 1.x customers upgrade to KCL version 1.14.5 (or higher) | Update for Apache Log4j2 Issue (CVE-2021-44228) | |||
Amazon | AWS KMS | Not vuln | Fix | source | ||||
Amazon | AWS Lambda | Not vuln | Fix | Vulnerable when using aws-lambda-java-log4j2 | source | |||
Amazon | AWS Polly | Not vuln | Fix | source | ||||
Amazon | AWS QuickSight | Not vuln | Fix | source | ||||
Amazon | AWS RDS | Not vuln | Fix | Amazon RDS and Amazon Aurora have been updated to mitigate the issues identified in CVE-2021-44228 | Update for Apache Log4j2 Issue (CVE-2021-44228) | |||
Amazon | AWS S3 | Not vuln | Fix | Update for Apache Log4j2 Issue (CVE-2021-44228) | ||||
Amazon | AWS SDK | Not vuln | Not vuln | Not vuln | Not vuln | source | ||
Amazon | AWS Secrets Manager | Not vuln | Fix | source | ||||
Amazon | AWS SNS | Not vuln | Fix | Amazon SNS systems that serve customer traffic are patched against the Log4j2 issue. We are working to apply the Log4j2 patch to sub-systems that operate separately from SNS’s systems that serve customer traffic | Update for Apache Log4j2 Issue (CVE-2021-44228) | |||
Amazon | AWS SQS | Not vuln | Fix | Update for Apache Log4j2 Issue (CVE-2021-44228) | ||||
Amazon | AWS Systems Manager | Not vuln | Fix | source | ||||
Amazon | AWS Systems Manager Agent | Not vuln | Not vuln | Not vuln | Not vuln | source | ||
Amazon | AWS Textract | Not vuln | Fix | source | ||||
Amazon | Chime | Not vuln | Fix | Amazon Chime and Chime SDK services have been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046 | source | |||
Amazon | Cloud Directory | Not vuln | Fix | source | ||||
Amazon | CloudFront | Not vuln | Fix | source | ||||
Amazon | CloudWatch | Not vuln | Fix | source | ||||
Amazon | Cognito | Not vuln | Fix | source | ||||
Amazon | Connect | Not vuln | Fix | source | ||||
Amazon | Corretto | Not vuln | Not vuln | Not vuln | Not vuln | 10/19 release distribution does not include Log4j. Vulnerable only if customer's applications use affected versions of Apache Log4j | source | |
Amazon | DocumentDB | Not vuln | Fix | source | ||||
Amazon | DynamoDB | Not vuln | Fix | DynamoDB and DynamoDB Accelerator have been updated | source | |||
Amazon | EC2 | Not vuln | Fix | Packages for Amazon Linux 1 and 2 not affected, package for Amazon Linux 2022 is | source fix | |||
Amazon | ECR Public | Not vuln | Fix | Amazon-owned images published under a Verified Account on Amazon ECR Public are not affected by the Log4j issue | source | |||
Amazon | ECS | Not vuln | Not vuln | Not vuln | Not vuln | As an Amazon Linux package, opt-in hot-patch to mitigate the Log4j issue in JVM layer is available | source hotpatch | |
Amazon | EKS | Not vuln | Not vuln | Not vuln | Not vuln | As a DaemonSet, opt-in hot-patch to mitigate the Log4j issue in JVM layer is available | source hotpatch | |
Amazon | Elastic Load Balancing | Not vuln | Fix | Services have been updated. All Elastic Load Balancers, as well as Classic, Application, Network and Gateway, are not affected by this Log4j issue | source | |||
Amazon | ElastiCache | Not vuln | Fix | source | ||||
Amazon | EMR | Not vuln | Fix | Many customers are estimated to be vulnerable. Vulnerable only if affected EMR releases are used and untrusted sources are configured to be processed | source | |||
Amazon | EventBridge | Not vuln | Fix | source | ||||
Amazon | Fraud Detector | Not vuln | Fix | source | ||||
Amazon | Inspector | Not vuln | Fix | source | ||||
Amazon | Inspector Classic | Not vuln | Fix | source | ||||
Amazon | Kafka (MSK) | Not vuln | Fix | Applying updates as required, portion of customers may still be vulnerable. Some MSK-specific service components use Log4j > 2.0.0 library and are being patched where needed | source | |||
Amazon | Kendra | Not vuln | Fix | source | ||||
Amazon | Keyspaces (for Apache Cassandra) | Not vuln | Fix | source | ||||
Amazon | Kinesis | Not vuln | Fix | Update for Kinesis Agent is available | source | |||
Amazon | Kinesis Data Analytics | Not vuln | Fix | Updates are available. See source for more information | source | |||
Amazon | Kinesis Data Streams | Not vuln | Fix | KCL 2.x, KCL 1.14.5 or higher, and KPL are not vulnerable | source | |||
Amazon | Lake Formation | Not vuln | Fix | Update in progress, portion of customers may still be vulnerable. AWS Lake Formation service hosts are being updated to the latest version of Log4j | source | |||
Amazon | Lex | Not vuln | Fix | source | ||||
Amazon | Linux 1 (AL1) | Not vuln | Not vuln | Not vuln | Not vuln | By default not vulnerable. Opt-in hot-patch to mitigate the Log4j in JVM layer issue is available | source hotpatch | |
Amazon | Linux 2 (AL2) | Not vuln | Fix | By default not vulnerable, and a new version of Amazon Kinesis Agent which is part of AL2 addresses the Log4j issue. Opt-in hot-patch to mitigate the Log4j issue in JVM layer is available | source hotpatch | |||
Amazon | Lookout for Equipment | Not vuln | Fix | source | ||||
Amazon | Macie | Not vuln | Fix | source | ||||
Amazon | Macie Classic | Not vuln | Fix | source | ||||
Amazon | Managed Workflows for Apache Airflow (MWAA) | Not vuln | Fix | source | ||||
Amazon | MemoryDB for Redis | Not vuln | Fix | source | ||||
Amazon | Monitron | Not vuln | Fix | source | ||||
Amazon | MQ | Not vuln | Fix | source | ||||
Amazon | Neptune | Not vuln | Fix | source | ||||
Amazon | NICE | Not vuln | Fix | Recommended to update EnginFrame or Log4j library | source | |||
Amazon | OpenSearch | R20211203-P2 | Not vuln | Fix | Update released, customers need to update their clusters to the fixed release | source | ||
Amazon | Pinpoint | Not vuln | Fix | source | ||||
Amazon | RDS | Rolling update has completed | Not vuln | Fix | source | |||
Amazon | RDS Aurora | Rolling update has completed | Not vuln | Fix | source | |||
Amazon | RDS for Oracle | Not vuln | Fix | source | ||||
Amazon | Redshift | Not vuln | Fix | source | ||||
Amazon | Rekognition | Not vuln | Fix | source | ||||
Amazon | Route53 | Not vuln | Fix | source | ||||
Amazon | S3 | Not vuln | Fix | source | ||||
Amazon | SageMaker | Not vuln | Fix | Completed patching for the Apache Log4j2 issue (CVE-2021-44228). Vulnerable only if customer's applications use affected versions of Apache Log4j | source | |||
Amazon | Simple Notification Service (SNS) | Not vuln | Fix | Systems that serve customer traffic are patched against the Log4j2 issue. Working to apply the patch to sub-systems that operate separately from SNS’s systems that serve customer traffic. | source | |||
Amazon | Simple Queue Service (SQS) | Not vuln | Fix | source | ||||
Amazon | Simple Workflow Service (SWF) | Not vuln | Fix | source | ||||
Amazon | Single Sign-On | Not vuln | Fix | source | ||||
Amazon | Step Functions | Not vuln | Fix | source | ||||
Amazon | Timestream | Not vuln | Fix | source | ||||
Amazon | Translate | Not vuln | Not vuln | Not vuln | Not vuln | Service not identified on AWS Log4j Security Bulletin (https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) | Amazon Translate | |
Amazon | VPC | Not vuln | Fix | source | ||||
Amazon | WorkSpaces/AppStream 2.0 | Not vuln | Fix | Not affected with default configurations. WorkDocs Sync client versions 1.2.895.1 and older within Windows WorkSpaces, which contain the Log4j component, are vulnerable. For update instructions, see source for more info | source | |||
AMD | All | Not vuln | Not vuln | Not vuln | Not vuln | Currently, no AMD products have been identified as affected. AMD is continuing its analysis. | AMD Advisory Link | |
Anaconda | All | 4.10.3 | Not vuln | Not vuln | Not vuln | Not vuln | source | |
AOMEI | All Products | Not vuln | source | |||||
Apache | ActiveMQ Artemis | All | Not vuln | Not vuln | Not vuln | Not vuln | ActiveMQ Artemis does not use Log4j for logging. However, Log4j 1.2.17 is included in the Hawtio-based web console application archive (i.e. web/console.war/WEB-INF/lib). Although this version of Log4j is not impacted by CVE-2021-44228, future versions of Artemis will be updated so that the Log4j jar is no longer included in the web console application archive. See ARTEMIS-3612 (https://issues.apache.org/jira/browse/ARTEMIS-3612) for more information on that task. | ApacheMQ - Update on CVE-2021-4428 |
Apache | Airflow | Not vuln | Not vuln | Not vuln | Not vuln | Airflow is written in Python | Apache Airflow | |
Apache | Archiva | <2.2.6 | Not vuln | Fix | Fixed in 2.2.6 | source fix | ||
Apache | Camel | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Apache | Camel 2 | Not vuln | Not vuln | Not vuln | Not vuln | APACHE CAMEL AND CVE-2021-44228 (LOG4J) | ||
Apache | Camel JBang | <=3.1.4 | Vulnerable | APACHE CAMEL AND CVE-2021-44228 (LOG4J) | ||||
Apache | Camel K | Not vuln | Not vuln | Not vuln | Not vuln | APACHE CAMEL AND CVE-2021-44228 (LOG4J) | ||
Apache | Camel Karaf | Vulnerable | The Karaf team is aware of this and are working on a new Karaf 4.3.4 release with updated log4j. | APACHE CAMEL AND CVE-2021-44228 (LOG4J) | ||||
Apache | Camel Quarkus | Not vuln | Not vuln | Not vuln | Not vuln | APACHE CAMEL AND CVE-2021-44228 (LOG4J) | ||
Apache | CamelKafka Connector | Not vuln | Not vuln | Not vuln | Not vuln | APACHE CAMEL AND CVE-2021-44228 (LOG4J) | ||
Apache | Cassandra | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Apache | Druid | 0.22.1 | Not vuln | Fix | source | |||
Apache | Dubbo | All | Not vuln | Fix | source | |||
Apache | Flink | 1.15.0, 1.14.2, 1.13.5, 1.12.7, 1.11.6 | Not vuln | Fix | source | |||
Apache | Fortress | < 2.0.7 | Not vuln | Fix | Fixed in 2.0.7 | source | ||
Apache | Geode | 1.14.0 | Not vuln | Fix | Fixed in 1.12.6, 1.13.5, 1.14.1 | source | ||
Apache | Guacamole | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Apache | Hadoop | Not vuln | Not vuln | Not vuln | Not vuln | Uses log4j 1.x. There are plans to migrate to log4j2 (https://issues.apache.org/jira/plugins/servlet/mobile#issue/HADOOP-12956) but never performed | source | |
Apache | HBase | Vulnerable | Fix is committed, but not yet released | source | ||||
Apache | Hive | 4.x | Not vuln | Fix | Fix in 4.x | source | ||
Apache | James | 3.6.0 | Vulnerable | source | ||||
Apache | Jena | < 4.3.1 | Not vuln | Fix | Fixed in 4.3.1 | source | ||
Apache | JMeter | Any | Vulnerable | Manual Bypass | source | |||
Apache | JSPWiki | 2.11.1 | Not vuln | Fix | source | |||
Apache | Kafka | All | Workaround | Not vuln | Not vuln | Not vuln | Uses Log4j 1.2.17 | source |
Apache | Karaf | Vulnerable | Depends on PAX logging (https://github.com/ops4j/org.ops4j.pax.logging/issues/414), which is affected | source | ||||
Apache | Log4j | < 2.15.0 | Not vuln | Fix | Log4j – Apache Log4j Security Vulnerabilities | |||
Apache | Log4j 1.x | All | Workaround | Not vuln | Not vuln | Not vuln | source | |
Apache | Log4j 2 | 2.3.1, 2.12.3, 2.17.0 | Not vuln | Fix | Fix | Fix | source | |
Apache | Maven | All | Not vuln | source | ||||
Apache | NiFi | All | Not vuln | Fix | Fixed in 1.15.1, 1.16.0 | source | ||
Apache | OFBiz | < 18.12.03 | Not vuln | Fix | Fixed in 18.12.03 | source | ||
Apache | Ozone | < 1.2.1 | Not vuln | Fix | Fixed in 1.2.1 | source | ||
Apache | SkyWalking | < 8.9.1 | Not vuln | Fix | Fixed in 8.9.1 | source | ||
Apache | SOLR | 7.4.0 to 7.7.3, 8.0.0 to 8.11.0 | Not vuln | Fix | Fixed in 8.11.1, Versions before 7.4 also vulnerable when using several configurations | source | ||
Apache | Spark | All | Not vuln | Not vuln | Not vuln | Not vuln | Uses log4j 1.x | source |
Apache | Struts | 2.5.28 | Vulnerable | source | ||||
Apache | Struts 2 | Versions before 2.5.28.1 | Not vuln | Fix | The Apache Struts group is pleased to announce that Struts 2.5.28.1 is available as a “General Availability” release. The GA designation is our highest quality grade. This release addresses Log4j vulnerability CVE-2021-45046 by using the latest Log4j 2.12.2 version (Java 1.7 compatible). | Apache Struts Announcements | ||
Apache | Tapestry | 5.7.3 | Vulnerable | Uses Log4j | source | |||
Apache | Tika | 2.0.0 and up | Vulnerable | source | ||||
Apache | Tomcat | Not vuln | Not vuln | Not vuln | Not vuln | source | ||
Apache | TrafficControl | Vulnerable | source | |||||
Apache | Zookeeper | Not vuln | Not vuln | Not vuln | Not vuln | Zookeeper uses Log4j 1.2 version | source | |
APC by Schneider Electric | Powerchute Business Edition | v9.5, v10.0.1, v10.0.2, v10.0.3, v10.0.4 | Not vuln | Fix | Mitigation instructions to remove the affected class. | source | ||
APC by Schneider Electric | Powerchute Network Shutdown | 4.2, 4.3, 4.4, 4.4.1 | Not vuln | Fix | Mitigation instructions to remove the affected class. | source | ||
Apereo | CAS | 6.3.x & 6.4.x | Not vuln | Fix | Other versions still in active maintenance might need manual inspection | source | ||
Apereo | Opencast | < 9.10, < 10.6 | Not vuln | Fix | source | |||
Apigee | Edge and OPDK products | All versions | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Apollo | All | Apollo Community Link | ||||||
Appdynamics | All | Appdynamics Advisory Link | ||||||
Appeon | PowerBuilder | Appeon PowerBuilder 2017-2021 regardless of product edition | Vulnerable | |||||
AppGate | All | AppGate Blog Post | ||||||
Appian | All | Not vuln | Fix | source | ||||
Appian | Platform | All | Not vuln | Fix | KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046) | |||
Application Performance Ltd | DBMarlin | Not Affected | ||||||
Application Performance Ltd | DBMarlin | Not vuln | Not vuln | Not vuln | Not vuln | Common Vulnerabilities Apache log4j Vulnerability CVE-2021-4428 | ||
APPSHEET | All | APPSHEET Community Link | ||||||
Aptible | All | Search 5.x | Not vuln | Fix | source | |||
Aqua Security | All | Aqua Security Google Doc | ||||||
Arbiter Systems | All | Not vuln | Not vuln | Not vuln | Not vuln | Arbiter Systems Advisory Link | ||
Arca Noae | All | Arca Noae Link | ||||||
Arcserve | Backup | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Arcserve | Continuous Availability | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Arcserve | Email Archiving | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Arcserve | ShadowProtect | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Arcserve | ShadowXafe | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Arcserve | Solo | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Arcserve | StorageCraft OneXafe | All | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Arcserve | UDP | 6.5-8.3 | Not vuln | Not vuln | Not vuln | Not vuln | source | |
ArcticWolf | All | ArcticWolf Blog Post | ||||||
Arduino | IDE | 1.8.17 | Not vuln | Fix | source | |||
Ariba | All | Ariba Announcement | ||||||
Arista | All | Arista Advisory Notice | ||||||
Arista Networks | Analytics Node for Converged Cloud Fabric (formerly Big Cloud Fabric) | >7.0.0 | Vulnerable | source | ||||
Arista Networks | Analytics Node for DANZ Monitoring Fabric (formerly Big Monitoring Fabric) | >7.0.0 | Vulnerable | source | ||||
Arista Networks | CloudVision Portal | >2019.1.0 | Vulnerable | source | ||||
Arista Networks | CloudVision Wi-Fi, virtual appliance or physical appliance | >8.8 | Vulnerable | source | ||||
Arista Networks | Embedded Analytics for Converged Cloud Fabric (formerly Big Cloud Fabric) | >5.3.0 | Vulnerable | source | ||||
Aruba Networks | All | Aruba Networks Notification | ||||||
Ataccama | All | Ataccama Link | ||||||
Atera | All | Atera Link | ||||||
Atlassian | Bamboo Server & Data Center | On prem | Vulnerable | Only vulnerable when using non-default config, cloud version fixed | source | |||
Atlassian | BitBucket Server | On prem | Not vuln | Workaround | source | |||
Atlassian | Bitbucket Server & Data Center | All | Not vuln | Fix | This product is not vulnerable to remote code execution but may leak information due to the bundled Elasticsearch component being vulnerable. | Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228 | ||
Atlassian | Confluence Server & Data Center | On prem | Vulnerable | Only vulnerable when using non-default config, cloud version fixed | source | |||
Atlassian | Confluence-CIS CSAT Pro | v1.7.1 | Vulnerable | source | ||||
Atlassian | Confluence-CIS WorkBench | Not vuln | source | |||||
Atlassian | Confluence-CIS-CAT Lite | v4.13.0 | Vulnerable | source | ||||
Atlassian | Confluence-CIS-CAT Pro Assessor v3 Full and Dissolvable | v3.0.77 | Vulnerable | source | ||||
Atlassian | Confluence-CIS-CAT Pro Assessor v4 | v4.13.0 | Vulnerable | source | ||||
Atlassian | Confluence-CIS-CAT Pro Assessor v4 Service | v1.13.0 | Vulnerable | source | ||||
Atlassian | Confluence-CIS-CAT Pro Dashboard | Not vuln | source | |||||
Atlassian | Confluence-CIS-Hosted CSAT | Not vuln | source | |||||
Atlassian | Crowd Server & Data Center | On prem | Vulnerable | Only vulnerable when using non-default config, cloud version fixed | source | |||
Atlassian | Crucible | On prem | Vulnerable | Only vulnerable when using non-default config, cloud version fixed | source | |||
Atlassian | Fisheye | On prem | Vulnerable | Only vulnerable when using non-default config, cloud version fixed | source | |||
Atlassian | Jira Server & Data Center | On prem | Vulnerable | Only vulnerable when using non-default config, cloud version fixed | source | |||
Attivo networks | All | Attivo Networks Advisory | ||||||
AudioCodes | All | AudioCodes Link | ||||||
Autodesk | All | Investigation | source | |||||
Automation Anywhere | Automation 360 Cloud | Not vuln | Fix | source | ||||
Automation Anywhere | Automation 360 On Premise | Not vuln | Workaround | source | ||||
Automation Anywhere | Automation Anywhere | 11.3.x | Not vuln | Not vuln | Not vuln | Not vuln | source | |
Automation Anywhere | Automation Anywhere | 11.x, <11.3.x | Not vuln | Workaround | Workaround | Workaround | source | |
Automox | All | Automox Blog Post | ||||||
Autopsy | All | Autopsy Link | ||||||
Auvik | All | Auvik Status Link | ||||||
Avantra SYSLINK | All | Avantra SYSLINK Article | ||||||
Avaya | All | source | ||||||
Avaya | Analytics | 3.5, 3.6, 3.6.1, 3.7, 4 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Aura for OneCloud Private | Vulnerable | Avaya is scanning and monitoring its OneCloud Private environments as part of its management activities. Avaya will continue to monitor this fluid situation and remediations will be made as patches become available, in accordance with appropriate change processes. | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Aura® Application Enablement Services | 8.1.3.2, 8.1.3.3, 10.1 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Aura® Contact Center | 7.0.2, 7.0.3, 7.1, 7.1.1, 7.1.2 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Aura® Device Services | 8.0.1, 8.0.2, 8.1.3 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Aura® Device Services | 8, 8.1, 8.1.4, 8.1.5 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Aura® Media Server | 8.0.0, 8.0.1, 8.0.2 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Aura® Presence Services | 10.1, 7.1.2, 8, 8.0.1, 8.0.2, 8.1, 8.1.1, 8.1.2, 8.1.3, 8.1.4 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Aura® Session Manager | 10.1, 7.1.3, 8, 8.0.1, 8.1, 8.1.1, 8.1.2, 8.1.3 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Aura® System Manager | 10.1, 8.1.3 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Aura® Web Gateway | 3.11[P], 3.8.1[P], 3.8[P], 3.9.1[P], 3.9[P] | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Breeze™ | 3.7, 3.8, 3.8.1 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Business Rules Engine | 3.4, 3.5, 3.6, 3.7 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Callback Assist | 5, 5.0.1 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Contact Center Select | 7.0.2, 7.0.3, 7.1, 7.1.1, 7.1.2 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Control Manager | 9.0.2, 9.0.2.1 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | CRM Connector - Connected Desktop | 2.2 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Device Enablement Service | 3.1.22 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Device Enrollment Service | 3.1 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Equinox™ Conferencing | 9.1.2 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Interaction Center | 7.3.9 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | IP Office™ Platform | 11.0.4, 11.1, 11.1.1, 11.1.2 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Meetings | 9.1.10, 9.1.11, 9.1.12 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | one cloud private -UCaaS - Mid Market Aura | 1 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | OneCloud-Private | 2 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Proactive Outreach Manager | 3.1.2, 3.1.3, 4, 4.0.1 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
Avaya | Session Border Controller for Enterprise | 8.0.1, 8.1, 8.1.1, 8.1.2, 8.1.3 | Not vuln | Fix | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | |||
Avaya | Social Media Hub | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | |||||
Avaya | Workforce Engagement | 5.3 | Vulnerable | Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security | ||||
AVEPOINT | All | AVEPOINT Notification | ||||||
AVM | All | devices, firmware, software incl. MyFritz Service | Not vuln | source | ||||
AvTech RoomAlert | All | AvTech RoomAlert Article | ||||||
AWS New | All | AWS New Security Bulletin | ||||||
AXIS | OS | All | Not vuln | source | ||||
AXON | All | AXON Link | ||||||
AXS Guard | All | AXS Guard Blog Post | ||||||
Axways Applications | All | Axways Applications Link |