On December 9, 2021, the following critical vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions earlier than 2.15.0 was disclosed:
- CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
On December 14, 2021, the following low-impact vulnerability, which affects certain Apache Log4j use cases in versions 2.15.0 and earlier, was discovered:
- CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
For more information, please see the Cisco Security Advisory here:
Frequently Asked Questions
Q: That page lists "Umbrella DNS: Remediated / Umbrella SIG: Remediated," but what does "remediated" mean?
A: Any Cisco Umbrella systems that used Log4j had steps applied to prevent them from being vulnerable.
Q: What changes were made by Cisco Umbrella to remediate this?
A: Potentially vulnerable systems were patched or upgraded, had configuration changes made, or had JNDI disabled entirely, as appropriate.
Q: Only Umbrella Cloud is mentioned; what about deployed software such as Virtual Appliances, Roaming Clients, Active Directory Connectors, etc.?
A: There is no deployable Umbrella software which uses Log4j.
Q: Do I as an Umbrella customer need to do anything to get the remediation?
Q: Can Umbrella protect my own systems from attacks that exploit this vulnerability?
A: Although Umbrella can block attempts by an exploited system to use DNS lookups to exfiltrate data, and Umbrella SWG can block HTTP communication to malicious IP addresses, we recommend applying remediations directly to vulnerable systems rather than depending only on Umbrella for protection.
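For the recommendation above to remediate vulnerable systems directly, the following added example (not part of the Cisco notice and not Cisco code) inventories log4j-core JARs under a directory and maps each to the CVEs using the version ranges stated at the top of this page. It assumes the version can be read from the standard `log4j-core-<version>.jar` file name, so renamed, shaded or nested JARs are not covered, and it reports whether the `JndiLookup` class is still present in the archive.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class that implements JNDI lookups in log4j-core. Checking for it is an
# assumption of this example; the page only says JNDI was "disabled entirely".
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")


def cves_for(version):
    """Return the CVEs this page lists for a (major, minor, patch) version."""
    if version[0] != 2:                # the page covers Log4j2 only
        return []
    cves = []
    if version < (2, 15, 0):           # "earlier than 2.15.0"
        cves.append("CVE-2021-44228")
    if version <= (2, 15, 0):          # "2.15.0 and earlier"
        cves.append("CVE-2021-45046")
    return cves


def scan(root):
    """Walk root and describe every log4j-core JAR found by file name."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        m = NAME_RE.match(jar.name)
        if not m:
            continue
        version = tuple(int(g or 0) for g in m.groups())
        try:
            with zipfile.ZipFile(jar) as zf:
                has_jndi = JNDI_CLASS in zf.namelist()
        except zipfile.BadZipFile:
            has_jndi = None            # unreadable archive: review by hand
        findings.append({
            "jar": str(jar),
            "version": version,
            "cves": cves_for(version),
            "jndi_lookup_class": has_jndi,
        })
    return findings


if __name__ == "__main__":
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        ver = ".".join(map(str, f["version"]))
        print(f["jar"], ver, ",".join(f["cves"]) or "-",
              "JndiLookup present:", f["jndi_lookup_class"])
```

The version ranges are taken from this page as written; later Log4j releases and advisories are outside what the script evaluates.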