Version 1.6: April 13, 2022
Vulnerability Timeline Summary
December 9, 2021: A vulnerability, CVE-2021-44228, in the Apache Log4j Java logging library affecting all Log4j versions prior to 2.15.0 was disclosed.
December 14, 2021: A related vulnerability, CVE-2021-45046, was disclosed; it is addressed in Log4j version 2.16.0.
December 18, 2021: Apache released Log4j 2.17.0 to address a third vulnerability: CVE-2021-45105.
This information is based on Cisco’s investigation to date and is subject to change. In the event of new information, Cisco will provide updates via this page.
Resources
Cisco's Response
When the Apache Log4j vulnerabilities became known in December 2021, Cisco actively addressed them as quickly as possible. At this time, all affected Cisco products have either been remediated or a software update has been released. Cisco’s software updates for on-premises products are addressing CVE-2021-44228 and CVE-2021-45046 by updating to Log4j version 2.16.0, at a minimum, or an equivalent level of security protection. Cisco has reviewed CVE-2021-45105 and has determined that no Cisco products or cloud offerings are impacted by this vulnerability.
Please see the Products section of the security advisory for detailed information.
Cisco Talos has blocked domains, IP addresses, and hashes that are related to attempted exploitation of the vulnerability. Please see the Talos threat advisory for information on available Snort SIDs, ClamAV signatures, and endpoint Cloud Indicators of Compromise.
Cisco IT enacted its emergency operations process and employed multiple methods to respond to this incident. We use various security measures to safeguard our systems and networks, including proactive inventory tools, scanning, and intrusion detection and prevention measures.
Common Questions
Q: What is Cisco’s approach to addressing the vulnerabilities disclosed for Apache Log4j?
When the vulnerabilities became known, Cisco worked to address the disclosed vulnerabilities as quickly as possible and prioritized software updates based on severity. Cisco’s software updates for on-premises products are addressing CVE-2021-44228 and CVE-2021-45046 by updating to Log4j version 2.16.0, at a minimum, or an equivalent level of security protection. Cisco has reviewed CVE-2021-45105 and has determined that no Cisco products or cloud offerings are impacted by this vulnerability.
The specific software update information for affected products can be found in the Products section of the security advisory.
For Cisco Cloud Offerings, the security advisory includes a table that lists remediation status for CVE-2021-44228 (Log4j 2.15.0 update - column one) and remediation status for CVE-2021-45046 (Log4j 2.16.0 update - column two). Cisco has reviewed CVE-2021-45105 and has determined that no Cisco products or cloud offerings are impacted by this vulnerability.
Q: How has Cisco remediated the security vulnerabilities in its software updates?
Cisco used a variety of software development methods to remediate the Log4j vulnerabilities in its products. Updating the version of Log4j is not the only remediation method. There may be alternative methods of remediation that can provide an equivalent level of security, such as removing the JndiLookup class from the log4j-core JAR file. Which method Cisco uses in a given situation depends upon various factors, including the product’s architecture, how Log4j is used in the product, the configuration of product features, and more. In all cases, Cisco worked to deliver effective fixes as quickly as possible using every possible method of remediating the vulnerabilities.
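The two remediation routes named in this answer (a Log4j update to 2.16.0 or later, or removal of the JndiLookup class from the log4j-core JAR) can both be verified by inspecting an archive. The following is an added example, not Cisco's code; it assumes the standard log4j-core layout for the class path and `pom.properties` location, and the verdict names and sample archives are constructed for illustration.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MIN_FIXED = (2, 16, 0)  # minimum Log4j version named on this page

def make_jar(version, with_jndi, nested=None):
    """Build a constructed sample archive in memory (not a real log4j-core)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()

def assess(data, name="app", depth=0):
    """Return [(path, verdict)] for each log4j-core copy inside an archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    found = []
    with zf:
        names = zf.namelist()
        has_jndi = JNDI_CLASS in names
        version = None
        if POM_PROPS in names:
            text = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
            version = tuple(map(int, m.groups())) if m else None
        if POM_PROPS in names or has_jndi:
            if version and version >= MIN_FIXED:
                verdict = "updated"
            elif not has_jndi:
                verdict = "class-removed"
            else:
                verdict = "needs-remediation"
            found.append((name, verdict))
        # Fat JARs, WARs and EARs embed further archives; bound the recursion.
        if depth < 4:
            for n in names:
                if n.lower().endswith((".jar", ".war", ".ear")):
                    found += assess(zf.read(n), f"{name}!/{n}", depth + 1)
    return found
```

To check a file on disk, pass its bytes, for example `assess(open(path, "rb").read(), path)`. Shaded copies that carry the class but no `pom.properties` are reported as `needs-remediation`.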
Q: Which Cisco products are affected by this vulnerability?
Please see the Products section of the security advisory for the list of products affected by this vulnerability. All affected Cisco products have either been remediated or have a software update available.
Q: When will software updates for Cisco products be available?
All affected Cisco products have either been remediated or have a software update available. More information and links to software updates are available on the security advisory.
Q: What support is available to customers for the software updates?
Customers that require assistance with this security vulnerability or have a question during or after installation of a software update have options depending on their contract situation:
Customers with a Cisco support contract: Online TAC resources are available at cisco.com/support including an option to open a new case. To change severity or escalate an existing case, use TAC Connect Bot to reach the case owner and duty manager, or contact the case owner directly. Alternatively, you can contact TAC by phone.
Customers with a support contract from a contracted maintenance provider: Please contact your authorized support provider directly.
Customers without a support contract: Contact Cisco TAC by phone.
Q: Are there any product workarounds available?
Workarounds, where available, are documented in the product-specific Cisco bugs, which are identified in the security advisory. Cisco has actively leveraged its array of security measures, including intrusion prevention and detection measures, to mitigate potential risks. Additionally, Cisco Talos has published signatures to help protect against potential threats on the threat advisory.
Q: Will Cisco provide software updates for products that have reached the End of Support milestone?
At this time, Cisco has provided software updates for currently supported products. Cisco PSIRT and Engineering do not evaluate software that has passed the End of Support milestone, and it will not be listed in the security advisory. For additional information, please review the Security Vulnerability Policy and the End-of-Sale and End-of-Life Products list.
Q: How many products has Cisco assessed?
Cisco investigated over 200 products and determined around 50 products contain the Apache vulnerability and more than 130 products do not.
Q: Has Cisco seen exploitation of Cisco products?
The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability in the Apache Log4j library. We ask our customers to please review the security advisory for the latest information and take appropriate action.
Q: How is Cisco protecting its own corporate IT network?
Cisco uses various security measures to safeguard its systems and networks, including intrusion detection and prevention measures. Read more about how our Security & Trust organization helps protect Cisco.
Q: Are Cisco’s vendors/suppliers impacted by this issue?
Cisco engaged with vendors and supply chain partners to assess any potential impact to their businesses.
Q: Did Cisco shut down any services as a result of this vulnerability?
No. All Cisco services remain operational.
Q: Which software version(s) of Log4j were used at Cisco?
Several different software versions of the Apache library were in use at Cisco.
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.