Apache Log4j Log4Shell exploit which products & services are affected?

By Brian Aykut. Published: Sunday, 12th December, 2021

This zero-day exploit (CVE-2021-44228 | Apache’s page on this issue) which has been dubbed by some sites Log4Shell allows for unauthenticated remote code execution, so in other words, it’s about as bad as they come. Unfortunately, this combined with how widely Log4j is used this vulnerability is a particularly dangerous one. Apache has published various mitigations here. Many many applications use this particular library and whilst it’s most likely to impact servers and Sofware as a Service provider, it was noted quite early that games such as Minecraft were being actively exploited.

Thankfully many services have taken this quite seriously and have already pushed patches out.

Lunasec has an excellent article on this vulnerability if you’d like to dig into the details. I’ll continue to update this article as I come across additional impacted products or services and will link to relevant statements from these companies and mitigation advice where practical.

Services/software which are or were likely affected include:

Minecraft Java edition (patch available)
Various Cisco products and services (some are under investigation, some confirmed vulnerable, some safe)
Various AWS services (some are safe, others vulnerable)
Various Redhat products and Services (mutiple vulnerable)
Various VMWare products (noted as under evaluation but sounds likely effected)

Largely unaffected – some edge cases

cPanel/WHM – (Default install should be unaffected, only cPanel Solr if installed, possible some customizations could lead to vulnerabilities – Installing Tomcat via EasyPache 4 is one noted example)

Unconfirmed

iCloud (Wired has linked to evidence suggesting DNS request may be triggered but not necessarily RCE)

Software/services likely incorrectly reported as vulnerable or only partially vulnerable.

Steam (1, 2 – mistakenly reported based on solely on a DNS request being triggered, Steam has apparently checked and whilst a DNS request could be triggered remote code execution was not possible)
- Whilst Steam may not suffer from this issue directly that does not rule out games it supports being vulnerable.

Mitigations

Apache’s advice is available here
Cloudflare WAF users have additional managed rules available to prevent this issue being exploited

Further notes

That’s it for now, I’ll continue to update this page as I find out more! Good luck and for those affected may the odds be ever in your favour (hopefully you’re not hit!).