List of software (un)affected by the log4shell CVEs

June 15, 2022 · View on GitHub

About this list

0-9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A

SupplierProductVersion (see Status)Status CVE-2021-4104Status CVE-2021-44228Status CVE-2021-45046Status CVE-2021-45105NotesLinks
APC by Schneider ElectricPowerchute Business EditionFixMitigation instructions to remove the affected class.link
APC by Schneider ElectricPowerchute Network ShutdownFixMitigation instructions to remove the affected class.link
ARC InformatiqueAllNot vulnlink
Advanced Micro Devices (AMD)AllNot vulnlink
AlfrescoAllNot vulnlink
AtviseAllNot vulnThe security vulnerability does NOT affect our applications and products or pose any threat. This applies to all Bachmann applications and products, including atvise solutions.link
ABBAlarminsight CloudNot vulnNot vulnNot vulnNot vulnsource
ABBB&R ProductsNot vulnNot vulnNot vulnNot vulnsource
ABBRemote ServiceNot vulnFixDetails are shared with customers with an active RAP subscriptionsource
AbbottAllInvestigationsource
AbbottGLP Track SystemTrack Sample Manager (TSM) and Track Workflow Manager (TWM) communication interfacesVulnerableVulnerableVulnerableAbbott will provide a fix for this in a future update expected in January 2022.source
Abnormal SecurityAllNot vulnNot vulnNot vulnNot vulnAbnormal Blog
AccellenceAllAccellence Article
Accellence TechnologiesEBÜSAllNot vulnWorkaroundEBÜS itself is not vulnerable to CVE-2021-44228. Although it includes several 3rd-partie software setups, which may be affected (see source for more info).source
Accellence TechnologiesvimaccAllNot vulnNot vulnNot vulnNot vulnsource
AccellionKiteworksv7.6 releaseNot vulnFixAs a precaution, Kiteworks released a 7.6.1 Hotfix software update to address the vulnerability. This patch release adds the mitigation for CVE-2021-44228 contained in the Solr package as recommended by Apache Solr group. Specifically, it updates the Log4j library to a non-vulnerable version on CentOS 7 systems as well as adds the recommended option “$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true” to disable the possible attack vector on both CentOS 6 and CentOS 7.Kiteworks Statement
AccruentAnalyticsNot vulnFixsource
AccruentAsset EnterpriseNot vulnNot vulnNot vulnNot vulnsource
AccruentBigCenterNot vulnFixsource
AccruentEMSNot vulnNot vulnNot vulnNot vulnsource
AccruentEvocoNot vulnFixsource
AccruentExpesiteNot vulnFixsource
AccruentFamis 360Not vulnFixsource
AccruentLucernexNot vulnFixsource
AccruentMaintenance ConnectionNot vulnNot vulnNot vulnNot vulnsource
AccruentMeridianNot vulnFixsource
AccruentSingle Sign On (SSO, Central Auth)Not vulnNot vulnNot vulnNot vulnsource
AccruentSiteFM3Not vulnFixsource
AccruentSiteFM4Not vulnFixsource
AccruentSiterraNot vulnFixsource
AccruentTMSNot vulnNot vulnNot vulnNot vulnsource
AccruentVxFieldNot vulnNot vulnNot vulnNot vulnsource
AccruentVxMaintain/VxObserve/VxSustainNot vulnFixsource
AcquiaAllAcquia Article
AcronisAllInvestigationSee further information belowsource
AcronisBackup11.7Not vulnNot vulnNot vulnNot vulnsource
AcronisCyber Backup12.5Not vulnNot vulnNot vulnNot vulnsource
AcronisCyber Files8.6.2 onwardsNot vulnNot vulnNot vulnNot vulnsource
AcronisCyber Infrastructure3.5 and 4.xNot vulnNot vulnNot vulnNot vulnsource
AcronisCyber Protect15Not vulnNot vulnNot vulnNot vulnsource
AcronisCyber Protection Home Office2017 onwardsNot vulnNot vulnNot vulnNot vulnsource
AcronisDeviceLock DLP9.0Not vulnNot vulnNot vulnNot vulnsource
AcronisFiles Connect10.7 onwardsNot vulnNot vulnNot vulnNot vulnsource
AcronisMassTransit8.1 and 8.2Not vulnNot vulnNot vulnNot vulnsource
AcronisSnap Deploy5 and 6Not vulnNot vulnNot vulnNot vulnsource
ActiveStateAllActiveState Blog Post
Acunetix360AllNot vulnsource
AcunetixAgentsAllNot vulnsource
AcunetixApplicationAllNot vulnsource
AcunetixIAST: ASP. NETAllNot vulnsource
AcunetixIAST: JavaAllNot vulnWorkaroundAcuSensor IAST module needs attentionsource
AcunetixIAST: NodeJSAllNot vulnsource
AcunetixIAST: PHPAllNot vulnsource
AdaptecAllAdaptec Link
AddigyAllAddigy Blog Post
AdeptiaAllAdeptia Article
AdeptiaConnect3.3WorkaroundWorkaroundWorkaroundAdvisory mentioned only log4j2 and not the CVEsource
AdeptiaConnect3.4, 3.5WorkaroundWorkaroundWorkaroundAdvisory mentioned only log4j2 and not the CVEsource
AdeptiaSuite6.9.10, 6.9.11WorkaroundWorkaroundWorkaroundAdvisory mentioned only log4j2 and not the CVEsource
AdeptiaSuite6.9.9WorkaroundWorkaroundWorkaroundAdvisory mentioned only log4j2 and not the CVEsource
AdobeAcrobat ReaderNot vulnsource
AdobeAllInvestigationsource
AdobeAutomated Forms Conversion ServiceVulnerablesource
AdobeColdFusionAllNot vulnFixhttps://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html Patched on Dec 17thsource
AdobeExperience Manager 6.3 Forms on JEEall versions from 6.3 GA to 6.3.3Not vulnWorkaroundsource
AdobeExperience Manager 6.4 Forms DesignerVulnerablesource
AdobeExperience Manager 6.4 Forms on JEEall versions from 6.4 GA to 6.4.8Not vulnWorkaroundsource
AdobeExperience Manager 6.5 Forms DesignerNot vulnFixsource
AdobeExperience Manager 6.5 Forms on JEEall versions from 6.5 GA to 6.5.11Not vulnWorkaroundsource
AdobeExperience Manager Forms on OSGiAllNot vulnNot vulnNot vulnNot vulnsource
AdobeExperience Manager Forms WorkbenchAllNot vulnNot vulnNot vulnNot vulnsource
Adobe ColdFusionAllAdobe ColdFusion Link
ADPAllInvestigationPatching were needed, no signs of intrusionsource
Advanced Systems Concepts (formally Jscape)Active MFTNot vulnNot vulnNot vulnNot vulnThis advisory is available to customers only and has not been reviewed by CISALog4J Vulnerabilty
Advanced Systems Concepts (formally Jscape)MFTNot vulnNot vulnNot vulnNot vulnThis advisory is available to customers only and has not been reviewed by CISALog4J Vulnerabilty
Advanced Systems Concepts (formally Jscape)MFT GatewayNot vulnNot vulnNot vulnNot vulnThis advisory is available to customers only and has not been reviewed by CISALog4J Vulnerabilty
Advanced Systems Concepts (formally Jscape)MFT ServerNot vulnNot vulnNot vulnNot vulnThis advisory is available to customers only and has not been reviewed by CISALog4J Vulnerabilty
AFASAllNot vulnNot vulnNot vulnNot vulnsource
AFAS SoftwareAllAFAS Software Link
AFHCAN Global LLCAFHCANcart8.0.7 - 8.4.3Not vulnNot vulnNot vulnNot vulnsource
AFHCAN Global LLCAFHCANmobile8.0.7 - 8.4.3Not vulnNot vulnNot vulnNot vulnsource
AFHCAN Global LLCAFHCANServer8.0.7 - 8.4.3Not vulnNot vulnNot vulnNot vulnsource
AFHCAN Global LLCAFHCANsuite8.0.7 - 8.4.3Not vulnNot vulnNot vulnNot vulnsource
AFHCAN Global LLCAFHCANupdate8.0.7 - 8.4.3Not vulnNot vulnNot vulnNot vulnsource
AFHCAN Global LLCAFHCANweb8.0.7 - 8.4.3Not vulnNot vulnNot vulnNot vulnsource
AgilysysAllAgilysys Link
AhsayMobileversion 1.6+Not vulnNot vulnNot vulnNot vulnsource
AhsayOther productsversion 8.5.4.86 (and above)Not vulnNot vulnNot vulnNot vulnsource
AhsayPRDversion 2.0Not vulnNot vulnNot vulnNot vulnsource
AidenAllAllNot vulnNot vulnNot vulnNot vulnsource
AILAllAllNot vulnNot vulnNot vulnNot vulnsource
AkamaiEnterprise Application Access (EAA) connectorNot vulnNot vulnNot vulnNot vuln
AkamaiSiem Integration Connector<1.7.4Not vulnFixFixFixAkamai SIEM Integration Connector is vulnerable to CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.source
AkamaiSiem Splunk Connector=>1.4.10Not vulnNot vulnNot vulnNot vulnv1.4.11 is the new recommendation for mitigation of log4j vulnerabilities.source
AkamaiSiem Splunk Connector<1.4.10Not vulnWorkaroundAkamai SIEM Integration Connector for Splunk is not vulnerable to CVE-2021-44228. Although it includes the vulnerable Log4J component, it is not used by the connector.source
AlcatelAllAlcatel Link
AlertusConsole5.15.0Not vulnFixsource
AlexionAllAlexion Blog Post
Alexion SoftwareAlexion CRMAllNot vulnNot vulnNot vulnNot vulnsource
Alfresco (Hyland)AlfrescoAllNot vulnAlfresco Blog Post
AlienVaultAllAlienVault Article Link
AlphatronAMiSconnectNot vulnsource
AlphatronCusto diagnostics5.4 to 5.6VulnerablePotentially vulnerable through the HL7 and DICOM communication interfacessource
AlphatronJiveXNot vulnsource
AlphatronZorgberichtNot vulnsource
Alphatron MedicalAllAlphatron Medical Website
AmazonAMSNot vulnFixWork in progress, portion of customers may still be vulnerable. Actively monitoring this issue, and are working on addressing it for any AMS services which use Log4j2source
AmazonAPI GatewayNot vulnFixsource
AmazonAthenaNot vulnFixsource
AmazonAthena JDBC driverNot vulnNot vulnNot vulnNot vulnAll versions vended to customers were not affectedsource
AmazonAWSLinux 1,2Not vulnNot vulnNot vulnNot vulnNotes: Amazon Linux 1 had aws apitools which were Java based but these were deprecated in 2015 https://forums.aws.amazon.com/thread.jspa?threadID=323611 AWS Forum. AMIs used to inspect and verify (base spin ups) - amzn-ami-hvm-2018.03.0.20200318.1-x86_64-gp2 and amzn2-ami-kernel-5.10-hvm-2.0.20211201.0-x86_64-gp2
AmazonAWS API GatewayAllNot vulnFixAmazon AWS Link
AmazonAWS AppFlowNot vulnFixsource
AmazonAWS AppSyncNot vulnFixUpdated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046source
AmazonAWS AWS Certificate ManagerNot vulnFixsource
AmazonAWS AWS Certificate Manager Private CANot vulnFixsource
AmazonAWS AWS Service CatalogNot vulnFixsource
AmazonAWS CloudHSM3.4.1Not vulnFixCloudHSM JCE SDK 3.4.1 or higher is not vulnerablesource
AmazonAWS CodeBuildNot vulnFixUpdated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046source
AmazonAWS CodePipelineNot vulnFixUpdated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046source
AmazonAWS ConnectAllNot vulnFixVendors recommend evaluating components of the environment outside of the Amazon Connect service boundary, which may require separate/additional customer mitigationVendor Link
AmazonAWS Directory ServiceNot vulnFixsource
AmazonAWS DynamoDBNot vulnFixUpdate for Apache Log4j2 Issue (CVE-2021-44228)
AmazonAWS EKS, ECS, FargateNot vulnFixTo help mitigate the impact of the open-source Apache “Log4j2"" utility (CVE-2021-44228 and CVE-2021-45046) security issues on customers’ containers, Amazon EKS, Amazon ECS, and AWS Fargate are deploying a Linux-based update (hot-patch). This hot-patch will require customer opt-in to use, and disables JNDI lookups from the Log4J2 library in customers’ containers. These updates are available as an Amazon Linux package for Amazon ECS customers, as a DaemonSet for Kubernetes users on AWS, and will be in supported AWS Fargate platform versionsUpdate for Apache Log4j2 Issue (CVE-2021-44228)
AmazonAWS Elastic BeanstalkNot vulnNot vulnNot vulnNot vulnDefault configuration of application's usage of Log4j versions is not vulnerablesource
AmazonAWS ElastiCacheNot vulnFixUpdate for Apache Log4j2 Issue (CVE-2021-44228)
AmazonAWS ELBNot vulnFixUpdate for Apache Log4j2 Issue (CVE-2021-44228)
AmazonAWS FargateNot vulnNot vulnNot vulnNot vulnOpt-in hot-patch to mitigate the Log4j issue in JVM layer will be available as platform versionssource hotpatch
AmazonAWS GlueNot vulnFixHas been updated. Vulnerable only if ETL jobs load affected versions of Apache Log4jsource
AmazonAWS GreengrassNot vulnFixUpdates for all Greengrass V2 components Stream Manager (2.0.14) and Secure Tunneling (1.0.6) are available. For Greengrass versions 1.10.x and 1.11.x, an update for the Stream Manager feature is included in Greengrass patch versions 1.10.5 and 1.11.5source
AmazonAWS InspectorNot vulnFixUpdate for Apache Log4j2 Issue (CVE-2021-44228)
AmazonAWS IoT SiteWise EdgeNot vulnFixUpdates for all AWS IoT SiteWise Edge components that use Log4j were made available; OPC-UA collector (v2.0.3), Data processing pack (v2.0.14), and Publisher (v2.0.2)source
AmazonAWS Kinesis Data StreamNot vulnFixWe are actively patching all sub-systems that use Log4j2 by applying updates. The Kinesis Client Library (KCL) version 2.X and the Kinesis Producer Library (KPL) are not impacted. For customers using KCL 1.x, we have released an updated version and we strongly recommend that all KCL version 1.x customers upgrade to KCL version 1.14.5 (or higher)Update for Apache Log4j2 Issue (CVE-2021-44228)
AmazonAWS KMSNot vulnFixsource
AmazonAWS LambdaNot vulnFixVulnerable when using aws-lambda-java-log4j2source
AmazonAWS PollyNot vulnFixsource
AmazonAWS QuickSightNot vulnFixsource
AmazonAWS RDSNot vulnFixAmazon RDS and Amazon Aurora have been updated to mitigate the issues identified in CVE-2021-44228Update for Apache Log4j2 Issue (CVE-2021-44228)
AmazonAWS S3Not vulnFixUpdate for Apache Log4j2 Issue (CVE-2021-44228)
AmazonAWS SDKNot vulnNot vulnNot vulnNot vulnsource
AmazonAWS Secrets ManagerNot vulnFixsource
AmazonAWS SNSNot vulnFixAmazon SNS systems that serve customer traffic are patched against the Log4j2 issue. We are working to apply the Log4j2 patch to sub-systems that operate separately from SNS’s systems that serve customer trafficUpdate for Apache Log4j2 Issue (CVE-2021-44228)
AmazonAWS SQSNot vulnFixUpdate for Apache Log4j2 Issue (CVE-2021-44228)
AmazonAWS Systems ManagerNot vulnFixsource
AmazonAWS Systems Manager AgentNot vulnNot vulnNot vulnNot vulnsource
AmazonAWS TextractNot vulnFixsource
AmazonChimeNot vulnFixAmazon Chime and Chime SDK services have been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046source
AmazonCloud DirectoryNot vulnFixsource
AmazonCloudFrontNot vulnFixsource
AmazonCloudWatchNot vulnFixsource
AmazonCognitoNot vulnFixsource
AmazonConnectNot vulnFixsource
AmazonCorrettoNot vulnNot vulnNot vulnNot vuln10/19 release distribution does not include Log4j. Vulnerable only if customer's applications use affected versions of Apache Log4jsource
AmazonDocumentDBNot vulnFixsource
AmazonDynamoDBNot vulnFixDynamoDB and DynamoDB Accelerator have been updatedsource
AmazonEC2Not vulnFixPackages for Amazon Linux 1 and 2 not affected, package for Amazon Linux 2022 issource fix
AmazonECR PublicNot vulnFixAmazon-owned images published under a Verified Account on Amazon ECR Public are not affected by the Log4j issuesource
AmazonECSNot vulnNot vulnNot vulnNot vulnAs an Amazon Linux package, opt-in hot-patch to mitigate the Log4j issue in JVM layer is availablesource hotpatch
AmazonEKSNot vulnNot vulnNot vulnNot vulnAs a DaemonSet, opt-in hot-patch to mitigate the Log4j issue in JVM layer is availablesource hotpatch
AmazonElastic Load BalancingNot vulnFixServices have been updated. All Elastic Load Balancers, as well as Classic, Application, Network and Gateway, are not affected by this Log4j issuesource
AmazonElastiCacheNot vulnFixsource
AmazonEMRNot vulnFixMany customers are estimated to be vulnerable. Vulnerable only if affected EMR releases are used and untrusted sources are configured to be processedsource
AmazonEventBridgeNot vulnFixsource
AmazonFraud DetectorNot vulnFixsource
AmazonInspectorNot vulnFixsource
AmazonInspector ClassicNot vulnFixsource
AmazonKafka (MSK)Not vulnFixApplying updates as required, portion of customers may still be vulnerable. Some MSK-specific service components use Log4j > 2.0.0 library and are being patched where neededsource
AmazonKendraNot vulnFixsource
AmazonKeyspaces (for Apache Cassandra)Not vulnFixsource
AmazonKinesisNot vulnFixUpdate for Kinesis Agent is availablesource
AmazonKinesis Data AnalyticsNot vulnFixUpdates are available. See source for more informationsource
AmazonKinesis Data StreamsNot vulnFixKCL 2.x, KCL 1.14.5 or higher, and KPL are not vulnerablesource
AmazonLake FormationNot vulnFixUpdate in progress, portion of customers may still be vulnerable. AWS Lake Formation service hosts are being updated to the latest version of Log4jsource
AmazonLexNot vulnFixsource
AmazonLinux 1 (AL1)Not vulnNot vulnNot vulnNot vulnBy default not vulnerable. Opt-in hot-patch to mitigate the Log4j in JVM layer issue is availablesource hotpatch
AmazonLinux 2 (AL2)Not vulnFixBy default not vulnerable, and a new version of Amazon Kinesis Agent which is part of AL2 addresses the Log4j issue. Opt-in hot-patch to mitigate the Log4j issue in JVM layer is availablesource hotpatch
AmazonLookout for EquipmentNot vulnFixsource
AmazonMacieNot vulnFixsource
AmazonMacie ClassicNot vulnFixsource
AmazonManaged Workflows for Apache Airflow (MWAA)Not vulnFixsource
AmazonMemoryDB for RedisNot vulnFixsource
AmazonMonitronNot vulnFixsource
AmazonMQNot vulnFixsource
AmazonNeptuneNot vulnFixsource
AmazonNICENot vulnFixRecommended to update EnginFrame or Log4j librarysource
AmazonOpenSearchR20211203-P2Not vulnFixUpdate released, customers need to update their clusters to the fixed releasesource
AmazonPinpointNot vulnFixsource
AmazonRDSRolling update has completedNot vulnFixsource
AmazonRDS AuroraRolling update has completedNot vulnFixsource
AmazonRDS for OracleNot vulnFixsource
AmazonRedshiftNot vulnFixsource
AmazonRekognitionNot vulnFixsource
AmazonRoute53Not vulnFixsource
AmazonS3Not vulnFixsource
AmazonSageMakerNot vulnFixCompleted patching for the Apache Log4j2 issue (CVE-2021-44228). Vulnerable only if customer's applications use affected versions of Apache Log4jsource
AmazonSimple Notification Service (SNS)Not vulnFixSystems that serve customer traffic are patched against the Log4j2 issue. Working to apply the patch to sub-systems that operate separately from SNS’s systems that serve customer traffic.source
AmazonSimple Queue Service (SQS)Not vulnFixsource
AmazonSimple Workflow Service (SWF)Not vulnFixsource
AmazonSingle Sign-OnNot vulnFixsource
AmazonStep FunctionsNot vulnFixsource
AmazonTimestreamNot vulnFixsource
AmazonTranslateNot vulnNot vulnNot vulnNot vulnService not identified on https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ AWS Log4j Security BulletinAmazon Translate
AmazonVPCNot vulnFixsource
AmazonWorkSpaces/AppStream 2.0Not vulnFixNot affected with default configurations. WorkDocs Sync client versions 1.2.895.1 and older within Windows WorkSpaces, which contain the Log4j component, are vulnerable; For update instruction, see source for more infosource
AMDAllNot vulnNot vulnNot vulnNot vulnCurrently, no AMD products have been identified as affected. AMD is continuing its analysis.AMD Advisory Link
AnacondaAll4.10.3Not vulnNot vulnNot vulnNot vulnsource
AOMEIAllNot vulnsource
ApacheActiveMQ ArtemisAllNot vulnNot vulnNot vulnNot vulnActiveMQ Artemis does not use Log4j for logging. However, Log4j 1.2.17 is included in the Hawtio-based web console application archive (i.e. /cisagov/log4j-affected-db/blob/develop/web/console.war/WEB-INF/lib"">web/console.war/WEB-INF/lib). Although this version of Log4j is not impacted by CVE-2021-44228 future versions of Artemis will be updated so that the Log4j jar is no longer included in the web console application archive. See https://issues.apache.org/jira/browse/ARTEMIS-3612 ARTEMIS-3612 for more information on that task.ApacheMQ - Update on CVE-2021-4428
ApacheAirflowNot vulnNot vulnNot vulnNot vulnAirflow is written in PythonApache Airflow
ApacheArchiva<2.2.6Not vulnFixFixed in 2.2.6source fix
ApacheCamelAllNot vulnNot vulnNot vulnNot vulnsource
ApacheCamel 2Not vulnNot vulnNot vulnNot vulnAPACHE CAMEL AND CVE-2021-44228 (LOG4J)
ApacheCamel JBang<=3.1.4VulnerableAPACHE CAMEL AND CVE-2021-44228 (LOG4J)
ApacheCamel KNot vulnNot vulnNot vulnNot vulnAPACHE CAMEL AND CVE-2021-44228 (LOG4J)
ApacheCamel KarafVulnerableThe Karaf team is aware of this and are working on a new Karaf 4.3.4 release with updated log4j.APACHE CAMEL AND CVE-2021-44228 (LOG4J)
ApacheCamel QuarkusNot vulnNot vulnNot vulnNot vulnAPACHE CAMEL AND CVE-2021-44228 (LOG4J)
ApacheCamelKafka ConnectorNot vulnNot vulnNot vulnNot vulnAPACHE CAMEL AND CVE-2021-44228 (LOG4J)
ApacheCassandraAllNot vulnNot vulnNot vulnNot vulnsource
ApacheDruid0.22.1Not vulnFixsource
ApacheDubboAllNot vulnFixsource
ApacheFlink1.15.0, 1.14.2, 1.13.5, 1.12.7, 1.11.6Not vulnFixsource
ApacheFortress< 2.0.7Not vulnFixFixed in 2.0.7source
ApacheGeode1.14.0Not vulnFixFixed in 1.12.6, 1.13.5, 1.14.1source
ApacheGuacamoleAllNot vulnNot vulnNot vulnNot vulnsource
ApacheHadoopNot vulnNot vulnNot vulnNot vulnUses log4j 1.x. Are https://issues.apache.org/jira/plugins/servlet/mobile#issue/HADOOP-12956 plans to migrate to log4j2 but never performedsource
ApacheHBaseVulnerableFix is committed, but not yet releasedsource
ApacheHive4.xNot vulnFixFix in 4.xsource
ApacheJames3.6.0Vulnerablesource
ApacheJena< 4.3.1Not vulnFixFixed in 4.3.1source
ApacheJMeterAnyVulnerableManual Bypasssource
ApacheJSPWiki2.11.1Not vulnFixsource
ApacheKafkaAllWorkaroundNot vulnNot vulnNot vulnUses Log4j 1.2.17source
ApacheKarafVulnerableDepends on https://github.com/ops4j/org.ops4j.pax.logging/issues/414"">PAX logging which is affectedsource
ApacheLog4j< 2.15.0Not vulnFixLog4j – Apache Log4j Security Vulnerabilities
ApacheLog4j 1.xAllWorkaroundNot vulnNot vulnNot vulnsource
ApacheLog4j 22.3.1, 2.12.3, 2.17.0Not vulnFixFixFixsource
ApacheMavenAllNot vulnsource
ApacheNiFiAllNot vulnFixFixed in 1.15.1, 1.16.0source
ApacheOFBiz< 18.12.03Not vulnFixFixed in 18.12.03source
ApacheOzone< 1.2.1Not vulnFixFixed in 1.2.1source
ApacheSkyWalking< 8.9.1Not vulnFixFixed in 8.9.1source
ApacheSOLR7.4.0 to 7.7.3, 8.0.0 to 8.11.0Not vulnFixFixed in 8.11.1, Versions before 7.4 also vulnerable when using several configurationssource
ApacheSparkAllNot vulnNot vulnNot vulnNot vulnUses log4j 1.xsource
ApacheStruts2.5.28Vulnerablesource
ApacheStruts 2Versions before 2.5.28.1Not vulnFixThe Apache Struts group is pleased to announce that Struts 2.5.28.1 is available as a “General Availability” release. The GA designation is our highest quality grade. This release addresses Log4j vulnerability CVE-2021-45046 by using the latest Log4j 2.12.2 version (Java 1.7 compatible).Apache Struts Announcements
ApacheTapestry5.7.3VulnerableUses Log4jsource
ApacheTika2.0.0 and upVulnerablesource
ApacheTomcatNot vulnNot vulnNot vulnNot vulnsource
ApacheTrafficControlVulnerablesource
ApacheZookeeperNot vulnNot vulnNot vulnNot vulnZookeeper uses Log4j 1.2 versionsource
ApereoCAS6.3.x & 6.4.xNot vulnFixOther versions still in active maintainance might need manual inspectionsource
ApereoOpencast< 9.10, < 10.6Not vulnFixsource
ApigeeEdge and OPDK productsAll versionNot vulnNot vulnNot vulnNot vulnsource
ApolloAllApollo Community Link
AppdynamicsAllAppdynamics Advisory Link
AppeonPowerBuilderAppeon PowerBuilder 2017-2021 regardless of product editionVulnerable
AppGateAllAppGate Blog Post
AppianAllNot vulnFixsource
AppianPlatformAllNot vulnFixKB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)
Application Performance LtdDBMarlinNot Affected
Application Performance LtdDBMarlinNot vulnNot vulnNot vulnNot vulnCommon Vulnerabilities Apache log4j Vulnerability CVE-2021-4428
APPSHEETAllAPPSHEET Community Link
AptibleAllSearch 5.xNot vulnFixsource
Aqua SecurityAllAqua Security Google Doc
Arbiter SystemsAllNot vulnNot vulnNot vulnNot vulnArbiter Systems Advisory Link
Arca NoaeAllArca Noae Link
ArcserveBackupAllNot vulnNot vulnNot vulnNot vulnsource
ArcserveContinuous AvailabilityAllNot vulnNot vulnNot vulnNot vulnsource
ArcserveEmail ArchivingAllNot vulnNot vulnNot vulnNot vulnsource
ArcserveShadowProtectAllNot vulnNot vulnNot vulnNot vulnsource
ArcserveShadowXafeAllNot vulnNot vulnNot vulnNot vulnsource
ArcserveSoloAllNot vulnNot vulnNot vulnNot vulnsource
ArcserveStorageCraft OneXafeAllNot vulnNot vulnNot vulnNot vulnsource
ArcserveUDP6.5-8.3Not vulnNot vulnNot vulnNot vulnsource
ArcticWolfAllArcticWolf Blog Post
ArduinoIDE1.8.17Not vulnFixsource
AribaAllAriba Annoucement
AristaAllArista Advisory Notice
Arista NetworksAnalytics Node for Converged Cloud Fabric (formerly Big Cloud Fabric)>7.0.0Vulnerablesource
Arista NetworksAnalytics Node for DANZ Monitoring Fabric (formerly Big Monitoring Fabric)>7.0.0Vulnerablesource
Arista NetworksCloudVision Portal>2019.1.0Vulnerablesource
Arista NetworksCloudVision Wi-Fi, virtual appliance or physical appliance>8.8Vulnerablesource
Arista NetworksEmbedded Analytics for Converged Cloud Fabric (formerly Big Cloud Fabric)>5.3.0Vulnerablesource
Aruba NetworksIntroSpectversions 2.5.0.0 to 2.5.0.6Fixadvbisory
Aruba NetworksAirWave Management PlatformNot vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksAnalytics and Location EngineNot vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksArubaOS Wi-Fi Controllers and GatewaysNot vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksArubaOS SD-WAN GatewaysNot vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksArubasOS-CX SwitchesNot vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksArubasOS-S SwitchesNot vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksCentral / Central On-PremisesNot vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksClearPass Policy ManagerNot vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksEdgeConnectNot vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksFabric Composer (AFC) and Plexxi Composable Fabrice Manager (CFM)Not vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksHP ProCurve SwitchesNot vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksInstant / Instant Access PointsNot vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksInstant OnNot vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksLegacy GMS productsAllFixFixFixadvbisory
Aruba NetworksLegacy NX, VX, VRXNot vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksNetEditNot vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksSilver Peak OrchestratorAllFixFixFixadvbisory
Aruba NetworksUser Experience Insight (UXI)Not vulnNot vulnNot vulnNot vulnadvbisory
Aruba NetworksVIA ClientsNot vulnNot vulnNot vulnNot vulnadvbisory
AtaccamaAllAtaccama Link
AteraAllAtera Link
AtlassianBamboo Server & Data CenterOn premVulnerableOnly vulnerable when using non-default config, cloud version fixedsource
AtlassianBitBucket ServerOn premNot vulnWorkaroundsource
AtlassianBitbucket Server & Data CenterAllNot vulnFixThis product is not vulnerable to remote code execution but may leak information due to the bundled Elasticsearch component being vulnerable.Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228
AtlassianConfluence Server & Data CenterOn premVulnerableOnly vulnerable when using non-default config, cloud version fixedsource
AtlassianConfluence-CIS CSAT Prov1.7.1Vulnerablesource
AtlassianConfluence-CIS WorkBenchNot vulnsource
AtlassianConfluence-CIS-CAT Litev4.13.0Vulnerablesource
AtlassianConfluence-CIS-CAT Pro Assessor v3 Full and Dissolvablev3.0.77Vulnerablesource
AtlassianConfluence-CIS-CAT Pro Assessor v4v4.13.0Vulnerablesource
AtlassianConfluence-CIS-CAT Pro Assessor v4 Servicev1.13.0Vulnerablesource
AtlassianConfluence-CIS-CAT Pro DashboardNot vulnsource
AtlassianConfluence-CIS-Hosted CSATNot vulnsource
AtlassianCrowd Server & Data CenterOn premVulnerableOnly vulnerable when using non-default config, cloud version fixedsource
AtlassianCrucibleOn premVulnerableOnly vulnerable when using non-default config, cloud version fixedsource
AtlassianFisheyeOn premVulnerableOnly vulnerable when using non-default config, cloud version fixedsource
AtlassianJira Server & Data CenterOn premVulnerableOnly vulnerable when using non-default config, cloud version fixedsource
Attivo networksAllAttivo Networks Advisory
AudioCodesAllAudioCodes Link
AutodeskAllInvestigationsource
Automation AnywhereAutomation 360 CloudNot vulnFixsource
Automation AnywhereAutomation 360 On PremiseNot vulnWorkaroundsource
Automation AnywhereAll11.3.xNot vulnNot vulnNot vulnNot vulnsource
Automation AnywhereAll11.x, <11.3.xNot vulnWorkaroundWorkaroundWorkaroundsource
AutomoxAllAutomox Blog Post
AutopsyAllAutopsy Link
AuvikAllAuvik Status Link
Avantra SYSLINKAllAvantra SYSLINK Article
AvayaAllsource
AvayaAnalytics3.5, 3.6, 3.6.1, 3.7, 4VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaAura for OneCloud PrivateVulnerableAvaya is scanning and monitoring its OneCloud Private environments as part of its management activities. Avaya will continue to monitor this fluid situation and remediations will be made as patches become available, in accordance with appropriate change processes.Apache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaAura® Application Enablement Services8.1.3.2, 8.1.3.3, 10.1VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaAura® Contact Center7.0.2, 7.0.3, 7.1, 7.1.1, 7.1.2VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaAura® Device Services8.0.1, 8.0.2, 8.1.3VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaAura® Device Services8, 8.1, 8.1.4, 8.1.5VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaAura® Media Server8.0.0, 8.0.1, 8.0.2VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaAura® Presence Services10.1, 7.1.2, 8, 8.0.1, 8.0.2, 8.1, 8.1.1, 8.1.2, 8.1.3, 8.1.4VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaAura® Session Manager10.1, 7.1.3, 8, 8.0.1, 8.1, 8.1.1, 8.1.2, 8.1.3VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaAura® System Manager10.1, 8.1.3VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaAura® Web Gateway3.11[P], 3.8.1[P], 3.8[P], 3.9.1 [P], 3.9[P]VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaBreeze™3.7, 3.8, 3.8.1VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaBusiness Rules Engine3.4, 3.5, 3.6, 3.7VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaCallback Assist5, 5.0.1VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaContact Center Select7.0.2, 7.0.3, 7.1, 7.1.1, 7.1.2VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaControl Manager9.0.2, 9.0.2.1VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaCRM Connector - Connected Desktop2.2VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaDevice Enablement Service3.1.22VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaDevice Enrollment Service3.1VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaEquinox™ Conferencing9.1.2VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaInteraction Center7.3.9VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaIP Office™ Platform11.0.4, 11.1, 11.1.1, 11.1.2VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaMeetings9.1.10, 9.1.11, 9.1.12VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
Avayaone cloud private -UCaaS - Mid Market Aura1VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaOneCloud-Private2VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaProactive Outreach Manager3.1.2, 3.1.3, 4, 4.0.1VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaSession Border Controller for Enterprise8.0.1, 8.1, 8.1.1, 8.1.2, 8.1.3Not vulnFixApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaSocial Media HubVulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AvayaWorkforce Engagement5.3VulnerableApache Log4J Vulnerability - Impact for Avaya products Avaya Product Security
AVEPOINTAllAVEPOINT Notification
AVMAlldevices, firmware, software incl. MyFritz ServiceNot vulnsource
AvTech RoomAlertAllAvTech RoomAlert Article
AWS NewAllAWS New Security Bulletin
AXISOSAllNot vulnsource
AXONAllAXON Link
AXS GuardAllAXS Guard Blog Post
Axways ApplicationsAllAxways Applications Link