Impact of log4j vulnerability with AppDynamics

CVE-2021-44228: This vulnerability was publicly disclosed by the Apache Log4j Security Vulnerabilities announcement on December 9, 2021.

CVE-2021-45046: This vulnerability was publicly disclosed by the Apache Log4j Security Vulnerabilities announcement on December 14, 2021.

CVSS Scores

Base 10.0 (CVE-2021-44228)

Base 9.0 (CVE-2021-45046)

Products Confirmed Not Vulnerable as per vendor

AppDynamics has confirmed that the following products are not affected by CVE-2021-44228 and CVE-2021-45046:

  • .NET Agent
  • ABAP Agent (SAP ABAP Monitoring)
  • Analytics Agent
  • Browser Real User Monitoring (BRUM)›
  • C/C++ SDK Agent
  • Cluster Agent
  • EUM GeoServer
  • EUM Server
  • Events Service (On-Prem)
  • Go Language SDK Agent
  • IBM Integration Bus Agent (IIB) Agent
  • IoT Device SDKs (C/C++, Java, REST API)
  • Machine Agent Extensions
  • Mobile RUM Agent
  • Network Agent
  • Ruby Agent
  • Synthetic Private Agent (Linux-based)
  • Synthetic Private Agent (Windows-based)
  • Synthetic Server

Fixed Releases

CVE-2021-44228 and CVE-2021-45046 have been fixed in the following releases. See the AppDynamics Download Portal at https://download.appdynamics.com.

  • Apache Web Server Agent 21.12.1
  • Database Agent 21.12.1 
  • Enterprise Console 21.4.10
  • Java Agent JDK 8+ 21.11.2
  • Java Agent Legacy – IBM JVM 21.11.2
  • Java Agent Legacy – Sun and JRockit 21.11.2
  • Machine Agent for Windows 21.12.2
  • Machine Agent for all other Operating Systems 21.12.1
  • PHP Agent 21.12.1 
  • Python Agent 21.12.1 
  • ServiceNow Utility (AppDynamics CMDB Integration) 21.12.1

Customers who are unable to upgrade to a fixed release should implement any mitigation steps for the below products .

Apache Web Server Agent

Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.

Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.

AppDynamics recommends that customers upgrade to version 21.12.1 (or higher).

No mitigation has been tested for this product at this time. 

Controller (On-Premises)

See “Enterprise Console / Controller (On-Premises)” below.

Database Agent

Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.

Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.

AppDynamics recommends customers upgrade to version 21.12.1 (or higher). 

Enterprise Console / Controller (On-Premises)

The On-Prem Enterprise Console / Controller includes a Java Agent. The Java Agent included in Enterprise Console prior to 21.4.10 was vulnerable to CVE-2021-44228 and CVE-2021-45046.

AppDynamics recommends that customers upgrade to version 21.4.10 (or higher).

Customers who are unable to upgrade can mitigate the risk of these vulnerabilities in two ways:

  • Option A: Upgrade the Controller’s Java Agent to Java Agent JDK8+ 21.11.2. See Upgrade the Java Agent in our Docs for detailed steps. The Controller’s Java Agent is installed in the following directory:

<controller-directory>/appserver/glassfish/domains/domain1/appagent

  • Option B: Perform the mitigation steps documented below for the Java Agent.

Java Agent

Java Agent JDK 8+

Versions prior to 21.11.1 are vulnerable to CVE-2021-44228 and CVE-2021-45046.

Versions prior to 21.11.2 are vulnerable to CVE-2021-45046.

AppDynamics recommends that customers using Java Agent JDK 8+ upgrade to Java Agent JDK 8+ 21.11.2 (or higher).

(Please Note: Java Agent JDK8+ does not support JDK6 or JDK7)

Java Agent Legacy – Sun and JRockit

All versions configured for JDK6, not vulnerable as this configuration uses Log4j 1.x.

Versions prior to 21.11.2 configured for JDK7 or above are vulnerable to CVE-2021-44228 and CVE-2021-45046.

AppDynamics recommends that customers using Java Agent Legacy – Sun and JRockit upgrade to Java Agent Legacy – Sun and JRockit 21.11.2.

Java Agent Legacy – IBM JVM

All versions configured for JDK6, not vulnerable as this configuration uses Log4j 1.x.

Versions prior to 21.11.2 configured for JDK7 or above, vulnerable to CVE-2021-44228 and CVE-2021-45046.

AppDynamics recommends that customers using Java Agent Legacy – IBM JVM upgrade to Java Agent Legacy – IBM JVM 21.11.2 (or higher).

Mitigation for Java Agent

Applies to Java Agent JDK 8+, Java Agent Legacy – Sun and JRockit, and Java Agent Legacy – IBM JVM

Customers who cannot upgrade to a fixed release of Java Agent may mitigate this risk by removing the JndiLookup class. The following command should be executed in the <version>/lib/tp directory where the agent is installed: 

zip -dq log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

This change requires a restart of the application.

Machine Agent

Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.

Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.

AppDynamics recommends that customers running on Windows upgrade to version 21.12.2 (or higher).

AppDynamics recommends that customers upgrade to version 21.12.1 (or higher) for all other Operating Systems.

Customers who are unable to upgrade can mitigate the risk from this vulnerability by executing the following command in the Machine Agent install directory:

zip -dq lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

This change requires a restart of the Machine Agent.

Node.js Agent

Versions prior to 21.9 are vulnerable to CVE-2021-44228 and CVE-2021-45046 only if the Java Proxy is enabled. (The Java Proxy is off by default in Node.js Agent 4.5.16 and later.)

Customers running Node.js with the proxy enabled can mitigate this vulnerability by making one of the following two changes:

  • Option A: Disable the Java Proxy: 
    -Node.js versions 4.5.16 and later: Remove “proxy:true” from the agent configuration (this is the default configuration)
    -Node.js versions prior to 4.5.16: Set “libagent:true” in the agent configuration
  • Option B: Removing the JndiLookup class from the classpath. The following command should be executed in the <version>/lib/tp directory where the agent is installed: zip -dq log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.classThis change requires a restart of the application.

PHP Agent

Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.

Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.

AppDynamics recommends that customers upgrade to version 21.12.1 (or higher).

No mitigation has been tested for this product at this time.

Python Agent

Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.

Versions prior to 21.12.1 are vulnerable to CVE-2021-45046.

AppDynamics recommends that customers upgrade to version 21.12.1 (or higher). 

No mitigation has been tested for this product at this time.

ServiceNow Utility (AppDynamics CMDB Integration)

Versions prior to 21.12.0 are vulnerable to CVE-2021-44228 and CVE-2021-45046.

AppDynamics recommends that customers upgrade to version 21.12.1 (or higher). 

For more details look for the Security Advisory: Apache Log4j Vulnerability .

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *