We have not identified any other SolarWinds products as affected by this vulnerability. The only two SolarWinds products we have identified as affected by this vulnerability are Server & Application Monitor (SAM) and Database Performance Analyzer (DPA). The following SolarWinds products utilize an affected version of Apache Log4j in their codebase:

First, it’s important to note the Orion Platform core is not affected and does not utilize Apache Log4j.
This is a well-known vulnerability affecting numerous software companies.
December 9, 2021, the Apache Software Foundation released Log4j 2.15.0 to resolve a critical remote code execution vulnerability (CVE-2021-44228) affecting versions 2.0-beta9 through 2.14.1.

December 13, 2021, the Apache Software Foundation released Log4j 2.16.0, which disables default access to JNDI lookups, limits the protocols by default to only java, ldap, and ldaps, and limits the ldap protocols to only accessing Java primitive objects, to resolve a vulnerability which could leave an affected system open to a Denial-of-Service (DoS) attack (CVE-2021-45046).

December 17, 2021, the Apache Software Foundation released Log4j 2.17.0 to resolve a Denial-of-Service vulnerability in Apache Log4j2 versions 2.0-alpha1 through 2.16.0, which did not protect from uncontrolled recursion from self-referential lookups (CVE-2021-45105).

December 21, 2021, the National Institute of Standards and Technology (NIST) upgraded CVE-2021-45046 from a severity of 3.7 (Low) as originally reported on December 14, to 9.0 (Critical).

December 28, 2021, the Apache Software Foundation released Log4j 2.17.1 to provide significant improvements over its predecessor, Log4j 1.x, and provide many of the improvements available in Logback while fixing some inherent problems in Logback's architecture.

Apache Log4j is a popular Java logging library incorporated into a wide range of enterprise software (including Struts2, Solr, Druid, and Flink).
UPDATE December 13, 2021: NOTE: This security vulnerability only affects Server & Application Monitor (SAM) and Database Performance Analyzer (DPA) and does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products.

NOTE: SolarWinds products do not use JMSAppender, and are not known to be affected by the vulnerability identified in CVE-2021-4104.

UPDATE December 16, 2021: Updated to reflect availability of and support for Log4j 2.16.0 to resolve CVE-2021-45046 vulnerability reported on Log4j.
Guidance for all three CVEs related to the Log4j issue is available on this page: This update also reflects CISA Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability, issued December 17, 2021, and we have posted a new security advisory for CVE-2021-4104.

UPDATE December 17, 2021: Updated to announce the availability of the Database Performance Analyzer (DPA) hotfix released today, December 17, 2021, which is available for DPA customers in their Customer Portal at.

You can Subscribe to this RSS Feed to be notified when we update this page (note: you will need to cut and paste the "Subscribe to this RSS feed" URL into an RSS Feed Reader, e.g., Outlook's RSS Subscriptions, to monitor updates).

UPDATE December 18, 2021: SolarWinds is evaluating the Apache Log4j Denial of Service vulnerability CVE-2021-45105, announced December 18, 2021, and the release of Apache Log4j 2.17.

UPDATE December 20, 2021: Updated to announce the availability of the Server & Application Monitor (SAM) hotfix released today, December 20, 2021, which is available for SAM customers in their Customer Portal at. SolarWinds recommends customers of SAM and DPA apply the available hotfixes to their systems, and follow the guidance captured in the accompanying release notes.
We’ve also added new CISA mitigation guidance: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities. Additionally, NIST has upgraded the severity of CVE-2021-45046 from 3.7 Low to 9.0 Critical.
UPDATE December 23, 2021: Updated to announce the availability of the Database Performance Analyzer (DPA) hotfix released December 22, 2021, which is available for DPA customers in their Customer Portal at. The hotfixes are available for DPA customers in their Customer Portal.
These hotfixes install version 2.17.1 of the affected files.

UPDATE January 14, 2022: Updated to announce the availability of the DPA hotfixes released December 28, 2021.

Released: Decem
Last updated: January 14, 2022
Assigning CNA: Apache Software Foundation