CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105 - Across Riverbed’s product portfolio, the following products have been identified as vulnerable to all three issues; all other products are not vulnerable, per the table below:
- Portal 3.x, UCExpert & SteelConnect EX.
- Resolution status as of December 22nd (refer to the table below for details):
  - Patches have been made available to address all issues for Portal 3.x and UCExpert.
  - Patches are planned for SteelConnect EX, with development work in flight to address CVE-2021-45046 and CVE-2021-45105.
- Aternity EuE, Portal 1.x and NetIM 2.x are vulnerable only to CVE-2021-44228 & CVE-2021-45046, and patches have been made available.
CVE-2021-4104 - On further investigation, none of the Riverbed products based on Log4j 1.x use JMSAppender, and hence they are not vulnerable.
CVE-2021-44832 - On further investigation, all Riverbed products have been found not vulnerable.
The products below have been determined VULNERABLE to one or all of the covered CVEs (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105).
The products below have been found NOT VULNERABLE to CVE-2021-44832.
| Product | CVE-2021-44228 | CVE-2021-45046 | CVE-2021-45105 | CVE-2021-44832 | Latest Patch |
|---|---|---|---|---|---|
| Aternity | See S35643 for details | | | | |
| NetIM 2.x | Patched 17-DEC-2021 | Patched 17-DEC-2021 | Not Vulnerable | Not Vulnerable | See S35659 |
| Portal 1.x | Patched 20-DEC-2021 | Patched 20-DEC-2021 | Not Vulnerable | Not Vulnerable | See S35666 |
| Portal 2.x, 3.x (all 2.x installs should be updated to v 3.5.2) | Patched 17-DEC-2021 | Patched 21-DEC-2021 | Patched 21-DEC-2021 | Not Vulnerable | See S35667 |
| UCExpert | Patched 16-DEC-2021 | Patched 16-DEC-2021 | Patched 21-DEC-2021 | Not Vulnerable | See S35646 |
| SteelConnect EX Director | New Builds Released 28-DEC-2021 | New Builds Released 28-DEC-2021 | New Builds Released 28-DEC-2021 | Not Vulnerable | See S35647 |
| SteelConnect EX Analytics | New Builds Released 28-DEC-2021 | New Builds Released 28-DEC-2021 | New Builds Released 28-DEC-2021 | Not Vulnerable | See S35647 |
The products below are NOT VULNERABLE to any of the covered CVEs (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105, CVE-2021-44832).
| Product | Vulnerability Assessment |
|---|---|
| AppResponse11 | Not Vulnerable |
| AppResponse9 (End of Support) | Not Vulnerable |
| Client Accelerator Controllers and Client Accelerator (aka SteelCentral Controller for SteelHead Mobile and SteelHead Mobile) | Not Vulnerable |
| Flow Gateway | Not Vulnerable |
| FlowTraq | Not Vulnerable |
| Modeler | Not Vulnerable |
| NetAuditor Desktop | Not Vulnerable |
| NetAuditor Web | Not Vulnerable |
| NetCollector | Not Vulnerable |
| NetExpress | Not Vulnerable |
| NetIM 1.x | Not Vulnerable |
| NetIM Test Engine | Not Vulnerable |
| NetPlanner | Not Vulnerable |
| NetProfiler | Not Vulnerable |
| NetShark (End of Support) | Not Vulnerable |
| Packet Analyzer | Not Vulnerable |
| Packet Analyzer Plus | Not Vulnerable |
| Packet Trace Warehouse | Not Vulnerable |
| Report Server (End of Support) | Not Vulnerable |
| SaaS Accelerator | Not Vulnerable |
| SteelCentral Authentication Server | Not Vulnerable |
| SteelCentral Controller for SteelHead | Not Vulnerable |
| SteelConnect CX (SteelConnect Manager and all gateway models) | Not Vulnerable |
| SteelConnect EX FlexVNF | Not Vulnerable |
| SteelFusion Edge | Not Vulnerable |
| SteelFusionCore (appliance, virtual) | Not Vulnerable |
| SteelHead CX (appliance, virtual, cloud) | Not Vulnerable |
| SteelHead EX | Not Vulnerable |
| SteelHead Interceptor | Not Vulnerable |
| Transaction Analyzer | Not Vulnerable |
| Transaction Analyzer Agents | Not Vulnerable |
| WinSec Controller for SteelHead (WSC) | Not Vulnerable |