Log4j: Apache Log4j (Log4Shell) security advisory (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105, CVE-2021-44832)

Categories:
Solution Number:
S35645
Last Modified:
2022-01-19
Issue
CVE-2021-44228 - Vulnerability in the Apache Log4j library ("Log4Shell").
CVE-2021-45046 - The fix in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
CVE-2021-4104 - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.
CVE-2021-45105 - Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups.
CVE-2021-44832 - Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack.
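As an added example (not part of the Riverbed advisory), the following Python maps a Log4j 2 version string onto the two CVEs whose affected ranges the Issue section quotes, CVE-2021-45105 and CVE-2021-44832, so an inventory of log4j-core jars can be triaged against them; the version grammar it accepts and the jar-filename helper are assumptions.

```python
import re
from typing import List, Tuple

# Pre-release qualifiers sort below the final release of the same number.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn a Log4j 2 version such as '2.0-beta7', '2.12.3' or '2.17.0' into a
    comparable tuple (major, minor, patch, qualifier_rank, qualifier_number).
    The accepted grammar is an assumption; it covers the forms the advisory quotes."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", v.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch, qual, qno = m.groups()
    rank = _PRE_RANK[qual] if qual else _FINAL_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(qno or 0))

# Affected ranges exactly as the advisory's Issue section states them:
# (CVE, first affected, last affected, excluded security-fix releases).
ADVISORY_RANGES = [
    ("CVE-2021-45105", "2.0-alpha1", "2.16.0", ("2.12.3",)),
    ("CVE-2021-44832", "2.0-beta7", "2.17.0", ("2.3.2", "2.12.4")),
]

def affected_cves(version: str) -> List[str]:
    """Return the advisory-listed CVEs whose stated range contains `version`."""
    v = parse_version(version)
    hits = []
    for cve, first, last, excluded in ADVISORY_RANGES:
        in_window = parse_version(first) <= v <= parse_version(last)
        if in_window and v not in {parse_version(x) for x in excluded}:
            hits.append(cve)
    return hits

def cves_for_jar(path: str) -> List[str]:
    """Convenience wrapper for an inventory of jar paths, e.g. '.../log4j-core-2.14.1.jar'.
    The filename convention is the standard Maven artifact name (an assumption here)."""
    m = re.search(r"log4j-core-(\d[^/\\]*?)\.jar$", path)
    if not m:
        raise ValueError(f"not a log4j-core jar: {path!r}")
    return affected_cves(m.group(1))

if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real host.
    for jar in ("lib/log4j-core-2.14.1.jar", "lib/log4j-core-2.12.3.jar",
                "lib/log4j-core-2.17.0.jar", "lib/log4j-core-2.17.1.jar"):
        print(jar, "->", cves_for_jar(jar) or "none of the listed CVEs")
```

Because the exclusion lists are copied from the advisory's wording, releases it does not name (2.12.4, for instance, falls inside the stated CVE-2021-45105 window) are still reported, so treat such hits as a prompt to consult the upstream Apache advisory rather than as a verdict.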
Solution
CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105 - Across Riverbed's product portfolio, the following products have been identified as vulnerable to all three issues; all other products are not vulnerable, per the table below.
  • Portal 3.x, UCExpert and SteelConnect EX.
  • Resolution status as of December 22nd (refer to the table below for details):
    • Patches have been made available to address all issues for Portal 3.x and UCExpert.
    • Patches are planned for SteelConnect EX, with development work in flight to address CVE-2021-45046 and CVE-2021-45105.
  • Aternity EuE, Portal 1.x and NetIM 2.x are vulnerable only to CVE-2021-44228 & CVE-2021-45046, and patches have been made available.
CVE-2021-4104 - On further investigation, none of the Riverbed products based on Log4j 1.x use JMSAppender, and hence they are not vulnerable.
CVE-2021-44832 - On further investigation, all Riverbed products have been found not vulnerable.


The products below have been determined VULNERABLE to at least one of the covered CVEs (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105).
The products below have been found NOT VULNERABLE for CVE-2021-44832.

Product | CVE-2021-44228 | CVE-2021-45046 | CVE-2021-45105 | CVE-2021-44832 | Latest Patch
--- | --- | --- | --- | --- | ---
Aternity | See S35643 for all details | | | |
NetIM 2.x | Patched 17-DEC-2021 | Patched 17-DEC-2021 | Not Vulnerable | Not Vulnerable | See S35659
Portal 1.x | Patched 20-DEC-2021 | Patched 20-DEC-2021 | Not Vulnerable | Not Vulnerable | See S35666
Portal 2.x, 3.x (all 2.x installs should be updated to v3.5.2) | Patched 17-DEC-2021 | Patched 21-DEC-2021 | Patched 21-DEC-2021 | Not Vulnerable | See S35667
UCExpert | Patched 16-DEC-2021 | Patched 16-DEC-2021 | Patched 21-DEC-2021 | Not Vulnerable | See S35646
SteelConnect EX Director | New Builds Released 28-DEC-2021 | New Builds Released 28-DEC-2021 | New Builds Released 28-DEC-2021 | Not Vulnerable | See S35647
SteelConnect EX Analytics | New Builds Released 28-DEC-2021 | New Builds Released 28-DEC-2021 | New Builds Released 28-DEC-2021 | Not Vulnerable | See S35647


The products below are NOT VULNERABLE to any of the covered CVEs (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105, CVE-2021-44832).

Product | Vulnerability Assessment
--- | ---
AppResponse11 | Not Vulnerable
AppResponse9 (End of Support) | Not Vulnerable
Client Accelerator Controllers and Client Accelerator (aka SteelCentral Controller for SteelHead Mobile and SteelHead Mobile) | Not Vulnerable
Flow Gateway | Not Vulnerable
FlowTraq | Not Vulnerable
Modeler | Not Vulnerable
NetAuditor Desktop | Not Vulnerable
NetAuditor Web | Not Vulnerable
NetCollector | Not Vulnerable
NetExpress | Not Vulnerable
NetIM 1.x | Not Vulnerable
NetIM Test Engine | Not Vulnerable
NetPlanner | Not Vulnerable
NetProfiler | Not Vulnerable
NetShark (End of Support) | Not Vulnerable
Packet Analyzer | Not Vulnerable
Packet Analyzer Plus | Not Vulnerable
Packet Trace Warehouse | Not Vulnerable
Report Server (End of Support) | Not Vulnerable
SaaS Accelerator | Not Vulnerable
SteelCentral Authentication Server | Not Vulnerable
SteelCentral Controller for SteelHead | Not Vulnerable
SteelConnect CX (SteelConnect Manager and all gateway models) | Not Vulnerable
SteelConnect EX FlexVNF | Not Vulnerable
SteelFusion Edge | Not Vulnerable
SteelFusion Core (appliance, virtual) | Not Vulnerable
SteelHead CX (appliance, virtual, cloud) | Not Vulnerable
SteelHead EX | Not Vulnerable
SteelHead Interceptor | Not Vulnerable
Transaction Analyzer | Not Vulnerable
Transaction Analyzer Agents | Not Vulnerable
WinSec Controller for SteelHead (WSC) | Not Vulnerable
NOTICE: Riverbed® product names have changed. Please refer to the Product List for a complete list of product names.