Researchers have discovered a critical vulnerability in the Apache Log4j library that scores 10/10 on CVSS. Below is an analysis and guidance on protecting your servers.
Many security news outlets have reported the discovery of the critical vulnerability CVE-2021-44228 in the Apache Log4j library (CVSS severity 10/10). Millions of Java applications use this library to log error messages. To make matters worse, attackers are already actively exploiting the vulnerability. For this reason, the Apache Foundation recommends that all developers update the library to version 2.15.0 and, if that is not possible, use one of the methods described here.
Why CVE-2021-44228 is so dangerous
CVE-2021-44228, also named Log4Shell or LogJam, is a Remote Code Execution (RCE) class vulnerability. If attackers exploit it on a server, they can execute arbitrary code and potentially take full control of the system.
What makes CVE-2021-44228 especially dangerous is how easy it is to exploit: even an inexperienced hacker can successfully carry out an attack using this vulnerability. According to researchers, attackers only need to force the application to write a single string to the log, after which they can load their own code into the application thanks to the message lookup substitution feature.
Proofs of Concept (PoC) for attacks via CVE-2021-44228 are already available on the Internet. It is therefore no surprise that cybersecurity companies have already recorded massive network scans for vulnerable applications as well as attacks on honeypots.
The vulnerability was discovered by Chen Zhaojun of the Alibaba Cloud Security Team.
What is Apache Log4j and why is this library so popular?
Apache Log4j is part of the Apache Logging Project. By and large, using this library is one of the easiest ways to log errors, which is why most Java developers use it.
Many large software companies and online services use the Log4j library, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and others. Because the library is so popular, some information security researchers expect attacks on vulnerable servers to increase significantly in the coming days.
Which versions of the Log4j library are vulnerable, and how can you protect your servers?
Almost all versions of Log4j are vulnerable, from 2.0-beta9 through 2.14.1. The simplest and most effective protection is to install the latest version of the library, 2.15.0. You can download it from the project page.
If for some reason updating the library is not possible, the Apache Foundation recommends using one of the following mitigations. For Log4j versions 2.10 through 2.14.1, it advises setting the system property log4j2.formatMsgNoLookups, or setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS, to true.
To protect earlier releases of Log4j (from 2.0-beta9 to 2.10.0), the library developers recommend removing the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
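The version ranges and mitigations above can be turned into an inventory check. The following is an added example, not code from the original article or from Apache: it walks a JAR/WAR/EAR, including archives nested inside it, and reports for each log4j-core copy which of the actions described on this page applies. It assumes the version can be read from the log4j-core-<version>.jar file name; the action labels, app.war, vendor-agent.jar and the sample archives are constructed for illustration.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j-core-2\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$")


def classify(version, has_jndi_class):
    """Map (minor, patch, pre, pre_n) to the page's action; 2.10.0 gets the flag."""
    minor, patch, pre, pre_n = version
    if (minor, patch) >= (15, 0):
        return "patched"
    if (minor, patch) == (0, 0) and (pre == "alpha" or (pre == "beta" and pre_n < 9)):
        return "before-affected-range"  # older than 2.0-beta9
    if not has_jndi_class:
        return "jndilookup-removed"
    return "set-formatMsgNoLookups" if minor >= 10 else "remove-jndilookup-class"


def scan_archive(fileobj, label, findings=None):
    """Walk a JAR/WAR/EAR, including nested archives, for log4j-core copies."""
    findings = [] if findings is None else findings
    with zipfile.ZipFile(fileobj) as zf:
        names = zf.namelist()
        m = NAME_RE.search(label)
        if m:
            version = (int(m[1]), int(m[2] or 0), m[3], int(m[4] or 0))
            findings.append((label, classify(version, JNDI_CLASS in names)))
        elif JNDI_CLASS in names:
            # Shaded JAR: the class is unpacked into an archive with no version in its name.
            findings.append((label, "shaded-copy-version-unknown"))
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear")):
                scan_archive(io.BytesIO(zf.read(name)), f"{label}!/{name}", findings)
    return findings


def make_jar(entries):
    """Build an in-memory archive (constructed sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Scan a constructed WAR that bundles several log4j-core copies."""
    with_class = make_jar({JNDI_CLASS: b""})
    stripped = make_jar({"org/apache/logging/log4j/core/Logger.class": b""})
    war = make_jar({
        "WEB-INF/lib/log4j-core-2.14.1.jar": with_class,
        "WEB-INF/lib/log4j-core-2.8.2.jar": with_class,
        "WEB-INF/lib/log4j-core-2.9.1.jar": stripped,
        "WEB-INF/lib/log4j-core-2.15.0.jar": with_class,
        "WEB-INF/lib/vendor-agent.jar": with_class,
    })
    return scan_archive(io.BytesIO(war), "app.war")


if __name__ == "__main__":
    for path, action in demo():
        print(f"{action:28} {path}")
```

To check a real deployment, open the archive in binary mode and pass the file object and its path to scan_archive; renamed JARs are only caught by the shaded-copy branch.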
In addition, you should also review these security practices to better protect yourself.
List of vendors affected by the Log4j vulnerability
A
Akamai : https://www.akamai.com/blog/news/CVE-2021-44228-Zero-Day-Vulnerability
Apache Druid : https://github.com/apache/druid/pull/12051
Apache Flink : https://flink.apache.org/2021/12/10/log4j-cve.html
Apache Guacamole : https://issues.apache.org/jira/projects/GUACAMOLE/issues/GUACAMOLE-1474?filter=allissues
Apache LOG4J : https://logging.apache.org/log4j/2.x/security.html
Apache Kafka : https://lists.apache.org/thread/lgbtvvmy68p0059yoyn9qxzosdmx4jdv
Apache Solr : https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
Apache Struts : https://struts.apache.org/announce-2021#a20211212-2
Apereo CAS : https://apereo.github.io/2021/12/11/log4j-vuln/
Apigee : https://status.apigee.com/incidents/3cgzb0q2r10p
Appdynamics : https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability
APPSHEET : https://community.appsheet.com/t/appsheet-statement-on-log4j-vulnerability-cve-2021-44228/59976
Aptible : https://status.aptible.com/incidents/gk1rh440h36s?u=zfbcrbt2lkv4
Ariba : https://connectsupport.ariba.com/sites#announcements-display&/Event/908469
ArrayNetworks : https://twitter.com/ArraySupport/status/1470141638571745282
Atlassian : https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html
Automox : https://blog.automox.com/log4j-critical-vulnerability-scores-a-10
Avantra SYSLINK : https://support.avantra.com/support/solutions/articles/44002291388-cve-2021-44228-log4j-2-vulnerability
Avaya : https://support.avaya.com/helpcenter/getGenericDetails?detailId=1399839287609
AVM UNOFFICIAL : https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592#gistcomment-3993316
AWS New : https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
AWS OLD: https://aws.amazon.com/security/security-bulletins/AWS-2021-005/
AZURE Datalake store java : https://github.com/Azure/azure-data-lake-store-java/blob/ed5d6304783286c3cfff0a1dee457a922e23ad48/CHANGES.md#version-2310
B
BACKBLAZE : https://twitter.com/backblaze/status/1469477224277368838
BeyondTrust Bomgar : https://beyondtrustcorp.service-now.com/kb_view.do?sysparm_article=KB0016542
BigBlueButton : https://github.com/bigbluebutton/bigbluebutton/issues/13897#issuecomment-991652632
BitDefender : https://businessinsights.bitdefender.com/security-advisory-bitdefender-response-to-critical-0-day-apache-log4j2-vulnerability
BitNami By VMware : https://docs.bitnami.com/general/security/security-2021-12-10/
BMC Software : https://community.bmc.com/s/news/aA33n000000TSUdCAO/bmc-security-advisory-for-cve202144228-log4shell-vulnerability
Broadcom Automic Automation : https://knowledge.broadcom.com/external/article?articleId=230308
C
Camunda : https://forum.camunda.org/t/cve-2021-44228-log4j-2-exploit/31871/4
CarbonBlack : https://community.carbonblack.com/t5/Threat-Research-Docs/Log4Shell-Log4j-Remote-Code-Execution-CVE-2021-44228/ta-p/109134
Cerberus FTP : https://support.cerberusftp.com/hc/en-us/articles/4412448183571-Cerberus-is-not-affected-by-CVE-2021-44228-log4j-0-day-vulnerability
ChaserSystems : https://chasersystems.com/discrimiNAT/blog/log4shell-and-its-traces-in-a-network-egress-filter/#are-chasers-products-affected
Cisco: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
Citrix : https://support.citrix.com/article/CTX335705
CloudFlare : https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
Cloudian HyperStore : https://cloudian-support.force.com/s/article/SECURITY-Cloudian-HyperStore-Log4j-vulnerability-CVE-2021-44228
CPanel : https://forums.cpanel.net/threads/log4j-cve-2021-44228-does-it-affect-cpanel.696249/
ConcreteCMS.com : https://www.concretecms.com/about/blog/security/concrete-log4j-zero-day-exploit
Connect2id : https://connect2id.com/blog/connect2id-server-12-5-1
ConnectWise : https://www.connectwise.com/company/trust/advisories
ContrastSecurity : https://support.contrastsecurity.com/hc/en-us/articles/4412612486548
ControlUp : https://status.controlup.com/incidents/qqyvh7b1dz8k
Coralogix : https://twitter.com/Coralogix/status/1469713430659559425
CouchBase : https://forums.couchbase.com/t/ann-elasticsearch-connector-4-3-3-4-2-13-fixes-log4j-vulnerability/32402
CryptShare : https://www.cryptshare.com/en/support/cryptshare-support/#c67572
CyberArk : https://cyberark-customers.force.com/s/article/Critical-Vulnerability-CVE-2021-44228
Cybereason : https://www.cybereason.com/blog/cybereason-solutions-are-not-impacted-by-apache-log4j-vulnerability-cve-2021-44228
D
Dataminer : https://community.dataminer.services/responding-to-log4shell-vulnerability/
Datto : https://www.datto.com/blog/dattos-response-to-log4shell
Debian : https://security-tracker.debian.org/tracker/CVE-2021-44228
Docker : https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/
Docusign : https://www.docusign.com/trust/alerts/alert-docusign-statement-on-the-log4j2-vulnerability
dCache.org : https://www.dcache.org/post/log4j-vulnerability/
DCM4CHE.org : https://github.com/dcm4che/dcm4che/issues/1050
DRAW.IO : https://twitter.com/drawio/status/1470061320066277382
DropWizard : https://twitter.com/dropwizardio/status/1469285337524580359
E
Eclipse Foundation : https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592#gistcomment-3992521
EHRBase : https://github.com/ehrbase/ehrbase/issues/700
ESET : https://forum.eset.com/topic/30691-log4j-vulnerability/?do=findComment&comment=143745
EVLLABS JGAAP : https://github.com/evllabs/JGAAP/releases/tag/v8.0.2
Extreme Networks : https://extremeportal.force.com/ExtrArticleDetail?an=000100806
F
F5 Networks : https://support.f5.com/csp/article/K19026212
F-Secure : https://status.f-secure.com/incidents/sk8vmr0h34pd
Fastly : https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j
ForgeRock : https://backstage.forgerock.com/knowledge/kb/book/b21824339
Fortinet : https://www.fortiguard.com/psirt/FG-IR-21-245
FTAPI : https://docs.ftapi.com/display/RN/4.12.2
FusionAuth : https://fusionauth.io/blog/2021/12/10/log4j-fusionauth/
G
Gearset : https://docs.gearset.com/en/articles/5806813-gearset-log4j-statement-dec-2021
Genesys : https://www.genesys.com/blog/post/genesys-update-on-the-apache-log4j-vulnerability
GitHub : https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
GoAnywhere : https://www.goanywhere.com/cve-2021-44228-goanywhere-mitigation-steps
Google Cloud Global Products coverage : https://cloud.google.com/log4j2-security-advisory
Google Cloud Armor WAF : https://cloud.google.com/blog/products/identity-security/cloud-armor-waf-rule-to-help-address-apache-log4j-vulnerability
GrayLog : https://www.graylog.org/post/graylog-update-for-log4j
GratWiFi WARNING I can’t confirm it: https://www.facebook.com/GratWiFi/posts/396447615600785
GuardedBox : https://twitter.com/GuardedBox/status/1469739834117799939
H
HackerOne : https://twitter.com/jobertabma/status/1469490881854013444
HCL Software : https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486
Hewlett Packard Enterprise HPE : https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00120086en_us
Hitachi Vantara : https://knowledge.hitachivantara.com/Support_Information/Hitachi_Vantara_Security_Advisories/CVE-2021-44228_-_Apache_Log4j2
HostiFi : https://twitter.com/hostifi_net/status/1469511114824339464
Huawei : https://www.huawei.com/en/psirt/security-notices/huawei-sn-20211210-01-log4j2-en
I
I2P : https://geti2p.net/en/blog/post/2021/12/11/i2p-unaffected-cve-2021-44228
IBM : https://www.ibm.com/support/pages/node/6525548
Ignite Realtime : https://discourse.igniterealtime.org/t/openfire-4-6-5-released/91108
Imperva : https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/
Inductive Automation : https://support.inductiveautomation.com/hc/en-us/articles/4416204541709-Regarding-CVE-2021-44228-Log4j-RCE-0-day
Informatica : https://network.informatica.com/community/informatica-network/blog/2021/12/10/log4j-vulnerability-update
Ironnet : https://www.ironnet.com/blog/ironnet-security-notifications-related-to-log4j-vulnerability
J
JAMF NATION : https://community.jamf.com/t5/jamf-pro/third-party-security-issue/td-p/253740
JazzSM DASH IBM : https://www.ibm.com/support/pages/node/6525552
Jenkins : https://www.jenkins.io/blog/2021/12/10/log4j2-rce-CVE-2021-44228/
JetBrains Teamcity : https://youtrack.jetbrains.com/issue/TW-74298
K
Kafka Connect CosmosDB : https://github.com/microsoft/kafka-connect-cosmosdb/blob/0f5d0c9dbf2812400bb480d1ff0672dfa6bb56f0/CHANGELOG.md
Kaseya : https://helpdesk.kaseya.com/hc/en-gb/articles/4413449967377-Log4j2-Vulnerability-Assessment
Keycloak : https://github.com/keycloak/keycloak/discussions/9078
KEMP : https://support.kemptechnologies.com/hc/en-us/articles/4416430695437-CVE-2021-44228-Log4j2-Exploit
Komoot Photon : https://github.com/komoot/photon/issues/620
L
Leanix : https://www.leanix.net/en/blog/log4j-vulnerability-log4shell
LucentSKY : https://twitter.com/LucentSky/status/1469358706311974914
Lightbend : https://discuss.lightbend.com/t/regarding-the-log4j2-vulnerability-cve-2021-44228/9275
LiquidFiles : https://mailchi.mp/liquidfiles/liquidfiles-log4j?e=%5BUNIQID%5D
LogRhythm CISO email I can’t confirm : https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592#gistcomment-3992599
M
Macchina io : https://twitter.com/macchina_io/status/1469611606569099269
MailCow : https://github.com/mailcow/mailcow-dockerized/issues/4375
ManageEngine Zoho : https://pitstop.manageengine.com/portal/en/community/topic/log4j-ad-manager-plus
ManageEngine Zoho : https://pitstop.manageengine.com/portal/en/community/topic/log4j-security-issue
Mattermost FocalBoard : https://forum.mattermost.org/t/log4j-vulnerability-concern/12676
McAfee : https://kc.mcafee.com/corporate/index?page=content&id=KB95091
Metabase : https://github.com/metabase/metabase/commit/8bfce98beb25e48830ac2bfd57432301c5e3ab37
Microsoft : https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
Minecraft : https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
MISP : https://twitter.com/MISPProject/status/1470051242038673412
Mulesoft : https://help.mulesoft.com/s/article/Apache-Log4j2-vulnerability-December-2021
N
N-able : https://www.n-able.com/security-and-privacy/apache-log4j-vulnerability
NEO4J : https://community.neo4j.com/t/log4j-cve-mitigation-for-neo4j/48856
NetApp : https://security.netapp.com/advisory/ntap-20211210-0007/
Netflix : https://github.com/search?q=org%3ANetflix+CVE-2021-44228&type=commits
NextGen Healthcare Mirth : https://github.com/nextgenhealthcare/connect/discussions/4892#discussioncomment-1789526
Newrelic : https://discuss.newrelic.com/t/log4j-zero-day-vulnerability-and-the-new-relic-java-agent/170322
Nutanix : https://download.nutanix.com/alerts/Security_Advisory_0023.pdf
O
Okta : https://sec.okta.com/articles/2021/12/log4shell
OpenHab : https://github.com/openhab/openhab-distro/pull/1343
OpenMRS TALK : https://talk.openmrs.org/t/urgent-security-advisory-2021-12-11-re-apache-log4j-2/35341
OpenSearch : https://discuss.opendistrocommunity.dev/t/log4j-patch-for-cve-2021-44228/7950
Oracle : https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
OxygenXML : https://www.oxygenxml.com/security/advisory/CVE-2021-44228.html
P
Palo-Alto Networks : https://security.paloaltonetworks.com/CVE-2021-44228
PaperCut : https://www.papercut.com/support/known-issues/#PO-684
Parse.ly : https://blog.parse.ly/parse-ly-log4shell/
Pega : https://docs.pega.com/security-advisory/security-advisory-apache-log4j-zero-day-vulnerability
Phenix Id : https://support.phenixid.se/uncategorized/log4j-fix/
PingIdentity : https://support.pingidentity.com/s/article/Log4j2-vulnerability-CVE-CVE-2021-44228
Positive Technologies : https://twitter.com/ptsecurity/status/1469398376978522116
Progress / IpSwitch : https://www.progress.com/security
PTV Group : https://company.ptvgroup.com/en/resources/service-support/log4j-latest-information
Pulse Secure : https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44933/?kA13Z000000L3dR
Puppet : https://puppet.com/blog/puppet-response-to-remote-code-execution-vulnerability-cve-2021-44228/
Pure Storage : https://support.purestorage.com/Field_Bulletins/Interim_Security_Advisory_Regarding_CVE-2021-44228_(%22log4j%22)
Q
Quest KACE : https://support.quest.com/kace-systems-management-appliance/kb/335869/is-the-kace-sma-affected-by-cve-2021-44228
R
Radware : https://support.radware.com/app/answers/answer_view/a_id/1029752
Red5Pro : https://www.red5pro.com/blog/red5-marked-safe-from-log4j-and-log4j2-zero-day/
RedHat : https://access.redhat.com/security/cve/cve-2021-44228
Revenera / Flexera : https://community.flexera.com/t5/Revenera-Company-News/Security-Advisory-Log4j-Java-Vulnerability-CVE-2021-44228/ba-p/216905
Riverbed : https://supportkb.riverbed.com/support/index?page=content&id=S35645
Rosette.com : https://support.rosette.com/hc/en-us/articles/4416216525965-Log4j-Vulnerability
RunDeck by PagerDuty : https://docs.rundeck.com/docs/history/CVEs/
Rubrik : https://support.rubrik.com/s/announcementdetail?Id=a406f000001PwOcAAK
S
SAFE FME Server : https://community.safe.com/s/article/Is-FME-Server-Affected-by-the-Security-Vulnerability-Reported-Against-log4j
Salesforce : https://help.salesforce.com/s/articleView?id=000363736&type=1
SAP BusinessObjects : https://launchpad.support.sap.com/#/notes/3129956
SAP Global coverage : https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf
SDL worldServer : https://gateway.sdl.com/apex/communityknowledge?articleName=000017707
Seafile : https://forum.seafile.com/t/urgent-zero-day-exploit-in-log4j/15575
Security Onion : https://blog.securityonion.net/2021/12/security-onion-2390-20211210-hotfix-now.html
ServiceNow : https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1000959
Sesam Info : https://twitter.com/sesam_info/status/1469711992122486791
Shibboleth : http://shibboleth.net/pipermail/announce/2021-December/000253.html
Siemens : https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
Signald : https://gitlab.com/signald/signald/-/issues/259
Skillable : https://skillable.com/log4shell/
SLF4J : http://slf4j.org/log4shell.html
SmileCDR : https://www.smilecdr.com/our-blog/a-statement-on-log4shell-cve-2021-44228
Software AG : https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849
SolarWinds : https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228
SonarSource : https://community.sonarsource.com/t/sonarqube-and-the-log4j-vulnerability/54721
Sonatype : https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild
SonicWall : https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
Sophos : https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce
Spring Boot : https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
SumoLogic : https://help.sumologic.com/Release-Notes/Collector-Release-Notes#december-11-2021-19-361-12
SUSE : https://www.suse.com/c/suse-statement-on-log4j-log4shell-cve-2021-44228-vulnerability/
Sterling Order IBM : https://www.ibm.com/support/pages/node/6525544
Sweepwidget : https://sweepwidget.com/view/23032-v9f40ns1/4zow83-23032
Synopsys : https://community.synopsys.com/s/article/SIG-Security-Advisory-for-Apache-Log4J2-CVE-2021-44228
SysAid : https://www.sysaid.com/lp/important-update-regarding-apache-log4j
Sysdig : https://sysdig.com/blog/cve-critical-vulnerability-log4j/
T
Talend : https://jira.talendforge.org/browse/TCOMP-2054
TealiumIQ : https://community.tealiumiq.com/t5/Announcements-Blog/Update-on-Log4j-Security-Vulnerability/ba-p/36824
Threema UNOFFICIAL : https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592#gistcomment-3993316
TrendMicro : https://success.trendmicro.com/solution/000289940
Tricentis Tosca : https://support-hub.tricentis.com/open?number=NEW0001148&id=post
U
Ubiquiti-UniFi-UI : https://community.ui.com/releases/UniFi-Network-Application-6-5-54/d717f241-48bb-4979-8b10-99db36ddabe1
Ubuntu : https://ubuntu.com/security/CVE-2021-44228
USSIGNAL MSP : https://ussignal.com/blog/apache-log4j-vulnerability
V
Varonis : https://help.varonis.com/s/article/Apache-Log4j-Zero-Day-Vulnerability-CVE-2021-44228
Veritas NetBackup : https://www.veritas.com/content/support/en_US/article.100052058
Veeam : https://www.veeam.com/kb4254
Vespa ENGINE : https://github.com/vespa-engine/blog/blob/f281ce4399ed3e97b4fed32fcc36f9ba4b17b1e2/_posts/2021-12-10-log4j-vulnerability.md
VMware : https://www.vmware.com/security/advisories/VMSA-2021-0028.html
W
Wallarm : https://lab.wallarm.com/cve-2021-44228-mitigation-update/
WatchGuard / Secplicity : https://www.secplicity.org/2021/12/10/critical-rce-vulnerability-in-log4js/
WildFlyAS : https://twitter.com/WildFlyAS/status/1469362190536818688
WitFoo : https://www.witfoo.com/blog/emergency-update-for-cve-2021-44228-log4j/
Wodby Cloud : https://twitter.com/wodbycloud/status/1470125735914450950
Wowza : https://www.wowza.com/docs/known-issues-with-wowza-streaming-engine#log4j2-cve
WSO2 : https://github.com/wso2/security-tools/pull/169
X
XCP-ng : https://xcp-ng.org/forum/topic/5315/log4j-vulnerability-impact
Y
Z
ZAMMAD : https://community.zammad.org/t/cve-2021-44228-elasticsearch-users-be-aware/8256
Zaproxy : https://www.zaproxy.org/blog/2021-12-10-zap-and-log4shell/
Zerto : https://help.zerto.com/kb/000004822
Zesty : https://www.zesty.io/mindshare/company-announcements/log4j-exploit/
Zimbra : https://forums.zimbra.org/viewtopic.php?f=15&t=70240