When searching by CVE ID for this, I get about 20 assets shown as affected. The solution is to Upgrade Apache Log4j Core to the latest version.
When running a similar query for vulnerability title=log4j, I get about 100 assets shown, with all 3 solutions affecting different assets having the same kind of wording around updating log4jcore to the latest version.
I get for the new and broader query
-
Upgrade affected Apache Log4j installations to the latest appropriate version recommended by Apache
Upgrade Apache Log4j Core to 2.12.3
- Upgrade Apache Log4j Core to the latest version (same wording as the CVE -specific query and same solution, but this one has over 100 assets.
What is really the difference between these? Wouldn’t all of these assets under the broader query also be exposed to CVE-2021-44228?
I guess I can’t tell really from this if I’m correct in prioritizing the CVE-specific results since it’s considered an emerging threat, or if I should be factoring in the affected assets in the broader query. My goal is obviously to hit all of these, but I want to make sure I’m erasing this specific CVE first based on criticality/exploitability.