Log4J Remediation overlap CVE-2021-44228

When searching by CVE ID for this, I get about 20 assets shown as affected. The solution is to Upgrade Apache Log4j Core to the latest version.

When running a similar query for vulnerability title=log4j, I get about 100 assets shown, with all 3 solutions affecting different assets having the same kind of wording around updating log4j core to the latest version.

I get for the new and broader query:

  • Upgrade affected Apache Log4j installations to the latest appropriate version recommended by Apache

  • Upgrade Apache Log4j Core to 2.12.3

  • Upgrade Apache Log4j Core to the latest version (same wording as the CVE-specific query and same solution, but this one has over 100 assets).

What is really the difference between these? Wouldn’t all of these assets under the broader query also be exposed to CVE-2021-44228?

I guess I can’t tell really from this if I’m correct in prioritizing the CVE-specific results since it’s considered an emerging threat, or if I should be factoring in the affected assets in the broader query. My goal is obviously to hit all of these, but I want to make sure I’m erasing this specific CVE first based on criticality/exploitability.

@Rahpudsehvun - without further details I couldn’t say for certain, but I would guess the difference is probably as a result of our Log4j obsolete check.

This will trigger for any Log4j v1.x jar files found, which will only instruct you to upgrade to latest, rather than giving a specific version to upgrade to.

Log4j 1.x is not vulnerable to CVE-2021-44228; however, it is vulnerable to a large number of known and unknown vulnerabilities due to it being obsolete for 8 years (since 2015).

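To make the overlap concrete, here is an added triage helper (example code, not part of this thread and not the scanner's own check) that sorts scanner findings into the three buckets the reply describes: Log4j 1.x jars that only get an "upgrade to latest" obsolete finding, Log4j 2.x core jars exposed to CVE-2021-44228, and 2.x jars that are not exposed. The asset names and jar file names are constructed, and the version logic assumes the Apache advisory boundaries: 2.x below 2.15.0 is exposed, except the 2.12.2+ and 2.3.1+ security backports.

```python
import re

# Constructed sample: asset name -> Log4j jar a scanner might report. Hostnames are made up.
SAMPLE_ASSETS = {
    "app01": "log4j-1.2.17.jar",        # 1.x: obsolete, not CVE-2021-44228
    "app02": "log4j-core-2.14.1.jar",   # last 2.x release before the fix
    "app03": "log4j-core-2.12.2.jar",   # Java 7 security backport
    "app04": "log4j-core-2.12.1.jar",   # 2.12 branch before the backport
    "app05": "log4j-core-2.17.1.jar",   # fixed
    "app06": "log4j-core-2.3.1.jar",    # Java 6 security backport
    "app07": "log4j-api-2.14.1.jar",    # API jar only; not a core jar, left for manual review
}

# Matches the log4j 1.x jar and the 2.x log4j-core jar; patch may be absent (e.g. 2.3).
VERSION_RE = re.compile(r"log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_version(jar_name):
    """Return (major, minor, patch) from a jar file name, or None if it is not a core/1.x jar."""
    m = VERSION_RE.search(jar_name)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def exposed_to_cve_2021_44228(version):
    """Assumed boundaries: 2.x below 2.15.0 is exposed, except 2.12.2+ and 2.3.1+ backports."""
    major, minor, patch = version
    if major != 2:
        return False            # 1.x is obsolete but not affected by this CVE
    if (minor, patch) >= (15, 0):
        return False
    if minor == 12 and patch >= 2:
        return False
    if minor == 3 and patch >= 1:
        return False
    return True


def triage(assets):
    """Bucket assets so the CVE-specific set can be remediated first, then the obsolete 1.x set."""
    buckets = {"cve_2021_44228": [], "obsolete_1x": [], "not_exposed": [], "unparsed": []}
    for asset, jar in sorted(assets.items()):
        v = parse_version(jar)
        if v is None:
            buckets["unparsed"].append(asset)
        elif v[0] == 1:
            buckets["obsolete_1x"].append(asset)
        elif exposed_to_cve_2021_44228(v):
            buckets["cve_2021_44228"].append(asset)
        else:
            buckets["not_exposed"].append(asset)
    return buckets


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_ASSETS).items():
        print(f"{bucket}: {names}")
```

Assets landing in the obsolete_1x bucket explain why the broader title=log4j query returns far more hosts than the CVE-specific one without contradicting it.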