Amazon AWS API Gateway


Vendor Data Vendor Patch Exists
Community Data

Vendor Resources

Resource Link
Amazon AWS Link https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
Amazon AWS Link https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
CISAGov Last Update: 12/20/2021

Sources

Date Attribution Description
2021-12-31 9:06:53 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link Amazon AWS Link.
2021-12-30 21:31:50 CISAGov Updated vendor link Amazon AWS Link. Updated community note.
Expand Details

Amazon AWS AppSync


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon AWS CloudHSM


Vendor Data Vendor Patch Exists
Community Data Vulnerable

Vendor Resources

Resource Link
Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com) https://aws.amazon.com/security/security-bulletins/AWS-2021-005/

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL CloudHSM JCE SDK 3.4.1 or higher is not vulnerable

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
2021-12-30 21:31:50 CISAGov Updated communityVulnerable. Updated vendor link Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com).
Expand Details

Amazon AWS CodeBuild


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon AWS CodePipeline


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon AWS Connect


Vendor Data Vendor Patch Exists
Community Data

Vendor Resources

Resource Link
Vendor Link https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
Vendor Link https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Vendors recommend evaluating components of the environment outside of the Amazon Connect service boundary, which may require separate/additional customer mitigation
CISAGov Vendors recommend evaluating components of the environment outside of the Amazon Connect service boundary, which may require separate/additional customer mitigation
CISAGov Last Update: 12/23/2021

Sources

Date Attribution Description
2021-12-31 9:06:53 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link Vendor Link. Updated community note.
2021-12-30 21:31:50 CISAGov Updated vendor link Vendor Link. Updated community note. Updated community note.
Expand Details

Amazon AWS DynamoDB


Vendor Data Vendor Patch Exists
Community Data

Vendor Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
CISAGov Last Update: 12/17/2021

Sources

Date Attribution Description
2021-12-31 9:06:53 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link Update for Apache Log4j2 Issue (CVE-2021-44228).
2021-12-30 21:31:50 CISAGov Updated vendor link Update for Apache Log4j2 Issue (CVE-2021-44228). Updated community note.
Expand Details

Amazon AWS EKS, ECS, Fargate


Vendor Data Vendor Patch Exists
Community Data Vulnerable

Vendor Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL “To help mitigate the impact of the open-source Apache “Log4j2"” utility (CVE-2021-44228 and CVE-2021-45046) security issues on customers’ containers, Amazon EKS, Amazon ECS, and AWS Fargate are deploying a Linux-based update (hot-patch). This hot-patch will require customer opt-in to use, and disables JNDI lookups from the Log4J2 library in customers’ containers. These updates are available as an Amazon Linux package for Amazon ECS customers, as a DaemonSet for Kubernetes users on AWS, and will be in supported AWS Fargate platform versions"
CISAGov To help mitigate the impact of the open-source Apache “Log4j2" utility (CVE-2021-44228 and CVE-2021-45046) security issues on customers’ containers, Amazon EKS, Amazon ECS, and AWS Fargate are deploying a Linux-based update (hot-patch). This hot-patch will require customer opt-in to use, and disables JNDI lookups from the Log4J2 library in customers’ containers. These updates are available as an Amazon Linux package for Amazon ECS customers, as a DaemonSet for Kubernetes users on AWS, and will be in supported AWS Fargate platform versions
CISAGov Last Update: 12/16/2021

Sources

Date Attribution Description
2022-01-03 11:01:35 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link Update for Apache Log4j2 Issue (CVE-2021-44228). Updated community note.
2021-12-30 21:31:50 CISAGov Updated communityVulnerable. Updated vendorPatchExists. Updated vendor link Update for Apache Log4j2 Issue (CVE-2021-44228). Updated community note. Updated community note.
Expand Details

Amazon AWS Elastic Beanstalk


Vendor Data
Community Data Not Vulnerable

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Not vuln ; CVE-2021-45046: Not vuln ; CVE-2021-45105: Not vuln
NCSC-NL Default configuration of application’s usage of Log4j versions is not vulnerable

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated communityNotVulnerable. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon AWS ElastiCache


Vendor Data Vendor Patch Exists
Community Data

Vendor Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
CISAGov Last Update: 12/17/2021

Sources

Date Attribution Description
2022-01-03 11:01:35 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link Update for Apache Log4j2 Issue (CVE-2021-44228).
2021-12-30 21:31:50 CISAGov Updated vendor link Update for Apache Log4j2 Issue (CVE-2021-44228). Updated community note.
Expand Details

Amazon AWS ELB


Vendor Data Vendor Patch Exists
Community Data

Vendor Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
CISAGov Last Update: 12/16/2021

Sources

Date Attribution Description
2021-12-31 9:06:53 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link Update for Apache Log4j2 Issue (CVE-2021-44228).
2021-12-30 21:31:50 CISAGov Updated vendor link Update for Apache Log4j2 Issue (CVE-2021-44228). Updated community note.
Expand Details

Amazon AWS Fargate


Vendor Data
Community Data Not Vulnerable

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
hotpatch https://aws.amazon.com/blogs/opensource/hotpatch-for-apache-log4j/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Not vuln ; CVE-2021-45046: Not vuln ; CVE-2021-45105: Not vuln
NCSC-NL Opt-in hot-patch to mitigate the Log4j issue in JVM layer will be available as platform versions

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated communityNotVulnerable. Updated community note. Updated community link source. Updated community link hotpatch. Updated community note.
Expand Details

Amazon AWS Glue


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Has been updated. Vulnerable only if ETL jobs load affected versions of Apache Log4j

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon AWS Greengrass


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Updates for all Greengrass V2 components Stream Manager (2.0.14) and Secure Tunneling (1.0.6) are available. For Greengrass versions 1.10.x and 1.11.x, an update for the Stream Manager feature is included in Greengrass patch versions 1.10.5 and 1.11.5

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon AWS Inspector


Vendor Data Vendor Patch Exists
Community Data

Vendor Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
CISAGov Last Update: 12/17/2021

Sources

Date Attribution Description
2021-12-31 9:06:53 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link Update for Apache Log4j2 Issue (CVE-2021-44228).
2021-12-30 21:31:50 CISAGov Updated vendor link Update for Apache Log4j2 Issue (CVE-2021-44228). Updated community note.
Expand Details

Amazon AWS IoT SiteWise Edge


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL “Updates for all AWS IoT SiteWise Edge components that use Log4j were made available; OPC-UA collector (v2.0.3), Data processing pack (v2.0.14), and Publisher (v2.0.2)”

Sources

Date Attribution Description
2022-01-03 11:01:35 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon AWS Kinesis Data Stream


Vendor Data Vendor Patch Exists
Community Data Vulnerable

Vendor Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL We are actively patching all sub-systems that use Log4j2 by applying updates. The Kinesis Client Library (KCL) version 2.X and the Kinesis Producer Library (KPL) are not impacted. For customers using KCL 1.x, we have released an updated version and we strongly recommend that all KCL version 1.x customers upgrade to KCL version 1.14.5 (or higher)
CISAGov We are actively patching all sub-systems that use Log4j2 by applying updates. The Kinesis Client Library (KCL) version 2.X and the Kinesis Producer Library (KPL) are not impacted. For customers using KCL 1.x, we have released an updated version and we strongly recommend that all KCL version 1.x customers upgrade to KCL version 1.14.5 (or higher)
CISAGov Last Update: 12/14/2021

Sources

Date Attribution Description
2021-12-31 9:06:53 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link Update for Apache Log4j2 Issue (CVE-2021-44228). Updated community note.
2021-12-30 21:31:50 CISAGov Updated communityVulnerable. Updated vendorPatchExists. Updated vendor link Update for Apache Log4j2 Issue (CVE-2021-44228). Updated community note. Updated community note.
Expand Details

Amazon AWS Lambda


Vendor Data Vendor Patch Exists
Community Data Vulnerable

Vendor Resources

Resource Link
Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com) https://aws.amazon.com/security/security-bulletins/AWS-2021-005/

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Vulnerable when using aws-lambda-java-log4j2

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
2021-12-30 21:31:50 CISAGov Updated communityVulnerable. Updated vendorPatchExists. Updated vendor link Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com).
Expand Details

Amazon AWS RDS


Vendor Data Vendor Patch Exists
Community Data

Vendor Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Amazon RDS and Amazon Aurora have been updated to mitigate the issues identified in CVE-2021-44228
CISAGov Amazon RDS and Amazon Aurora have been updated to mitigate the issues identified in CVE-2021-44228
CISAGov Last Update: 12/17/2021

Sources

Date Attribution Description
2021-12-31 9:06:53 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link Update for Apache Log4j2 Issue (CVE-2021-44228). Updated community note.
2021-12-30 21:31:50 CISAGov Updated vendor link Update for Apache Log4j2 Issue (CVE-2021-44228). Updated community note. Updated community note.
Expand Details

Amazon AWS S3


Vendor Data Vendor Patch Exists
Community Data

Vendor Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
CISAGov Last Update: 12/14/2021

Sources

Date Attribution Description
2021-12-31 9:06:53 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link Update for Apache Log4j2 Issue (CVE-2021-44228).
2021-12-30 21:31:50 CISAGov Updated vendor link Update for Apache Log4j2 Issue (CVE-2021-44228). Updated community note.
Expand Details

Amazon AWS SDK


Vendor Data
Community Data Not Vulnerable

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Not vuln ; CVE-2021-45046: Not vuln ; CVE-2021-45105: Not vuln

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated communityNotVulnerable. Updated community note. Updated community link source.
Expand Details

Amazon AWS SNS


Vendor Data Vendor Patch Exists
Community Data

Vendor Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Amazon SNS systems that serve customer traffic are patched against the Log4j2 issue. We are working to apply the Log4j2 patch to sub-systems that operate separately from SNS’s systems that serve customer traffic
CISAGov Amazon SNS systems that serve customer traffic are patched against the Log4j2 issue. We are working to apply the Log4j2 patch to sub-systems that operate separately from SNS’s systems that serve customer traffic
CISAGov Last Update: 12/14/2021

Sources

Date Attribution Description
2021-12-31 9:06:53 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link Update for Apache Log4j2 Issue (CVE-2021-44228). Updated community note.
2021-12-30 21:31:50 CISAGov Updated vendor link Update for Apache Log4j2 Issue (CVE-2021-44228). Updated community note. Updated community note.
Expand Details

Amazon AWS SQS


Vendor Data Vendor Patch Exists
Community Data

Vendor Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
Update for Apache Log4j2 Issue (CVE-2021-44228) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
CISAGov Last Update: 12/15/2021

Sources

Date Attribution Description
2021-12-31 9:06:53 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link Update for Apache Log4j2 Issue (CVE-2021-44228).
2021-12-30 21:31:50 CISAGov Updated vendor link Update for Apache Log4j2 Issue (CVE-2021-44228). Updated community note.
Expand Details

Amazon Chime


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Amazon Chime and Chime SDK services have been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon CloudFront


Vendor Data Vendor Patch Exists
Community Data

Vendor Resources

Resource Link
https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source.
2021-12-30 21:31:50 CISAGov Updated vendor link https://aws.amazon.com/security/security-bulletins/AWS-2021-006/.
Expand Details

Amazon CloudWatch


Vendor Data Vendor Patch Exists
Community Data

Vendor Resources

Resource Link
https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source.
2021-12-30 21:31:50 CISAGov Updated vendor link https://aws.amazon.com/security/security-bulletins/AWS-2021-006/.
Expand Details

Amazon Corretto


Vendor Data
Community Data Not Vulnerable

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Not vuln ; CVE-2021-45046: Not vuln ; CVE-2021-45105: Not vuln
NCSC-NL 10/19 release distribution does not include Log4j. Vulnerable only if customer’s applications use affected versions of Apache Log4j

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated communityNotVulnerable. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon EC2


Vendor Data Vendor Patch Exists
Community Data Not Vulnerable

Vendor Resources

Resource Link
Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
fix https://alas.aws.amazon.com/cve/html/CVE-2021-44228.html

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Packages for Amazon Linux 1 and 2 not affected, package for Amazon Linux 2022 is
CISAGov Last Update: 12/15/2021

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community link fix. Updated community note.
2021-12-30 21:31:50 CISAGov Updated communityNotVulnerable. Updated vendor link Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com). Updated community note.
Expand Details

Amazon ECR Public


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Amazon-owned images published under a Verified Account on Amazon ECR Public are not affected by the Log4j issue

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon ECS


Vendor Data
Community Data Not Vulnerable

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
hotpatch https://aws.amazon.com/blogs/opensource/hotpatch-for-apache-log4j/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Not vuln ; CVE-2021-45046: Not vuln ; CVE-2021-45105: Not vuln
NCSC-NL As an Amazon Linux package, opt-in hot-patch to mitigate the Log4j issue in JVM layer is available

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated communityNotVulnerable. Updated community note. Updated community link source. Updated community link hotpatch. Updated community note.
Expand Details

Amazon EKS


Vendor Data
Community Data Not Vulnerable

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
hotpatch https://aws.amazon.com/blogs/opensource/hotpatch-for-apache-log4j/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Not vuln ; CVE-2021-45046: Not vuln ; CVE-2021-45105: Not vuln
NCSC-NL As a DaemonSet, opt-in hot-patch to mitigate the Log4j issue in JVM layer is available

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated communityNotVulnerable. Updated community note. Updated community link source. Updated community link hotpatch. Updated community note.
Expand Details

Amazon Elastic Load Balancing


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Services have been updated. All Elastic Load Balancers, as well as Classic, Application, Network and Gateway, are not affected by this Log4j issue

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon EMR


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Many customers are estimated to be vulnerable. Vulnerable only if affected EMR releases are used and untrusted sources are configured to be processed

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon Kafka (MSK)


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL “Applying updates as required, portion of customers may still be vulnerable. Some MSK-specific service components use Log4j > 2.0.0 library and are being patched where needed”

Sources

Date Attribution Description
2022-01-03 11:01:35 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon Kinesis Data Analytics


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Updates are available. See source for more information

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon Kinesis Data Streams


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL KCL 2.x, KCL 1.14.5 or higher, and KPL are not vulnerable

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon Lake Formation


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Update in progress, portion of customers may still be vulnerable. AWS Lake Formation service hosts are being updated to the latest version of Log4j

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon Linux 1 (AL1)


Vendor Data
Community Data Not Vulnerable

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
hotpatch https://aws.amazon.com/blogs/opensource/hotpatch-for-apache-log4j/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Not vuln ; CVE-2021-45046: Not vuln ; CVE-2021-45105: Not vuln
NCSC-NL By default not vulnerable. Opt-in hot-patch to mitigate the Log4j in JVM layer issue is available

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated communityNotVulnerable. Updated community note. Updated community link source. Updated community link hotpatch. Updated community note.
Expand Details

Amazon Linux 2 (AL2)


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
hotpatch https://aws.amazon.com/blogs/opensource/hotpatch-for-apache-log4j/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL By default not vulnerable, and a new version of Amazon Kinesis Agent which is part of AL2 addresses the Log4j issue. Opt-in hot-patch to mitigate the Log4j issue in JVM layer is available

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community link hotpatch. Updated community note.
Expand Details

Amazon NICE


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Recommended to update EnginFrame or Log4j library

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon OpenSearch


Vendor Data Vendor Patch Exists
Community Data Vulnerable

Vendor Resources

Resource Link
Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com) https://aws.amazon.com/security/security-bulletins/AWS-2021-005/
(R20211203-P2) https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Update released, customers need to update their clusters to the fixed release

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
2021-12-30 21:31:50 CISAGov Updated communityVulnerable. Updated vendorPatchExists. Updated vendor link Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com). Updated vendor link (R20211203-P2).
Expand Details

Amazon RDS


Vendor Data Vendor Patch Exists
Community Data

Vendor Resources

Resource Link
https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix

Sources

Date Attribution Description
2022-01-03 11:01:35 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source.
2021-12-30 21:31:50 CISAGov Updated vendor link https://aws.amazon.com/security/security-bulletins/AWS-2021-006/.
Expand Details

Amazon S3


Vendor Data Vendor Patch Exists
Community Data

Vendor Resources

Resource Link
https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source.
2021-12-30 21:31:50 CISAGov Updated vendor link https://aws.amazon.com/security/security-bulletins/AWS-2021-006/.
Expand Details

Amazon SageMaker


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Completed patching for the Apache Log4j2 issue (CVE-2021-44228). Vulnerable only if customer’s applications use affected versions of Apache Log4j

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon Simple Notification Service (SNS)


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Systems that serve customer traffic are patched against the Log4j2 issue. Working to apply the patch to sub-systems that operate separately from SNS’s systems that serve customer traffic.

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

Amazon Translate


Vendor Data
Community Data Not Vulnerable

Vendor Resources

Resource Link
Amazon Translate https://aws.amazon.com/translate/

Community Resources

Resource Link
Amazon Translate https://aws.amazon.com/translate/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Not vuln ; CVE-2021-45046: Not vuln ; CVE-2021-45105: Not vuln
NCSC-NL “Service not identified on <a href=““https://aws.amazon.com/security/security-bulletins/AWS-2021-006/"" rel=““nofollow”">AWS Log4j Security Bulletin”
CISAGov Service not identified on AWS Log4j Security Bulletin

Sources

Date Attribution Description
2022-01-03 11:01:35 NCSC-NL Updated communityNotVulnerable. Updated community note. Updated community link Amazon Translate. Updated community note.
2021-12-30 21:31:50 CISAGov Updated vendor link Amazon Translate. Updated community note.
Expand Details

Amazon VPC


Vendor Data Vendor Patch Exists
Community Data

Vendor Resources

Resource Link
https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source.
2021-12-30 21:31:50 CISAGov Updated vendor link https://aws.amazon.com/security/security-bulletins/AWS-2021-006/.
Expand Details

Amazon WorkSpaces/AppStream 2.0


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL “Not affected with default configurations. WorkDocs Sync client versions 1.2.895.1 and older within Windows WorkSpaces, which contain the Log4j component, are vulnerable; For update instruction, see source for more info”

Sources

Date Attribution Description
2022-01-03 11:01:35 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community note.
Expand Details

AMD (Multiple Products)


Vendor Data
Community Data Not Vulnerable

Vendor Resources

Resource Link
AMD Advisory Link https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1034

Community Resources

Resource Link
AMD Advisory Link https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1034

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Not vuln ; CVE-2021-45046: Not vuln ; CVE-2021-45105: Not vuln
NCSC-NL Currently, no AMD products have been identified as affected. AMD is continuing its analysis.
CISAGov Currently, no AMD products have been identified as affected. AMD is continuing its analysis.
CISAGov Last Update: 12/22/2021

Sources

Date Attribution Description
2021-12-31 9:06:53 NCSC-NL Updated communityNotVulnerable. Updated community note. Updated community link AMD Advisory Link. Updated community note.
2021-12-30 21:31:50 CISAGov Updated communityNotVulnerable. Updated vendor link AMD Advisory Link. Updated community note. Updated community note.
Expand Details

Apache ActiveMQ Artemis


Vendor Data Vendor Patch Exists
Community Data Not Vulnerable

Vendor Resources

Resource Link
ApacheMQ - Update on CVE-2021-4428 https://activemq.apache.org/news/cve-2021-44228

Community Resources

Resource Link
ApacheMQ - Update on CVE-2021-4428 https://activemq.apache.org/news/cve-2021-44228

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Not vuln ; CVE-2021-45046: Not vuln ; CVE-2021-45105: Not vuln
NCSC-NL “ActiveMQ Artemis does not use Log4j for logging. However, Log4j 1.2.17 is included in the Hawtio-based web console application archive (i.e. <a href=""/cisagov/log4j-affected-db/blob/develop/web/console.war/WEB-INF/lib”">web/console.war/WEB-INF/lib). Although this version of Log4j is not impacted by CVE-2021-44228 future versions of Artemis will be updated so that the Log4j jar is no longer included in the web console application archive. See <a href=““https://issues.apache.org/jira/browse/ARTEMIS-3612"" rel=““nofollow”">ARTEMIS-3612 for more information on that task.”
CISAGov ActiveMQ Artemis does not use Log4j for logging. However, Log4j 1.2.17 is included in the Hawtio-based web console application archive (i.e. web/console.war/WEB-INF/lib). Although this version of Log4j is not impacted by CVE-2021-44228 future versions of Artemis will be updated so that the Log4j jar is no longer included in the web console application archive. See ARTEMIS-3612 for more information on that task.
CISAGov Last Update: 12/21/2021

Sources

Date Attribution Description
2022-01-03 11:01:35 NCSC-NL Updated communityNotVulnerable. Updated community note. Updated community link ApacheMQ - Update on CVE-2021-4428. Updated community note.
2021-12-30 21:31:50 CISAGov Updated communityNotVulnerable. Updated vendorPatchExists. Updated vendor link ApacheMQ - Update on CVE-2021-4428. Updated community note. Updated community note.
Expand Details

Apache Airflow


Vendor Data
Community Data Not Vulnerable

Vendor Resources

Resource Link
Apache Airflow https://github.com/apache/airflow/tree/main/airflow

Community Resources

Resource Link
Apache Airflow https://github.com/apache/airflow/tree/main/airflow

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Not vuln ; CVE-2021-45046: Not vuln ; CVE-2021-45105: Not vuln
NCSC-NL Airflow is written in Python
CISAGov Airflow is written in Python

Sources

Date Attribution Description
2021-12-31 9:06:53 NCSC-NL Updated communityNotVulnerable. Updated community note. Updated community link Apache Airflow. Updated community note.
2021-12-30 21:31:50 CISAGov Updated vendor link Apache Airflow. Updated community note.
Expand Details

Apache Archiva


Vendor Data Vendor Patch Exists
Community Data

Community Resources

Resource Link
source https://blogs.apache.org/security/entry/cve-2021-44228
fix https://lists.apache.org/thread/bmvhs0jxhf4vxcjxyhozm058pchykcqx

Community Notes

Source Note
NCSC-NL CVE-2021-4104: Not vuln ; CVE-2021-44228: Fix
NCSC-NL Fixed in 2.2.6

Sources

Date Attribution Description
2021-12-27 15:29:04 NCSC-NL Updated vendorPatchExists. Updated community note. Updated community link source. Updated community link fix. Updated community note.
Expand Details