KB44933 - CVE-2021-44228 - Java logging library (log4j)

A vulnerability has been reported today (10th of December, 2021) in Java logging library (log4j) in versions from 2.0.0 up to version 2.14.1.

***UPDATE DECEMBER 14TH 2021 - 11PM GMT***

On the 14th of December 2021, it was determined that the patch provided by the Apache Foundation for CVE-2021-44228 was not completely effective. CVE-2021-45046 was assigned to address the new denial of service vulnerability that affects log4j version 2.15. 

Ivanti has evaluated CVEs: CVE-2021-4104 and CVE-2021-45105 as well and has determined that there are no additional impacts to our Pulse products. 
************************
More details can be found in the links below,

https://access.redhat.com/security/cve/cve-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://nvd.nist.gov/vuln/detail/CVE-2021-4104

 

Please find the complete Ivanti Pulse Secure investigation summary below for reference:
 

Product	Impact
Pulse Secure Virtual Traffic Manager	Not Affected
Pulse Secure Services Director	Not Affected
Pulse Secure Web Application Firewall	Not Affected
Pulse Connect Secure	Not Affected
Ivanti Connect Secure (ICS)	Not Affected
Pulse Policy Secure	Not Affected
Pulse Desktop Client	Not Affected
Pulse Mobile Client	Not Affected
Pulse One	Not Affected
Pulse ZTA	Not Affected
Ivanti Neurons for ZTA	Not Affected
Ivanti Neurons for secure Access	Not Affected

Note: Log4j 2.x is not used in any of our products.