Latest log4j2-scan documented here: 2.6.3 (12/26/2021 AM)
Latest Log4j2 versions: 2.17.0 (Java 8), 2.12.3 (Java 7), and 2.3.1 (Java 6)
Minimum log4j2 version that patches RCE vulnerabilities for Java 8 and later: 2.16
Apache Log4j vulnerabilities: https://logging.apache.org/log4j/2.x/security.html
For Windows Computers
- Download the "Windows x64, zip" version of the log4j2 scanner from https://github.com/logpresso/CVE-2021-44228-Scanner
- Open a command prompt as an administrator, change to the directory where you downloaded and extracted the log4j scanner, and run the following command:
...
- Code42/Crashplan - AKA UTBackup - https://support.code42.com/Terms_and_conditions/Code42_customer_support_resources/Code42_response_to_industry_security_incidents
- Matlab - https://www.mathworks.com/matlabcentral/answers/1610640-apache-log4j-vulnerability-cve-2021-44228-how-does-it-affect-matlab
- Oracle SQL Developer - https://support.oracle.com/knowledge/Middleware/2828123_1.html
- Uninstall the vulnerable version (delete any files that remain), then download and install version 21.4.1 or later from https://www.oracle.com/tools/downloads/sqldev-downloads.html
- This is not patched against the most recent vulnerability. It only updates to log4j2 version 2.16, which protects against the RCEs but not the DoS; the vendor is still waiting to update to version 2.17
- Salesforce (Mulesoft, Anypoint, Dataloader) - https://help.salesforce.com/s/articleView?id=000363736&type=1
- SAS - https://go.documentation.sas.com/doc/en/log4j/1.0/p1gaeukqxgohkin1uho5gh7v5s7p.htm#n1ohrpi7cm0dyfn1gpwngp0ryq41
- Change the file extensions on any 'org/apache/logging/log4j/core/lookup/log4j*.jar' files from .jar to .zip; open each .zip file and delete the JndiLookup.class files inside it; then change the .zip extension back to .jar
- SPSS - https://www.ibm.com/support/pages/node/6525830
- The steps on this page do not yet patch against the most recent vulnerability. They only update to log4j2 version 2.16, which protects against the RCEs but not the DoS; the vendor is still waiting to update to 2.17
- Tableau - https://kb.tableau.com/articles/issue/apache-log4j2-vulnerability-log4shell-tableau-desktop-mitigation-steps
- If you DO NOT use UT Tableau servers you can update Tableau Desktop to version 2021.4.2: https://www.tableau.com/support/releases/desktop/2021.4.2
- If you DO use UT Tableau servers you should update only to version 2020.4.13 and disable further updates: https://www.tableau.com/support/releases/desktop/2020.4.1
...
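The SAS step above (deleting JndiLookup.class from a log4j jar) can be scripted rather than done by renaming files by hand. The following is an added example, not part of the original page or any vendor's tooling; the function names and the `.bak` backup suffix are assumptions, and the class path is the standard location inside log4j-core jars.

```python
import os
import shutil
import tempfile
import zipfile

# Location of the class inside log4j-core jars (standard Log4j 2 package layout).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_path):
    """Return True if the jar still contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()


def strip_jndi_lookup(jar_path, keep_backup=True):
    """Rewrite jar_path without JndiLookup.class.

    Returns the number of entries removed; 0 means the jar was left untouched.
    """
    with zipfile.ZipFile(jar_path) as src:
        entries = src.infolist()
        hits = [e for e in entries if e.filename == JNDI_CLASS]
        if not hits:
            return 0
        # Build the cleaned copy beside the original so the final swap is a rename.
        fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
        os.close(fd)
        try:
            with zipfile.ZipFile(tmp_path, "w") as dst:
                for entry in entries:
                    if entry.filename != JNDI_CLASS:
                        # Passing the ZipInfo keeps name, timestamp and compression type.
                        dst.writestr(entry, src.read(entry))
        except Exception:
            os.remove(tmp_path)
            raise
    if keep_backup:
        shutil.copy2(jar_path, jar_path + ".bak")  # assumed backup naming
    os.replace(tmp_path, jar_path)
    return len(hits)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, "removed" if strip_jndi_lookup(path) else "not present")
```

Stop the application that has the jar loaded before running this, and run the scanner again afterwards to confirm the result.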