On December 9, 2021, the following vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions prior to 2.15.0 was disclosed:
CVE-2021-44228 – Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
On December 14, 2021, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. A new CVE record has been created: CVE-2021-45046. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
On Dec. 15, 2021, two additional vulnerabilities has also been issued regarding this breach:
- CVE-2021-45046 has been identified in log4j v2.15.0 leaving it susceptible to attacks in certain configurations. Log4j version 2.16.0 addresses this vulnerability.
- CVE-2021-4104, which identified that in specific, non-default configurations, a similar vulnerability can be triggered in Log4j v1.2.
On December 18, 2021, Apache has released log4j 2.17.0 to address the new vulnerability CVE-2021-45105 . The vulnerability is the result of an infinite recursion resulting in denial of service and the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0 excluding 2.12.3.
If you have any question, feel free to open a support request at our European Service Desk.
The Log4j library is embedded in almost every Internet service or application we are familiar with, including Twitter, Amazon, Microsoft, Minecraft and more.
Since December 10, 2021, we witnessed what looks like an evolutionary repression, with new variations of the original exploit being introduced rapidly- over 60 in less than 24 hours.
For example, it can be exploited either over HTTP or HTTPS (the encrypted version of browsing). The number of combinations of how to exploit it give the attacker many alternatives to bypass newly introduced protections. It means that one layer of protection is not enough and only multi layered security posture would provide a resilient protection.
As your security partner, we strongly recommend you:
- Assess all your systems using this library no matter these are reachable from internet, or have access to internet, or both, or none.
- Update Log4j library to version 2.17.0.
As this breach is not related to vendor but to a software, all vendors using this piece of software are releasing security advisory to guide you through the mitigation process.
If you have any question, feel free to reach our European Service Desk through our ticketing system.
Please find below a summary of the main vendors we have in out portfolio.
They are communicating through:
- A Cisco Security Advisory which is updated three times a day (1500 UTC, 1900 UTC, 2300 UTC).
- A Cisco Talos Blog entry where you may find more detailed stuff like mitigation, threats updates, mitigation with their products, etc…
As you may see above, all relevant products get update on their security policies to protect you from this breach. For example, Cisco released a rule in their IPS: Talos Rules 2021-12-13, Talos Rules 2021-12-17
Cisco is investigating its product line to determine which products may be affected by this vulnerability. As the investigation progresses, Cisco will update its Security Advisory with information about affected products. Fix for CVE-2021-44228 also address the CVE-2021-45046 unless otherwise noted in the advisory. Cisco is reviewing CVE-2021-45105 to determine what impact it may have on Cisco products and cloud offerings and will provide upgrades for affected products.
Any product not listed in the Products Under Investigation or Vulnerable Products section of this advisory is to be considered not vulnerable. Because this is an ongoing investigation, be aware that products that are currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available. Hence, it is recommended to review this advisory on a regular basis.
They are communicating through:
- Fortinet Outbreak Alert where you can find all relevant information about this breach but also the coverage of Fortinet products.
- Fortinet Threat Signal Report where you will find an analysis of the breach.
All relevant security products at Fortinet includes a way to block this attack. More information may be found in their Outbreak Alert.
Fortinet issued an PSIRT advisory including the list of products impacted and not impacted. As we write this notice, the following products are impacted and fixes are being worked on (the advisory is continuously updated hence, please refer to it):
- FortiAIOps – Fixed in version 1.0.2
- FortiCASB – Fixed on 2021-12-10
- FortiConverter Portal – Fixed on 2021-12-10
- FortiCWP – Fixed on 2021-12-10
- FortiEDR Cloud – Not exploitable. Additional precautionary mitigations put in place on 2021-12-10
- FortiInsight – Not exploitable. Additional precautionary mitigations being investigated.
- FortiIsolator – Fix scheduled for version 2.3.4
- FortiMonitor – Mitigations for NCM & Elastiflow available
- FortiPortal – Fixed in 6.0.8 and 5.3.8
- FortiSIEM – Mitigation available
- ShieldX – Fix scheduled for versions 2.1 and 3.0 – ETA 2021/12/17
JDM Software – Peterconnects
JDM Software communicated on their support page that “the product portfolio of PeterConnects, both Classic as well as Cloud products, do not make use of Apache log4J. As such they are not vulnerable to the zero-day exploit.”
Imagicle does not use log4j hence, there is not impact on their products.