Apache Log4j2 Security Advisory

By Fortra's Digital Defense


Digital Defense by Fortra's Vulnerability Research Team (VRT) is aware of a recently disclosed security issue related to the open-source Apache “Log4j2” utility (CVE-2021-44228).   

Log4j is a logging framework found in Java software. The flaw stems from Java Naming and Directory Interface (JNDI) features used in configuration, log messages and parameters, which fail to protect against attacker-controlled LDAP servers and other endpoints. A remote attacker who can control log messages or log message parameters can run arbitrary code loaded from LDAP servers on any application that uses Log4j when message lookup is enabled.

The flaw affects all versions of Log4j from 2.0-beta9 to 2.14.1. 

This flaw is actively being exploited. 

We strongly encourage customers who manage environments containing Log4j2 to update to the latest version released by the Apache Foundation, which addresses the issue and is available at: https://logging.apache.org/log4j/2.x/download.html.

If updating the software is not an option, the Foundation has also shared mitigation measures for Log4j versions 2.10 and later to protect against remote code execution via the vulnerability.
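To apply the version ranges above during triage, the following Python sketch inventories `log4j-core` JARs under a directory and sorts them into the advisory's buckets. It is an added example, not Fortra's or Apache's code; it assumes JARs keep the standard `log4j-core-<version>.jar` file name and looks only one level inside `.jar`/`.war`/`.ear` archives.

```python
import os, re, zipfile

# Bounds taken from the advisory: affected 2.0-beta9 through 2.14.1;
# the published mitigations apply to 2.10 and later.
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$")
STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # pre-releases sort before the release
LOW, HIGH, MITIGABLE = (2, 0, 0, 1, 9), (2, 14, 1, 3, 0), (2, 10, 0, 3, 0)

def version_key(name):
    """Return a sortable tuple for a log4j-core JAR name, or None if it is not one."""
    m = JAR_RE.search(name)
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGE[stage], int(num or 0))

def classify(name):
    """Map a JAR name to an advisory bucket (assumed file-name convention)."""
    key = version_key(name)
    if key is None:
        return None
    if not (LOW <= key <= HIGH):
        return "outside advisory range"
    return "affected: update or mitigate" if key >= MITIGABLE else "affected: update required"

def scan(root):
    """Walk root; report log4j-core JARs on disk and one level inside archives."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if classify(f):
                findings.append((path, classify(f)))
            elif f.endswith((".jar", ".war", ".ear")):
                try:
                    with zipfile.ZipFile(path) as z:
                        inner = [n for n in z.namelist() if classify(n)]
                except (zipfile.BadZipFile, OSError):
                    continue  # unreadable archive: skip rather than abort the sweep
                findings += [(f"{path}!{n}", classify(n)) for n in inner]
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for location, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:30} {location}")
```

The check matches on file name and the advisory's stated range only, so renamed or shaded copies of the library are missed; treat the output as a starting inventory alongside a full vulnerability assessment.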

Fortra Vulnerability Management does not use Java in our UI or any of our scanning technologies. Fortra VM uses the log routing software “logstash”, which is vulnerable and could cause an information disclosure. Logstash is installed on a system that does not have access to customer data and is not directly connected to the Internet. The Fortra VM cloud-based platform version 6.4.2.4 resolves this vulnerability in our implementation of logstash.

We also use Kibana and Elasticsearch, which use Java; however, these services are not accessible from and cannot reach the internet. These services are maintained by AWS.

AWS has published the following information regarding patching of this utility for AWS instances. 

Digital Defense VRT provided a preliminary scanner check on December 13, 2021 in scanner release 3.0.89.2.

Customers are encouraged to run a full vulnerability assessment, which includes the check Apache Log4j Remote Code Execution (147182). VRT is closely monitoring the flaw and will update the check to include specific vulnerable software as information is released. 

Should you have questions regarding this advisory or require assistance running an assessment for this flaw, Fortra VM subscribers can contact your Client Advocate or Personal Security Analyst. 

  

--Digital Defense VRT 

 
