The critical vulnerability disclosed last week in Java logging package log4j sent shockwaves throughout the industry given how frequently that open-source library is used to develop enterprise software.
Vulnerable code can be found in products from some of the most prominent technology vendors like Cisco, IBM and VMware, as well as ones serving the MSP community like ConnectWise and N-able.
“Normally a vulnerability is reported privately to the software maintainers, who then have time to repair the issue and release an update, so attackers don’t gain a temporary advantage,” VMware wrote in a frequently asked questions (FAQ) document posted to its website. “With a zero-day disclosure like this one, attackers have an advantage while software maintainers scramble to develop the fix.”
Vendors with susceptible versions of log4j code have been hard at work since Friday developing workarounds, patches and updated versions of their products that eliminate the risk of exploitation. However, some of the impacted products won’t be fixed until early 2022, while resolution dates haven’t yet been announced for other vulnerable products.
Amazon Web Services
Amazon Web Services said it is addressing the log4j vulnerability for any services that either use the open-source code or provide it to customers as part of their service. The Seattle, Wash.-based cloud computing giant said it encourages customers who manage environments containing log4j to update to the latest version.
Updates for AWS Greengrass versions 1.10 and 1.11 are expected to be available Friday, and customers are directed in the meantime to verify that their custom lambda code does not use arbitrary stream names and file names outside the customer’s control. API Gateway is being updated to a version of log4j that mitigates the issue, and customers may observe periodic latency during those updates.
AWS EMR clusters launched with EMR 5 and EMR 6 releases include open-source frameworks such as Apache Hive, Flink, HUDI, Presto, and Trino, which use vulnerable versions of Apache log4j. The company said it is actively working on building an update that mitigates the issue when open-source frameworks installed on a customer’s EMR cluster process information from untrusted sources.
Broadcom determined as of Monday that some or all versions of its CA Advanced Authentication, Symantec SiteMinder unified access management and VIP Authentication Hub products are affected by the log4j vulnerability. The San Jose, Calif.-based company also said its Symantec Endpoint Protection Manager offering may be affected even though no impact has yet been demonstrated.
SiteMinder customers are urged to either configure the offering to continue using the existing log4j versions in a secure manner or upgrade the existing log4j version in their environment to log4j 2.15.0. Upgrading to 2.15.0 will help reduce the likelihood of vulnerability scanning tools continuing to identify the older log4j instances.
The vulnerable feature in the remaining Broadcom or Symantec products can be disabled by setting the system environment variable “LOG4J_FORMAT_MSG_NO_LOOKUPS” to “true” and restarting the impacted components or services, according to Broadcom.
Thirty-five Cisco tools across the following product areas are impacted by the log4j flaw: collaboration and social media; network and content security devices; network management and provisioning; routing and switching; unified computing; voice and unified communications; and video. Voice and unified communications and network management and provisioning had the most products impacted.
A fix is expected Tuesday for Cisco Webex Meetings Server; Thursday for Cisco Video Surveillance Operations Manager; Friday for Cisco Network Services Orchestrator (NSO); and Jan. 2 for Cisco Nexus Dashboard. For the other 31 products affected by the log4j vulnerability, Cisco said it is continuing to evaluate the fix and will update its advisory as additional information becomes available.
As for Cisco’s cloud offerings, the San Jose, Calif.-based company said five of its tools are still impacted, while seven others were susceptible to the vulnerability but a fix has been put in place.
The on-premises Global Search capability for the ConnectWise Manage professional services automation (PSA) platform has a third-party component that is affected by the log4j vulnerability. Affected users were provided with instructions to terminate Global Search until ConnectWise has remediated the situation. Tampa, Fla.-based ConnectWise said it is still working on this item.
Although no exploitation was observed, ConnectWise said it suspended purchase capabilities of its Marketplace and the global search capability of Manage Cloud while the company validates there is no vendor exposure. The company’s cloud SIEM service Perch had third-party components that were potentially vulnerable to the log4j vulnerability, but the situation was remediated immediately.
ConnectWise learned Saturday that Fortinet’s FortiSIEM product, which is leveraged by ConnectWise’s StratoZen SOAR platform, is vulnerable to the zero-day log4j exploit and therefore a potential target. The company temporarily restricted all network access to its hosted StratoZen servers over the weekend, but has now restored most of the FortiSIEM services, according to ConnectWise.
Twelve Fortinet products are affected by the log4j vulnerability, meaning that attackers who control log messages or log message parameters can execute arbitrary code. Fixes were made Friday for three of the susceptible products: FortiCASB, FortiConverter Portal, and FortiCWP. Meanwhile, Fortinet said FortiEDR Cloud is no longer exploitable given the precautionary measures put in place Friday.
The Sunnyvale, Calif.-based platform security vendor said a fix is scheduled for version 2.3.4 of the FortiIsolator remote browser isolation product. No remediation information has been provided for the other seven impacted tools: FortiAIOps, FortiInsight, FortiMonitor, FortiPortal, FortiPolicy, FortiSIEM, and ShieldX.
The HCL Connections enterprise collaboration platform contains log4j and is subject to remote code execution under certain circumstances, although the company’s analysis shows low chances of exploitability. Similarly, the Noida, India-based company said an attacker who can control log messages or log message parameters in the HCL Commerce software platform can execute arbitrary code.
HCL Connections customers are urged to upgrade and apply a new piece of software, while HCL Commerce customers are urged to customize both their search-ingest-app and search-nifi-app Docker images to set the system property.
The Apache log4j open-source library with the vulnerability has been used by both IBM Watson Explorer as well as the WebSphere Application Server, with the WebSphere Application Server Admin Console and the UDDI Registry Application directly impacted. Certain versions of seven different products in the IBM Watson Explorer cognitive exploration family were susceptible to the vulnerability.
IBM Watson Explorer customers are directed to upgrade to Version 220.127.116.11 or Version 18.104.22.168 depending on the product. If IBM Watson Explorer Content Analytics Studio was upgraded after the customer updated IBM Java Runtime, the customer’s changes are lost and they must repeat the steps.
WebSphere Application Server customers are directed by IBM to apply the interim fix as soon as possible.
N-able’s risk intelligence offering is running a vulnerable version of Apache log4j, and the Wakefield, Mass.-based company said it is actively working on a patch and will update once it has more information. The company said it has evaluated risk within its remote monitoring and management (RMM) tool and deployed patches for any potentially vulnerable components.
The company initially believed that its N-central remote monitoring and management platform might have utilized a vulnerable version of Apache log4j. But after further investigation, N-able said it determined that N-central was not vulnerable to the log4j exploit since the product only utilizes the log4j-api component, and not the log4j-core component.
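The distinctions the vendors above draw (log4j-api alone versus log4j-core, the 2.15.0 upgrade target, and the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable workaround) can be turned into a small triage routine. The script below is an added example, not code from any vendor named in the article; the jars it inspects are constructed inline, and the JndiLookup class path and the 2.10 minimum for the environment-variable workaround are taken from the public log4j advisory rather than from this article.

```python
import io
import re
import zipfile

# Class that implements the JNDI lookup in log4j-core (from the public log4j advisory).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)          # upgrade target cited by Broadcom in the article
ENV_WORKAROUND_MIN = (2, 10, 0)     # formatMsgNoLookups is only honoured from 2.10 onward
JAR_NAME_RE = re.compile(r"^log4j-(core|api)-(\d+)\.(\d+)\.(\d+)\.jar$")

def build_sample_jar(artifact, version, include_jndi=True):
    """Constructed sample jar (not a real log4j build): a manifest plus, for
    log4j-core, the JndiLookup class entry that a real core jar would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if artifact == "core" and include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return f"log4j-{artifact}-{version}.jar", buf.getvalue()

def parse_jar_name(name):
    """Return (artifact, version tuple) for a log4j jar name, else None."""
    m = JAR_NAME_RE.match(name)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))

def assess_jar(name, data):
    """Classify a jar the way the article's vendors did: api-only is not
    affected (N-central), core >= 2.15.0 is fixed, older core is vulnerable
    unless the JndiLookup class has been removed from the archive."""
    parsed = parse_jar_name(name)
    if parsed is None:
        return "not-log4j"
    artifact, version = parsed
    if artifact == "api":
        return "api-only"
    if version >= FIXED_VERSION:
        return "fixed"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    return "vulnerable" if has_jndi else "jndi-class-removed"

def env_workaround_effective(env, version):
    """True only if LOG4J_FORMAT_MSG_NO_LOOKUPS=true (Broadcom's workaround)
    is set AND the running log4j-core version is new enough to honour it."""
    flag = env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().lower() == "true"
    return flag and version >= ENV_WORKAROUND_MIN
```

Run `assess_jar` over every `log4j-*.jar` found under an application's lib directory; a "vulnerable" result with no effective workaround is the case the vendors above are patching.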
Certain versions of Okta’s RADIUS Server Agent and On-Prem MFA Agent are susceptible to the log4j vulnerability, meaning that an attacker with control over log messages or log message parameters could execute arbitrary code. Customers are urged to upgrade to Okta RADIUS Server Agent version 2.17.0 or Okta On-Prem MFA Agent version 1.4.6, where the vulnerability has been fixed.
“As soon as Okta learned of this vulnerability, we promptly evaluated all cloud-hosted systems and customer premise agents to determine what might be impacted and methodically set about remediating any exposure,” Okta Chief Security Officer David Bradbury wrote in a blog post Saturday.
The critical log4j vulnerability may allow for remote code execution in nearly 40 affected VMware products, and the Palo Alto, Calif.-based company said that exploitation attempts in the wild have been confirmed. A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system, according to the company.
Many of the affected products are in the Tanzu, vRealize, Spring Cloud or Carbon Black families. VMware has rolled out a workaround for most of the products where log4j has been detected, while a patch is available for roughly a third of the impacted products.
“Like other software vendors who use log4j in their products, VMware found out about this in a zero-day scenario and is now working nonstop to help protect customers and test updates,” VMware wrote in a FAQ.