Security Advisory Description
Apache Log4j is a Java-based logging utility and is part of the Apache Logging Services project of the Apache Software Foundation. On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache Log4j 2 was identified as being exploited in the wild (CVE-2021-44228). By submitting a specially crafted request to a vulnerable system, and depending on how that system is configured, an attacker can instruct it to download and subsequently execute a malicious payload.
Update:
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
(Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046)
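The non-default configuration the update above describes is a PatternLayout that contains a Context Lookup or a Thread Context Map conversion pattern. The following script is an added example, not code from the advisory or from Cyberm8 or the Log4j project: it parses a Log4j 2 XML configuration and reports every PatternLayout whose pattern uses one of those constructs, which is the check an administrator would run when deciding whether the CVE-2021-45046 condition applies to a given deployment. The sample configuration embedded in it is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Log4j 2 configuration (not from the advisory or from
# Cyberm8): the PatternLayout uses both a Context Lookup ($${ctx:...}) and a
# Thread Context Map pattern (%X{...}), the non-default settings that
# CVE-2021-45046 depends on.
RISKY_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level $${ctx:loginId} %X{sessionId} %logger - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""

# The same configuration with the context patterns removed, i.e. a layout that
# only formats fields the application itself controls.
SAFE_CONFIG = RISKY_CONFIG.replace("$${ctx:loginId} %X{sessionId} ", "")

# Conversion patterns named in the CVE-2021-45046 description:
#   ${ctx:...} / $${ctx:...}  -> Context Lookup
#   %X, %mdc, %MDC (optionally with {key})  -> Thread Context Map pattern
CONTEXT_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")
THREAD_CONTEXT_MAP = re.compile(r"%(?:X|mdc|MDC)\b(?:\{[^}]*\})?")


def find_context_patterns(config_xml: str) -> list:
    """Return one finding per PatternLayout whose pattern contains a Context
    Lookup or a Thread Context Map conversion pattern.

    Each finding is {"pattern": <full pattern string>, "matches": [<hits>]}.
    The pattern may be given as the `pattern` attribute or as a nested
    <Pattern> element; both forms are checked.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for layout in root.iter("PatternLayout"):
        pattern = layout.get("pattern") or (layout.findtext("Pattern") or "")
        hits = CONTEXT_LOOKUP.findall(pattern) + THREAD_CONTEXT_MAP.findall(pattern)
        if hits:
            findings.append({"pattern": pattern, "matches": hits})
    return findings


def is_context_pattern_free(config_xml: str) -> bool:
    """True when no PatternLayout in the configuration uses context patterns."""
    return not find_context_patterns(config_xml)


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("safe", SAFE_CONFIG)):
        findings = find_context_patterns(cfg)
        print(f"{name}: {'no context patterns' if not findings else findings}")
```

A clean result from this check does not by itself make a host safe; it only shows that the extra condition for CVE-2021-45046 is absent. The version-based guidance in the table below still applies, and upgrading to a fixed build remains the primary action.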
Impact on Cyberm8-AP
Our research team has verified that the following Cyberm8-AP versions include the vulnerable version of Log4j:
| Cyberm8-AP Version | Vulnerability | Severity | Recommendation |
|---|---|---|---|
| Versions earlier than v3.0.0 Build 570 | Not Vulnerable | N/A | |
| v3.0.0 Build 570 to v3.0.0 Build 577 | Vulnerable to CVE-2021-44228, CVE-2021-45046 | Critical | Follow "Recommended Actions" |
| v3.0.0 Build 581 | Vulnerable to CVE-2021-45046 | Low | Follow "Recommended Actions" |
| v3.0.0 Build 605 | Not Vulnerable | N/A | |
* Though versions v3.0.0 Build 570 to Build 581 are vulnerable, exploiting the vulnerability requires a specific non-default configuration on the device, and the attacker must be an authenticated user or an approved source of Syslog/Mail notifications.
How to Verify
Using the WebUI:
1. Log in to the Cyberm8-AP WebUI as an administrator.
2. Verify the version and build number at the bottom of the left (main) menu.
Using the Shell:
1. Log in to the Cyberm8-AP shell.
2. Run the command ‘csh version’ to verify the version and build numbers.
Recommended Actions
- Upgrade Cyberm8-AP to the latest version that is not vulnerable (3.0.0 Build 605).
- Maintain, on your network firewalls, an updated access list of the sources authorized to send syslog/mail triggers to Cyberm8-AP.
- Maintain, on your network firewalls, an updated access list of the outbound communication allowed from Cyberm8-AP to its intended targets.
- Prevent unauthorized network access to the Cyberm8-AP management interface.