Beyond Security by Fortra is aware of a recently disclosed security issue related to the open-source Apache “Log4j2” utility (CVE-2021-44228).
Log4j is a logging framework widely used in Java software. The flaw is that the JNDI (Java Naming and Directory Interface) features Log4j uses in configuration, log messages and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. A remote attacker who can control log messages or log message parameters (for example by placing a string such as a `${jndi:ldap://...}` lookup in a field that gets logged) can cause the application to load and execute arbitrary code from an attacker-controlled server, in any application using an affected Log4j version when message lookup substitution is enabled, which it is by default in those versions.
The flaw affects all versions of Log4j from 2.0-beta9 to 2.14.1; the fix shipped in Log4j 2.15.0.
This flaw is actively being exploited.
We strongly encourage customers who manage environments containing Log4j2 to update to the latest version released by the Apache Foundation, which addresses the issue and is available at https://logging.apache.org/log4j/2.x/download.html, or to update via their operating system's software update mechanism.
If updating the software is not an option, the Foundation has also shared mitigation measures for Log4j versions 2.10 and later to protect against remote code execution via the vulnerability: set the system property `log4j2.formatMsgNoLookups=true` or the environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS=true`. Note that this setting was later shown to be incomplete in certain non-default configurations (CVE-2021-45046), and the Foundation's recommended mitigation for any version that cannot be upgraded became removing the JndiLookup class from the classpath, which is also the only option for versions older than 2.10.
Beyond Security uses Log4j in the beSECURE LSS scanners and beSECURE II scanner and management bundle.
Java is used by beSECURE LSS scanners to schedule and run scans and to send results back to the local or cloud management server.
An attacker would need access to the local or cloud LSS to inject the required payload.
Currently, Beyond Security is not aware of a means for a remote attacker to access the necessary resources to initiate an attack.
Affected cloud versions of the LSS have been patched.
Beyond Security has released a new LSS base image that does not include the vulnerable JNDI lookup class (JndiLookup). New deployments of LSS and beSECURE II will not contain this class.
Beyond Security is working on an update that will remove the JNDI lookup class from existing LSS scanners as an additional precaution, even though, as noted above, there is no known means for a remote attacker to reach the vulnerable code.
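The following is an added example, not Beyond Security's code, showing the two checks a practitioner would want when applying the class-removal mitigation described above: find every Log4j 2 jar under a directory that still contains `JndiLookup.class`, report the log4j-core version from the jar's `pom.properties`, and rewrite the jar without that class. It does in Python what the Apache project's documented one-liner does (`zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`). The jar it scans is a constructed fixture built in a temporary directory so the script runs offline; the path `lib/log4j-core-2.14.1.jar` is an assumption for the demo, not a real artifact.

```python
"""Find and strip JndiLookup.class from Log4j 2 jars (added example, not
Beyond Security's or Apache's code)."""
import os
import re
import shutil
import tempfile
import zipfile

# Class added by the ${jndi:...} lookup; its removal is Apache's documented
# mitigation for versions that cannot be upgraded.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that real log4j-core jars carry; used to report the version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")


def log4j_version(zf):
    """Return the log4j-core version recorded in pom.properties, or None."""
    try:
        data = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(.+)$", data, re.M)
    return m.group(1).strip() if m else None


def scan_jar(path):
    """Return (version, has_jndi_lookup) for a single archive."""
    with zipfile.ZipFile(path) as zf:
        return log4j_version(zf), JNDI_LOOKUP in set(zf.namelist())


def scan_tree(root):
    """Walk root and return [(path, version)] for archives that still ship
    JndiLookup.class. Archives nested inside a WAR/EAR are not descended."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(ARCHIVES):
                continue
            path = os.path.join(dirpath, name)
            try:
                version, vulnerable = scan_jar(path)
            except zipfile.BadZipFile:
                continue  # not a valid zip; skip rather than crash the sweep
            if vulnerable:
                findings.append((path, version))
    return findings


def strip_jndi_lookup(path):
    """Rewrite the archive without JndiLookup.class, keeping every other
    entry and its compression settings. Returns True if the class was removed."""
    tmp = path + ".tmp"
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    if removed:
        os.replace(tmp, path)  # atomic swap on the same filesystem
    else:
        os.remove(tmp)
    return removed


def make_sample_jar(path, version="2.14.1", with_jndi=True):
    """Constructed fixture: a fake log4j-core jar with the real entry names
    but dummy class bytes (this is NOT a real Log4j artifact)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n"
                               f"version={version}\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class",
                    b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Build the fixture, scan, strip, rescan; returns (before, after) where
    each is a list of (version, stripped_path_tail) for easy checking."""
    root = tempfile.mkdtemp()
    try:
        jar = os.path.join(root, "lib", "log4j-core-2.14.1.jar")  # assumed path
        os.makedirs(os.path.dirname(jar))
        make_sample_jar(jar)
        before = [(v, os.path.relpath(p, root)) for p, v in scan_tree(root)]
        strip_jndi_lookup(jar)
        after = [(v, os.path.relpath(p, root)) for p, v in scan_tree(root)]
        still_has_other_classes = scan_jar(jar)[0] == "2.14.1"
        return before, after, still_has_other_classes
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Run this against a real tree by calling `scan_tree("/opt/app")` and then `strip_jndi_lookup()` on each reported path, after taking a backup and with the JVM stopped, since a jar open on the classpath must not be rewritten under a running process. After the class is removed, `${jndi:...}` patterns in logged data no longer resolve, but the upgrade path remains the correct fix.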
The beSECURE UI is not affected. Beyond Security provided a preliminary scanner check for this vulnerability on December 14, 2021 in LSS scanner build 1145.
Security Advisory – Log4j
The beSTORM product is not written in Java and does not use the Log4j utility and is not affected by this flaw.
The beSOURCE Developer edition does not use the log4j utility.
The beSOURCE Enterprise edition uses log4j 1.2.x, which does not contain the JNDI lookup affected by CVE-2021-44228 and is therefore not directly affected by the current flaw. Note that Log4j 1.x is end-of-life and receives no security fixes; its JMSAppender has a separate JNDI-related issue (CVE-2021-4104) that is only reachable when an attacker can modify the logging configuration.
If you have any questions about this flaw or need assistance updating your LSS, please contact Beyond Security Support.