
Symantec VIP Security Advisory for Log4j2 Vulnerabilities


Article ID: 230287


Products

VIP Service

Issue/Introduction

Log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1

CVE-2021-44228 Description: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints. All versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.14.1 are affected.

CVE-2021-45046 Description: The Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern are vulnerable to a denial of service attack. All versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 are affected.

CVE-2021-44832 Description: An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. 

CVE-2021-4104 Description: We have researched this vulnerability and Symantec VIP is not vulnerable to this.

Cause

Log4j files in older builds may cause security scans to flag the VIP Enterprise Gateway as risky. 
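Scanners flag a build by the log4j-core version they find on disk, so the first thing to check is which versions are actually present and whether they fall inside the ranges listed above. The following script is an added example, not Symantec or Broadcom code: it walks a directory for log4j-core jars, reads the version from the standard Maven `pom.properties` entry inside each jar, and classifies it against the inclusive version ranges this advisory gives for CVE-2021-44228 and CVE-2021-45046 (CVE-2021-44832 is not classified because the advisory states no version range for it). The sample jars it builds in a temporary directory are constructed for the demonstration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Inclusive affected ranges exactly as stated in the advisory text.
AFFECTED = {
    "CVE-2021-44228": [("2.0-beta9", "2.12.1"), ("2.13.0", "2.14.1")],
    "CVE-2021-45046": [("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")],
}

# Standard Maven metadata path inside a log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(v):
    """Turn '2.0-beta9' / '2.14.1' into a comparable tuple.

    A pre-release (beta/rc) sorts below the release it precedes, so
    2.0-beta9 < 2.0 < 2.0.1.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d*))?", v.strip().lower())
    if not m:
        raise ValueError(f"unrecognised log4j version: {v!r}")
    major, minor, patch, pre, pre_num = m.groups()
    is_release = 0 if pre else 1
    return (int(major), int(minor), int(patch or 0), is_release, int(pre_num or 0))


def in_range(version, low, high):
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def classify(version):
    """Return the CVE ids from the advisory whose ranges contain `version`."""
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(in_range(version, low, high) for low, high in ranges)
    )


def jar_version(path):
    """Read the version recorded in a log4j-core jar's pom.properties, or None."""
    with zipfile.ZipFile(path) as z:
        if POM_PROPS not in z.namelist():
            return None
        for line in z.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def scan(root):
    """Map each log4j-core jar under `root` to (version, [affected CVEs])."""
    root = Path(root)
    findings = {}
    for jar in root.rglob("*.jar"):
        if not zipfile.is_zipfile(jar):
            continue
        version = jar_version(jar)
        if version is None:  # not a log4j-core jar
            continue
        findings[jar.relative_to(root).as_posix()] = (version, classify(version))
    return findings


def make_sample_jar(path, version):
    """Constructed sample: a minimal jar carrying only the Maven metadata."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(POM_PROPS, f"version={version}\n"
                              "groupId=org.apache.logging.log4j\n"
                              "artifactId=log4j-core\n")


def demo():
    """Build three constructed jars in a temp dir and scan them."""
    tmp = Path(tempfile.mkdtemp())
    make_sample_jar(tmp / "old" / "log4j-core-2.14.1.jar", "2.14.1")
    make_sample_jar(tmp / "mid" / "log4j-core-2.15.0.jar", "2.15.0")
    make_sample_jar(tmp / "new" / "log4j-core-2.17.1.jar", "2.17.1")
    return scan(tmp)


if __name__ == "__main__":
    for jar, (version, cves) in demo().items():
        print(f"{jar}: log4j-core {version} -> {cves or 'not in an advisory range'}")
```

Run it against an installation root instead of the temp directory to get the same report for real jars; a jar that reports 2.17.1, the version the 9.9.2 release notes cite, lands in none of the advisory's ranges, while a 2.14.x jar is flagged for both CVEs even when, as the advisory explains for Gateway 9.9.1, the exploitable layouts and appenders are not used.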

Resolution

As part of the broader Broadcom Software advisory, the Symantec VIP team has investigated these vulnerabilities and determined that: 

  • VIP Cloud Applications: Cloud apps are based on OpenJDK 11 and do not use the JNDI functionality where the vulnerabilities are exposed. Therefore, there is no vulnerability risk.
  • VIP Enterprise Gateway 9.10 and later: No Log4j vulnerabilities. Note: If log4j vulnerabilities are detected, see: Hotfix for Apache Log4j 1.X Detection on Symantec VIP Enterprise Gateway 9.9.2
  • VIP Enterprise Gateway 9.9.2: No Log4j vulnerabilities. Note: If log4j vulnerabilities are detected, see: Hotfix for Apache Log4j 1.X Detection on Symantec VIP Enterprise Gateway 9.9.2
  • VIP Enterprise Gateway 9.9.1: Log4j 2.14.x is integrated using custom patternLayout, serializers and formatters provided by log4j2. The default layouts where the JNDI and JDBC appenders can be exploited are not used. Therefore, there is no vulnerability risk.
  • VIP Enterprise Gateway 9.9.0 and earlier: Log4j 1.x is integrated without the use of the JMS Appender class. Per Apache, this Log4j version is not impacted. Therefore, there is no vulnerability risk.  
  • VIP add-ons and integrations: Log4j is not integrated into any integration or add-ons, including the VIP SDK, VIP Access app, and VIP ADFS plugin. Therefore, there is no vulnerability risk. 

The latest version of VIP Enterprise Gateway is available to download from VIP Manager and through LiveUpdate from the VIP EG console. Version 9.9.2 and newer include updates to the log4j library to version 2.17.1 (See the VIP Enterprise Gateway 9.9.2 Release Notes for more information).

Contact VIP technical support to open a case, and attach the vulnerability scans to the case.