Security Advisory for Log4j 2 CVE-2021-44228 vulnerability
Issued: December 10th, 2021
Updated: December 13th, 2021
Broadcom Software is investigating an Apache Log4j 2 remote code execution vulnerability that was recently reported to Apache. CVE identifier CVE-2021-44228 has been assigned to this vulnerability. This is a Critical vulnerability, and exploit code is in the wild. The Log4j team has addressed the vulnerability in Log4j 2.15.0.
Log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1
CVE-2021-44228 Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.
While we investigate the impact on each product and prepare fixes as necessary, we recommend as a precaution that customers consider implementing the available Log4j 2 workarounds or other mitigations. This advisory will be updated as we identify impacted products and publish solutions. In addition to checking this advisory for updates, customers can check individual product support pages or open a support case.
Risk Rating
CVE-2021-44228 - Critical
Base CVSS Score: 10.0
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
ASM (App Synthetic Monitor)
The ASM Engineering team has confirmed that ASM 10.7.6 core servers (dashboard, API, reports, alerting, monitor scheduler) are not vulnerable.
The team has also determined that a few components of the public and on-premise monitoring stations bundle log4j versions that are exposed to the vulnerability.
The team has prepared hotfix release 10.7.8, which upgrades log4j to version 2.16.0, a version not affected by CVE-2021-44228. It will be deployed on December 16.
To remove the exposure on on-premise monitoring stations, upgrade them to version 10.7.8 once it is released.
Alternatively, until the upgrade is applied, the exposure can be mitigated by deleting the JndiLookup class from the bundled log4j-core jars and restarting the affected agents with the following commands:
zip -q -d /opt/asm/jmeter/4.0/lib/log4j-core-2.10.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
monit restart jmeter4-agent
zip -q -d /opt/asm/jmeter/2.13/lib/log4j-core-2.10.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
monit restart jmeter2-agent
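The Python script below is an added example, not code from this advisory or from the ASM product. It performs the same mitigation as the zip -d commands above (deleting org/apache/logging/log4j/core/lookup/JndiLookup.class from a log4j-core jar) using only Python's standard zipfile module, so it also works on hosts without the zip utility, and it re-scans each jar afterwards to verify the class is really gone. It additionally descends into nested archives (a log4j-core jar packed inside a war, ear or fat jar), which a single zip -d on the outer file does not reach. The two jars it builds are constructed stand-ins with placeholder class bytes, not real log4j; the file names, function names and the NESTED_SUFFIXES list are this example's own assumptions.

```python
"""Find and remove JndiLookup.class from jars (CVE-2021-44228 workaround).

Added example, not code from the Broadcom advisory or the ASM product. It mirrors the
zip -d mitigation with the standard zipfile module, recurses into nested archives,
and re-scans to verify the result.
"""
import io
import os
import tempfile
import zipfile

# The class whose removal disables JNDI lookups in log4j-core 2.x.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed set of entry names treated as nested archives worth descending into.
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_bytes(data, label=""):
    """Return locations of JndiLookup.class in zip bytes, written outer!inner!... for nested hits."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            here = f"{label}!{name}" if label else name
            if name == JNDI_LOOKUP:
                hits.append(here)
            elif name.lower().endswith(NESTED_SUFFIXES):
                try:
                    hits.extend(scan_bytes(zf.read(name), here))
                except zipfile.BadZipFile:
                    pass  # named like an archive but not a valid zip; skip it
    return hits


def strip_bytes(data):
    """Return (rewritten zip bytes, number of JndiLookup.class entries removed).

    zipfile cannot delete an entry in place, so every other entry is copied into a
    new archive; nested archives are rewritten the same way before being copied.
    """
    removed = 0
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed += 1
                continue
            payload = src.read(info.filename)
            if info.filename.lower().endswith(NESTED_SUFFIXES):
                try:
                    payload, inner = strip_bytes(payload)
                    removed += inner
                except zipfile.BadZipFile:
                    pass
            dst.writestr(info, payload)  # keeps the entry name and compression method
    return out.getvalue(), removed


def scan_file(path):
    with open(path, "rb") as f:
        return scan_bytes(f.read(), path)


def strip_file(path):
    """Rewrite the jar at path without JndiLookup.class; atomic replace keeps the original on failure."""
    with open(path, "rb") as f:
        new_data, removed = strip_bytes(f.read())
    if removed:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".tmp")
        with os.fdopen(fd, "wb") as f:
            f.write(new_data)
        os.replace(tmp, path)
    return removed


def entry_count(path):
    with zipfile.ZipFile(path) as zf:
        return len(zf.namelist())


def make_sample_jars(directory):
    """Constructed input: a stand-in log4j-core jar and a fat jar nesting it (placeholder bytes)."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    core_path = os.path.join(directory, "log4j-core-2.10.0.jar")
    with open(core_path, "wb") as f:
        f.write(core.getvalue())
    fat_path = os.path.join(directory, "app-fat.jar")
    with zipfile.ZipFile(fat_path, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.10.0.jar", core.getvalue())
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
    return core_path, fat_path


def demo(directory=None):
    """Build the sample jars, scan, strip, re-scan and strip again; returns counts per jar."""
    directory = directory or tempfile.mkdtemp(prefix="log4j-demo-")
    results = {}
    for label, path in zip(("core", "fat"), make_sample_jars(directory)):
        before = len(scan_file(path))
        removed = strip_file(path)
        after = len(scan_file(path))
        again = strip_file(path)  # second pass must find nothing left to remove
        results[label] = {"before": before, "removed": removed, "after": after,
                          "again": again, "entries": entry_count(path)}
        print(f"{path}: found {before}, removed {removed}, remaining {after}")
    return results


if __name__ == "__main__":
    demo()
```

As with the zip -d commands, the JVM that loaded the jar must be restarted afterwards (the monit restart lines above do this for the JMeter agents), because classes already resident in memory are unaffected by changes on disk. Removing the class is an interim workaround for CVE-2021-44228 only; upgrading to the fixed release remains the intended remediation.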
Customers running OPMS will have to run the 10.7.8 installer after it is released for the permanent fix to take effect; the commands above are an interim workaround only.