Note:
This CVE is not the same Log4J vulnerability as the one announced on December 10th. This is a separate vulnerability disclosed in the days after. For information regarding the earlier log4j CVE, see this article: https://support.venafi.com/hc/en-us/articles/4416213022733-Log4j-CVE-2021-44228-Zero-Day-Vulnerability-notice
Applies to:
The UniCERT CA service. If you are not using this optional service, Venafi Trust Protection Platform is in no way impacted, and no remediation is necessary.
Other Venafi products are not impacted. VaaS was impacted at the time of disclosure but has since been patched; no action is needed on the part of customers to patch VaaS. The version of Log4j used by VaaS has been updated to 2.16, and other mitigations have also been put in place.
Resolution:
At the present time, a patch for this vulnerability is on the way for the UniCERT CA Service.
If you are not sure whether you are making use of the UniCERT CA Service, look for an installed program called "Venafi UniCERT 5.3 Service" in your Add/Remove Programs list. If you do not have this Service installed, then you need not go any further: your installation is not impacted.
To mitigate the Log4j vulnerability in the UniCERT CA service, edit the log4j2.xml file located at \Venafi\Utilities\UpiProxy\log4j2.xml, replacing:
<pattern>[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n</pattern>
with:
<pattern>[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg{nolookups}%n</pattern>
and also replacing:
<PatternLayout pattern="[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n" />
with:
<PatternLayout pattern="[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg{nolookups}%n" />
Again, if you do not make use of the UniCERT CA service, which has a separate .msi installer, these steps are not necessary.
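To confirm the change was applied to every PatternLayout in the file, the following Python script (an added example, not Venafi's code) lists message conversions that still allow lookups and applies the same {nolookups} rewrite; it also covers the %m and %message aliases and the nested <pattern> form. The embedded config is a constructed sample shaped like the two snippets above, not the real UpiProxy file.

```python
"""Added example (not Venafi's code): find %msg conversions in a Log4j 2 XML config
that still allow lookups, and apply the {nolookups} change described above."""
import re
import xml.etree.ElementTree as ET

# %message, %msg or %m (Log4j aliases for the message; not a longer word such as %marker),
# followed by any option groups already present, e.g. {nolookups} or {ansi}.
MSG_CONV = re.compile(r"%(?:message|msg|m)(?![A-Za-z])(?:\{[^}]*\})*")

def msg_allows_lookups(pattern: str) -> bool:
    """True if any message conversion in the pattern lacks the nolookups option."""
    return any("{nolookups}" not in m.group(0) for m in MSG_CONV.finditer(pattern))

def unpatched_patterns(xml_text: str) -> list[str]:
    """PatternLayout patterns (attribute form or nested <pattern> element) whose message
    conversion still performs lookups. Names are matched case-insensitively, as Log4j does."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.lower() != "patternlayout":
            continue
        candidates = [v for k, v in el.attrib.items() if k.lower() == "pattern"]
        candidates += [c.text or "" for c in el if c.tag.lower() == "pattern"]
        found += [p for p in candidates if msg_allows_lookups(p)]
    return found

def add_nolookups(xml_text: str) -> str:
    """Append {nolookups} to every message conversion lacking it; the rest of the file is untouched."""
    def fix(m: re.Match) -> str:
        tok = m.group(0)
        return tok if "{nolookups}" in tok else tok + "{nolookups}"
    return MSG_CONV.sub(fix, xml_text)

# Constructed sample shaped like the UpiProxy log4j2.xml quoted in the article:
# one attribute-form layout and one element-form layout, both still unpatched.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n" />
    </Console>
    <File name="Log" fileName="upiproxy.log">
      <PatternLayout>
        <pattern>[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n</pattern>
      </PatternLayout>
    </File>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    print("needs {nolookups}:", unpatched_patterns(SAMPLE_CONFIG))
    print("after rewrite:", unpatched_patterns(add_nolookups(SAMPLE_CONFIG)))
```

To check a real file, read its contents and pass the text to unpatched_patterns(); write the result of add_nolookups() back only after reviewing the diff.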
Summary:
On December 14th 2021, CVE-2021-45046 in the Apache Log4j library was announced as a Moderate severity vulnerability; in the following days it was upgraded to Critical.
Just as any company making use of Apache Struts was likely to be vulnerable, Venafi's Venafi as a Service (VaaS) cloud product was vulnerable at the time of disclosure, but it has been patched and is no longer at risk from this vulnerability.
The optional UniCERT CA service that can be installed alongside TPP also makes use of the vulnerable Log4j version. A patch for the UniCERT MSI is forthcoming. The vast majority of Venafi customers do not make use of this optional add-on; if you are uncertain, the Resolution section above explains how to find out whether it is installed. The UniCERT CA service cannot be installed as part of a normal TPP installation procedure; it is a separate installation that must be invoked on its own.
More Info:
To read more about this vulnerability, see Apache's disclosure at https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046