CVE-2021-45105 is not the same Log4j vulnerability as the one announced on December 10th involving remote code execution. It is a separate vulnerability disclosed the following week. For information regarding the other Log4j CVEs announced in December 2021, see:
- For the first CVE involving a remote code execution announced December 10th: https://support.venafi.com/hc/en-us/articles/4416213022733-Log4j-CVE-2021-44228-Zero-Day-Vulnerability-notice
- For the second CVE announced December 14th: https://support.venafi.com/hc/en-us/articles/4416635878029-Log4j-CVE-2021-45046-Vulnerability-Notice
The only impacted component is the UniCERT CA service. If you are not using this optional service, Venafi Trust Protection Platform is in no way impacted, and no remediation is necessary.
Venafi as a Service (VaaS) is no longer vulnerable, but was at the time of disclosure. No action is needed on the part of customers to patch VaaS; Venafi engineers have updated the service so that it is no longer vulnerable.
The UniCERT CA service has been patched in the most recent release of TPP.
If you are not sure whether you are making use of the UniCERT CA Service, look for an installed program called "Venafi UniCERT 5.3 Service" in your Add/Remove Programs list. If that service is not installed, you need not go any further: your installation is not impacted.
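The Add/Remove Programs check above can also be run from a PowerShell prompt on the TPP server. The following script is an added example, not Venafi tooling: it enumerates the Uninstall registry keys that back the Add/Remove Programs list and reports whether the "Venafi UniCERT 5.3 Service" entry is present. The registry paths are the standard Windows uninstall keys; the output wording is the author's own.

```powershell
# Added example (not Venafi's own tooling): look for the "Venafi UniCERT 5.3 Service"
# entry named in the article among the Add/Remove Programs uninstall keys.
$DisplayNamePattern = 'Venafi UniCERT 5.3 Service'   # program name from the article

# Both native and WOW6432Node uninstall hives, so 32-bit MSIs on 64-bit hosts are covered.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UniCertServiceInstall {
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            if ($props.DisplayName -like "*$DisplayNamePattern*") {
                [PSCustomObject]@{
                    DisplayName     = $props.DisplayName
                    DisplayVersion  = $props.DisplayVersion
                    InstallLocation = $props.InstallLocation
                    RegistryKey     = $_.PSPath
                }
            }
        }
    }
}

$found = @(Get-UniCertServiceInstall)
if ($found.Count -eq 0) {
    Write-Output 'Venafi UniCERT 5.3 Service not found: this TPP installation is not impacted by CVE-2021-45105.'
} else {
    $found | Format-List
    Write-Output 'UniCERT CA service is installed: confirm TPP is on the latest release, which includes the patched UniCERT MSI.'
}
```

Run it in an elevated PowerShell session on each TPP server; a non-empty result means the optional UniCERT add-on is present and the TPP update described in this article applies.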
For VaaS, no action is needed on the part of customers: Venafi engineers are currently implementing the latest updates and mitigations.
On December 18th 2021, CVE-2021-45105 was announced with a High severity rating. This vulnerability can cause an application to crash (a denial of service) by triggering infinite recursion during string substitution.
Like any company making use of affected Apache Log4j releases, Venafi's Venafi as a Service (VaaS) cloud product was vulnerable at the time of disclosure, but has since been patched.
The optional UniCERT CA service that can be installed alongside TPP also made use of the vulnerable Log4j version. A patched UniCERT MSI has been released with the latest version of Trust Protection Platform. However, the vast majority of Venafi customers do not make use of this optional add-on. If you are uncertain, instructions for finding out whether this optional service is installed are given above. The UniCERT CA service is not installed as part of a normal TPP installation procedure; it is a separate installation that must be invoked on its own.
To read more about this vulnerability, see Apache's disclosure at https://logging.apache.org/log4j/2.x/security.html