Skip to main content

Overview

On December 9, 2021, Riverbed|Aternity’s security and engineering team was made aware of a reported remote code execution vulnerability in the open source Apache Log4j2 Java library. The software library, Log4j, is built on a popular coding language, Java, which is broadly used in several software and applications worldwide.

This initial vulnerability was annotated in the National Vulnerability Database (NVD) under the heading CVE-2021-44228. As of December 14, researchers discovered that the Apache-developed fix for CVE-2021-44228 (Log4j 2.15 RC2) was incomplete and Apache released a new fix, and update (Log4j 2.16). With global attention focused on the Log4j software, researchers and threat actors have discovered additional vulnerabilities. On December 17, two new issues were confirmed and the next day, Apache released another update and recommendation to move to Log4j 2.17.  Riverbed|Aternity expects that the cycle of newly reported vulnerabilities and published fixes will continue as researchers and threat actors continue their enhanced focus on the Log4j code base.

The NVD’s current list of vulnerabilities and recommended fixes are as follows:

  • CVE-2021-44228 (CVSS score: 10.0) - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
  • CVE-2021-45046 (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
  • CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
  • CVE-2021-4104 (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.0)

The Apache Log4j Security Vulnerabilities webpage provides additional information; Apache recommends updating to 2.17.0 immediately.

Security patches are being tested and applied to the limited software components of Riverbed|Aternity products that were affected by the vulnerabilities. These are being tracked and updated in real time in the Knowledge Base articles linked below. Riverbed|Aternity encourages all organizations to implement these updates as quickly as possible once they have been tested and released through the Riverbed|Aternity’s support portals and Knowledge Base publications. In addition, Riverbed|Aternity continues to assess internal vulnerabilities and its supply chain based on the most recent CVEs and is moving too quickly update and fix issues on an ongoing basis.

Threat-focused security organizations have observed state actors begin to leverage the vulnerability in new attacks. Riverbed|Aternity has heightened our vigilance in monitoring networks for abnormal behaviors and invoking immediate response actions as necessary. Additionally, we have updated our AppResponse 11 software with rulesets to help identify potential Log4j vulnerable systems and potential threats and can provide these rules to our customers using AppResponse 11.

Recommendations

The Riverbed|Aternity security and engineering teams have posted recommendations and fixes for products assessed to be vulnerable in the following Knowledge Base articles. Customers with active support contracts may access impact assessments and status for specific products at the links below.

Riverbed product lines:

https://supportkb.riverbed.com/support/index?page=content&id=S35645&temp=temp

Aternity product lines:

https://aternity.force.com/customersuccess/s/article/Apache-Log4j-Zero-Day-Exploit

Aternity SaaS products have been patched and updates are available on the Aternity Customer Success Portal.