Security Advisories
CLAV-SA-0297 High Severity vulnerability in Apache Log4J 2
Back to list| Advisory ID | CLAV-SA-0297 |
| Summary | High Severity vulnerability in Apache Log4J 2 |
| Updated | 2022-01-11 |
| First Published | 2021-12-13 |
| Impact | Critical |
| CVSS URL | https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CVSS Score | 10.0 |
| CVEs | |
| Affected Products |
|
Introduction
Log4j 2 is used in Clavisters EasyAccess, EasyPassword and InCenter products and must be reconfigured/patched to not be susceptible to these vulnerabilities.
CVE-2021-44228 - Log4Shell
Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution.
For detailed information please see https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
CVE-2021-45046
Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
For detailed information please see https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046
CVE-2021-45105
Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
For detailed information please see https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105
CVE-2021-44832
Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
For detailed information please see https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832
Affected Versions
- EasyAccess <= 4.1.2
- InCenter <= 1.68.03, 2.0.0 and 2.1.0
These products are NOT affected
The following products does not use any Java components at all and are therefore (and have never been) vulnerable to these Log4j 2 vulnerabilities.
- Clavister NetWall (cOS Core)
- Clavister NetShield (cOS Stream)
- Clavister InControl
- Clavister OneConnect
Fix Information
Preventative measures
Clavister IDP can be used to mitigate these attacks on non-encrypted traffic, please see https://www.clavister.com/advisories/idp/?Query=CVE-2021-44228 for details regarding what signatures to use. See https://kb.clavister.com/343410414/protecting-against-the-apache-log4j-exploit for detailed information.
EasyAccess
For EasyAccess please refer to https://kb.clavister.com/343410234/high-severity-vulnerability-in-apache-log4j-2 for detailed information.
InCenter
For InCenter please refer to https://kb.clavister.com/343410462/vulnerability-in-apache-log4j-2-which-is-used-in-incenter for detailed information.
Security Patches
Updated versions will be available from https://www.clavister.com/ as soon as they are available.
References
- https://kb.clavister.com/343410234/high-severity-vulnerability-in-apache-log4j-2
- https://kb.clavister.com/343410462/vulnerability-in-apache-log4j-2-which-is-used-in-incenter
- https://kb.clavister.com/343410414/protecting-against-the-apache-log4j-exploit
- https://www.clavister.com/advisories/idp/?Query=CVE-2021-44228
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- https://nvd.nist.gov/vuln/detail/CVE-2021-45046
- https://en.wikipedia.org/wiki/Log4Shell
Living document
We are continously updating this advisory as more information gets available!