Updated 12 January 2022 (added CVE-2021-44832 and note on ICG)

Updated 22 December 2021 (updated CVEs, removed mitigations, added fixed UMS version)

Updated 16 December 2021 (added affected versions, corrected mitigation for Elasticsearch on Windows)

First published 13 December 2021

CVSS 3.1 Base Score: 10.0 (Critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

A critical vulnerability, also known as Log4Shell, has been found in the Log4j logging library. It affects the following IGEL products (other IGEL products are not affected):

  • IGEL Universal Management Suite (UMS), all versions since 5.09.100

Details

The versions 2.0-beta9 up to 2.14.1 of the Log4j library are vulnerable to Remote Command Execution (CVE-2021-44228). This means that a remote attacker can execute commands over the network on software that contains the vulnerable Log4j versions. IGEL UMS and the Elasticsearch engine in the IGEL UMS Web App are affected.

Exploit code is already available, and the issue is being actively exploited on the Internet. Therefore, IGEL strongly recommends updating all UMS installations.

In a typical UMS installation, this issue is mitigated by the fact that UMS is not reachable from the Internet.

In early attempts to fix CVE-2021-44228, further vulnerabilities were found and assigned the identifiers CVE-2021-45046 and CVE-2021-45105. These affect the Context Lookup feature in Log4j, which UMS does not use; therefore UMS is not affected by them. UMS is also not affected by CVE-2021-44832, as it does not use the vulnerable features in Log4j version 2.17.

In addition, a vulnerability has been found in Log4j version 1.2 (CVE-2021-4104), which does not affect UMS.

Note on ICG

IGEL Cloud Gateway contains Log4j version 1.2, but it is not affected by CVE-2021-4104, as it does not use the vulnerable features.

Update Instructions

  • Update to UMS 6.09.120, which contains Log4j version 2.17

Mitigation

Older mitigation measures have been discredited. The safest course of action is to update to the fixed version.
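To confirm that an installation actually carries the fixed library rather than relying on the UMS version number alone, an administrator can inventory the log4j-core JARs on a UMS host and compare their versions against the ranges this advisory states: 2.0-beta9 through 2.14.1 affected by CVE-2021-44228, and 2.17 as shipped in UMS 6.09.120. The following Python script is an added example, not IGEL's own tooling; it reads the Maven `pom.properties` that log4j-core JARs carry, builds a constructed sample JAR in memory so it runs offline, and assumes a `scan_directory()` entry point that is pointed at the UMS installation directory (an assumption, not a path taken from the advisory).

```python
import io
import re
import zipfile
from pathlib import Path
from typing import Optional

# Affected range for CVE-2021-44228 as stated in the advisory.
VULN_LOW = "2.0-beta9"
VULN_HIGH = "2.14.1"
# Log4j version the advisory lists as shipped in UMS 6.09.120.
FIXED = "2.17"

_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(version: str) -> tuple:
    """Sortable key for Log4j version strings such as '2.0-beta9', '2.14.1' or '2.17'."""
    base, _, pre = version.partition("-")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (3 - len(nums))  # pad so that '2.17' compares equal to '2.17.0'
    if pre:
        m = re.fullmatch(r"([a-z]+)(\d*)", pre.lower())
        if not m:
            raise ValueError(f"unrecognised pre-release tag in {version!r}")
        pre_key = (0, _PRE_ORDER.get(m.group(1), -1), int(m.group(2) or 0))
    else:
        pre_key = (1, 0, 0)  # a final release sorts after its own pre-releases
    return (*nums, *pre_key)


def log4j_version_from_jar(data: bytes) -> Optional[str]:
    """Return the log4j-core version recorded in the JAR's Maven metadata, or None for other JARs."""
    prefix = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(prefix) and name.endswith("pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    return None


def classify(version: str) -> str:
    """Map a log4j-core version onto the statements made in this advisory."""
    k = version_key(version)
    if version_key(VULN_LOW) <= k <= version_key(VULN_HIGH):
        return "VULNERABLE: CVE-2021-44228 (2.0-beta9 .. 2.14.1)"
    if k >= version_key(FIXED):
        return "OK: at or above Log4j 2.17 (as shipped in UMS 6.09.120)"
    return "REVIEW: outside the CVE-2021-44228 range but below 2.17"


def scan_directory(root: Path) -> dict:
    """Walk a directory tree (e.g. the UMS installation directory, assumed) and classify every log4j-core JAR."""
    results = {}
    for jar in root.rglob("*.jar"):
        try:
            version = log4j_version_from_jar(jar.read_bytes())
        except zipfile.BadZipFile:
            continue  # not a readable JAR; skip it
        if version:
            results[str(jar)] = (version, classify(version))
    return results


def make_sample_jar(version: str) -> bytes:
    """Constructed in-memory JAR mimicking the metadata layout of a Maven-built log4j-core JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Offline demonstration on constructed JARs; replace with scan_directory(Path("<UMS install dir>")) on a host.
    for v in ("2.0-beta9", "2.14.1", "2.16.0", "2.17.0"):
        found = log4j_version_from_jar(make_sample_jar(v))
        print(f"log4j-core {found}: {classify(found)}")
```

The script keys on log4j-core specifically because that is the artifact the advisory's version ranges refer to; versions between 2.14.1 and 2.17 are reported as "REVIEW" rather than as safe, since the advisory makes no statement about them for installations other than UMS.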

References