Updated 14 February 2022 (corrected statements on CVE-2021-4104)

Updated 12 January 2022 (added CVE-2021-44832 and note on ICG)

Updated 22 December 2021 (updated CVEs, removed mitigations, added fixed UMS version)

Updated 16 December 2021 (added affected versions, corrected mitigation for Elasticsearch on Windows)

First published 13 December 2021

CVSS 3.1 Base Score: 10.0 (Critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

A critical vulnerability, also known as Log4shell, has been found in the Log4j logging library. This affects the following IGEL products (other IGEL products are not affected):

  • IGEL Universal Management Suite (UMS), all versions since 5.09.100

Details

Log4j library versions 2.0-beta9 up to 2.14.1 are vulnerable to Remote Command Execution (CVE-2021-44228): a remote attacker can execute commands over the network on software that contains a vulnerable Log4j version. IGEL UMS and the Elasticsearch engine in the IGEL UMS Web App are affected.

Exploit code is already available, and the issue is being actively exploited on the Internet. Therefore, IGEL strongly recommends updating all UMS installations.

In a typical UMS installation, this issue is mitigated by the fact that UMS is not reachable from the Internet.

In early attempts to fix CVE-2021-44228, further vulnerabilities were found and assigned the identifiers CVE-2021-45046 and CVE-2021-45105. These affect the Context Lookup feature in Log4j, which UMS does not use; therefore UMS is not affected by them. UMS is also not affected by CVE-2021-44832, as it does not use the vulnerable features in Log4j version 2.17.

In addition, a vulnerability has been found in Log4j version 1.2.17 (CVE-2021-4104), which does not affect UMS, as the CVE applies only “when the attacker has write access to the Log4j configuration”, which is not the case in UMS.

Note on ICG

IGEL Cloud Gateway 2.04.100 contains Log4j version 1.2.17, but it is not affected by CVE-2021-4104, as it applies only “when the attacker has write access to the Log4j configuration”, which is not the case in ICG.

Update Instructions

  • Update to UMS 6.09.120, which contains Log4j version 2.17
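The Details and Update Instructions above boil down to one question for an administrator: which Log4j 2 version does each jar on the UMS host actually carry, and does it fall in the affected range or at or above the version the advisory names as fixed? The script below is an added example, not IGEL's code, that inventories log4j-core jars under a directory by reading their manifest. It assumes that log4j-core jars ship a META-INF/MANIFEST.MF whose Implementation-Title or Bundle-SymbolicName identifies Log4j Core and whose Implementation-Version holds the library version, and it uses only the version boundaries stated in this advisory (2.0-beta9 up to 2.14.1 affected, 2.17 fixed); the sample jars it scans are constructed in memory.

```python
"""Inventory Log4j 2 core jars and flag the version range named in the advisory.

Added example, not IGEL's code. Assumes log4j-core jars carry a manifest with
Implementation-Title / Bundle-SymbolicName identifying Log4j Core and an
Implementation-Version header. Sample jars below are constructed, not real."""
import io
import os
import re
import sys
import tempfile
import zipfile

# 2.14.1, 2.17, 2.0-beta9, 2.0-rc1 -> comparable tuples; pre-releases sort before finals
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")
_PRE_RANK = {"beta": 0, "rc": 1}


def parse_version(text):
    """Return (major, minor, patch, (pre_rank, pre_num)) or None if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre, pre_num = m.groups()
    pre_key = (_PRE_RANK[pre], int(pre_num)) if pre else (2, 0)  # final release
    return (int(major), int(minor), int(patch or 0), pre_key)


AFFECTED_LOW = parse_version("2.0-beta9")   # range stated in the advisory (CVE-2021-44228)
AFFECTED_HIGH = parse_version("2.14.1")
FIXED = parse_version("2.17")               # version the advisory says UMS 6.09.120 ships


def classify(version_text):
    """Map a version string onto the advisory's boundaries."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    if v < AFFECTED_LOW:
        return "below-range"  # e.g. Log4j 1.x; not in the CVE-2021-44228 range
    if v <= AFFECTED_HIGH:
        return "vulnerable"
    if v < FIXED:
        return "review"       # 2.15/2.16: below the version the advisory names as fixed
    return "fixed"


def parse_manifest(text):
    """Parse MANIFEST.MF headers; a leading space marks a continuation line."""
    headers, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            headers[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            headers[last] = value.strip()
    return headers


def inspect_jar(jar_bytes):
    """Return {'version', 'status', 'jndi_lookup_present'} for a log4j-core jar, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            names = set(zf.namelist())
            if "META-INF/MANIFEST.MF" not in names:
                return None
            headers = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
    except zipfile.BadZipFile:
        return None
    is_core = ("log4j.core" in headers.get("Bundle-SymbolicName", "")
               or "Log4j Core" in headers.get("Implementation-Title", ""))
    if not is_core:
        return None
    version = headers.get("Implementation-Version", "")
    return {
        "version": version,
        "status": classify(version),
        # presence of the JNDI lookup class is reported for the inventory only
        "jndi_lookup_present": "org/apache/logging/log4j/core/lookup/JndiLookup.class" in names,
    }


def scan_tree(root):
    """Walk a directory tree; return [(path, inspect_jar result)] for every log4j-core jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result = inspect_jar(fh.read())
            if result is not None:
                findings.append((path, result))
    return findings


def build_sample_jar(version, with_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar (not a real Apache artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n"
                    "Implementation-Title: Apache Log4j Core\r\n"
                    f"Implementation-Version: {version}\r\n"
                    "Bundle-SymbolicName: org.apache.logging.log4j.core\r\n\r\n")
        if with_jndi_lookup:
            zf.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"")
    return buf.getvalue()


def demo():
    """Scan a temp dir holding two constructed jars; returns sorted [(version, status), ...]."""
    with tempfile.TemporaryDirectory() as tmp:
        for ver in ("2.14.1", "2.17.0"):
            with open(os.path.join(tmp, f"log4j-core-{ver}.jar"), "wb") as fh:
                fh.write(build_sample_jar(ver, with_jndi_lookup=(ver == "2.14.1")))
        return sorted((r["version"], r["status"]) for _, r in scan_tree(tmp))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, r in scan_tree(sys.argv[1]):  # e.g. the UMS installation directory
            print(f"{r['status']:<12} {r['version']:<10} {path}")
    else:
        print(demo())
```

Run it against the UMS installation directory (`python log4j_inventory.py /path/to/ums`) and treat any `vulnerable` row as confirmation that the update to UMS 6.09.120 is still outstanding; a `review` row means a 2.15/2.16 build that is outside the CVE-2021-44228 range but below the version the advisory names as fixed. Versions this script cannot parse are reported as `unknown` rather than silently skipped, so nothing drops out of the inventory.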

Mitigation

Earlier mitigation measures are no longer considered reliable. The safest course of action is to update to the fixed version.

References