Clarita’s response to the Apache Log4j 2 security vulnerability (CVE-2021-44228)

Updated 21 December 2021

IBM has advised of a second high priority vulnerability relating to WebSphere.

CVEID: CVE-2021-4104
CVSS Base score: 8.1

Description: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Additional Details: Clarita does not believe any of our clients currently use JMSAppender in any supported applications. However IBM's recommended solution is to apply an interim fix, which is available at:  Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046).

If you are Clarita EAMaaS customer, we will be applying this fix to your environments over the coming days.

If you are not a Clarita EAMaaS customer, and would like assistance to apply this latest fix, please contact Support.

A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly on December 9, 2021. The severe vulnerability in the Java logging libraries allows unauthenticated remote code execution and access to servers.

The Apache Log4j 2 (named log4shell) vulnerability has a huge impact, since most web servers are equipped with Apache software.

It affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1. Log4j 2 is a Java-based logging library that is widely used in business system development, included in various open-source libraries, and directly embedded in major software applications. Because this vulnerability is in a Java library, the cross-platform nature of Java means the vulnerability is exploitable on many platforms, including both Windows and Linux.

Applications directly accessible on the internet - such as internet-facing mobile applications - are therefore at great risk.

A cybercriminal can only exploit this vulnerability when they have access to the application. The vulnerability is a remote code execution vulnerability that can allow an unauthenticated attacker to gain complete access to a target system. It can be triggered when a specially crafted string is parsed and processed by the vulnerable Log4j 2 component. This could happen through any user provided input.

Clarita is currently working through our application portfolio in order to conduct impact assessments. We are closely monitoring various vendor announcements to understand how and when this vulnerability can be addressed.

We will keep you updated on the impact of the vulnerability and actions required to mitigate your risk as our evaluation progresses.

Read more from the Australian Cyber Security Centre here.

Vendor Updates

Clarita will continue to monitor announcements and advice from the following product vendors and will update the below information as it comes to hand.