Updates regarding Apache Log4j vulnerability

Advisories from our vendors. We update when new info is available. If you need any assistance, please reach out to our support.

Last updated: 2022-01-07 | 14:56

ManageEngine

A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j2 utility was disclosed publicly on December 9, 2021. The vulnerability impacts Apache Log4j2 versions below 2.16.0. Find the details of this vulnerability documented here: https://logging.apache.org/log4j/2.x/security.html

ManageEngine products bundled with vulnerable Log4j2:

| Product name | Jar version in bundled dependency |
|---|---|
| ADManager Plus | V2.11.1 |
| ADAudit Plus | V2.10.0 |
| DataSecurity Plus | V2.10.0 |
| EventLog Analyzer | V2.9.1 |
| M365 Manager Plus | V2.11.1 |
| RecoveryManager Plus | V2.11.1 |
| Exchange Reporter Plus | V2.11.1 |
| Log360 | V2.9.1 |
| Log360 UEBA | V2.11.1 |
| Cloud Security Plus | V2.9.1 |
| Analytics Plus | V2.7 |
| M365 Security Plus | V2.11.1 |

Please note that we have not identified any exploitable cases due to Log4j2 in the above products as we do not use Log4j directly for logging. But, some of the third parties we use bundle Log4j2 as a dependency. So as an additional safety measure, customers are instructed to apply the mitigation steps listed below:

  1. ADManager Plus 
    Update: Fix available in Build 7122 Learn more
  2. ADAudit Plus 
    Update: Fix available in Build 7008 Learn more
  3. DataSecurity Plus 
  4. EventLog Analyzer 
    Update Jan 7: Fix available in 12.2.1 Build 12215 Learn more
  5. M365 Manager Plus 
    Update: Fix available in Build 4425 Learn more
  6. M365 Security Plus 
    Update: Fix available in Build 4425 Learn more
  7. RecoveryManager Plus
    Update: Fix available in Build 6044 Learn more
  8. Exchange Reporter Plus 
    Update: Fix available in Build 5616 Learn more
  9. Log360
    Update Jan 7: Fix available in 15.2.4 Build 5246 Learn more
  10. Log360 UEBA
    Update: Fix available in Build 4034 Learn more
  11. Cloud Security Plus
    Update: Fix available in Build 4121 Learn more
  12. Analytics Plus
    Update: Fix available in Build 5070 Learn more

Other ManageEngine products that are not listed above are NOT impacted by this vulnerability.

We are continuing to analyze the issue and will update this advisory if any new information becomes available.

For any additional details or assistance, please contact security@manageengine.com 

Source: ManageEngine PitStop
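
To confirm which Log4j2 jar an installation actually bundles, before and after applying a fix build, the following added example (not ManageEngine's code) walks an install directory and reports each log4j-core jar with its version, flagging those below the 2.16.0 threshold stated above. The function names are this example's own, and it assumes the jar carries the usual Maven pom.properties entry, falling back to the file name when it does not.

```python
import re
import zipfile
from pathlib import Path

THRESHOLD = (2, 16, 0)  # per the advisory above: versions below 2.16.0 are impacted
# Maven metadata that log4j-core jars normally carry; it survives a renamed jar file.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)")

def parse_version(text):
    """'2.9.1' -> (2, 9, 1); '2.7' -> (2, 7, 0), so tuples compare numerically."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def jar_version(path):
    """Prefer the version recorded inside the jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            if POM in jar.namelist():
                props = jar.read(POM).decode("utf-8", "replace")
                found = re.search(r"^version=(\d+(?:\.\d+)*)", props, re.M)
                if found:
                    return found.group(1)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: only the file name is left to go on
    by_name = NAME_RE.search(Path(path).name)
    return by_name.group(1) if by_name else None

def scan(install_dir):
    """Return sorted (relative path, version, below_threshold) per log4j-core jar."""
    root = Path(install_dir)
    rows = []
    for jar in root.rglob("*.jar"):
        version = jar_version(jar)
        if version is not None:
            rows.append((jar.relative_to(root).as_posix(), version,
                         parse_version(version) < THRESHOLD))
    return sorted(rows)

if __name__ == "__main__":
    import sys
    for rel, version, flagged in scan(sys.argv[1]):
        print(f"{'REVIEW' if flagged else 'ok':6}  {version:8}  {rel}")
```

Jars nested inside .war files or other archives are not opened by this scan, so an empty result does not by itself show that no copy is bundled.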

Cryptshare

A zero-day vulnerability “Log4Shell” (CVE-2021-44228) has been disclosed on 9 December 2021 and is already actively being exploited.

Important things first: Cryptshare products are not affected by the Log4Shell vulnerability. 

Please note, however, that our Software Development Kit (SDK) includes a third-party mail server (Apache James) which is affected by the vulnerability.

Here you can find our detailed statement about the incident and how you should act regarding the SDK.

F-Secure

Update (2021-12-16) - A further vulnerability was discovered in the Log4J component (CVE-2021-45046) and we are continuing to investigate the impact.

F-Secure Messaging Security Gateway is affected and patches are available. For most customers, these have been automatically applied, but please refer to https://community.f-secure.com/common-business-en/kb/articles/9226-the-log4j-vulnerabilities-cve-2021-44228-cve-2021-45046-which-f-secure-products-are-affected-what-it-means-what-steps-should-you-take for more details.

F-Secure Policy Manager and related products listed below are NOT affected by this new vulnerability, and the existing patch resolves all known issues.
F-Secure Elements Connector has been automatically upgraded to a patched version and no customer action is needed. We do advise customers to check they have the latest version installed though.

We recommend that customers regularly check https://community.f-secure.com/common-business-en/kb/articles/9226-the-log4j-vulnerabilities-cve-2021-44228-cve-2021-45046-which-f-secure-products-are-affected-what-it-means-what-steps-should-you-take for the latest information, but we will update this status as critical information is available.

Update (2021-12-13) - We continue investigating and mitigating the impact of the Log4J vulnerability.
For detailed information and continuous updates please visit https://community.f-secure.com/common-business-en/kb/articles/9226-the-log4j-vulnerability-cve-2021-44228-which-f-secure-products-are-affected-what-it-means-what-steps-should-you-take

Identified - CRITICAL UPDATE: F-Secure Policy Manager, Policy Manager Proxy, F-Secure Endpoint Proxy

An advisory for a critical-ranking vulnerability known as Log4J-RCE (CVE-2021-44228) was disclosed on December 10th 2021. Along with products from many other vendors, F-Secure has identified that this vulnerability also affects the following products:

- F-Secure Policy Manager
- F-Secure Policy Manager for Linux
- F-Secure Policy Manager Proxy
- F-Secure Policy Manager Proxy for Linux
- F-Secure Endpoint Proxy

All versions of these products are affected.

We have created a deployable fix for this vulnerability:

1. Download the patch from the F-Secure server: https://download.f-secure.com/corpro/pm/commons-java-log4j-nolookups.jar

2. Check the SHA256 hash of the file if possible to verify its integrity. It should be 64f7e4e1c6617447a24b0fe44ec7b4776883960cc42cc86be68c613d23ccd5e0

3. Stop the Policy Manager Server

4. Copy the downloaded file to
- Windows Policy Manager: C:\Program Files (x86)\F-Secure\Management Server 5\lib\
- Windows Endpoint Proxy: C:\Program Files\F-Secure\ElementsConnector\lib
- Linux (all products): /opt/f-secure/fspms/lib 

5. Start the Policy Manager Server

After the service restart, the patch will automatically be taken into use.

Note: This patch only applies to version 14 and version 15 of the affected software. It will also apply to version 13, although this version is out of support.
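
Steps 2 and 4 above, as an added example (not F-Secure's code): a Python helper that copies the downloaded jar into the product's lib directory only when its SHA256 matches the published value. The function names and the ".tmp" staging suffix are assumptions of this example; stopping and starting the Policy Manager Server (steps 3 and 5) remains a manual step.

```python
import hashlib
import hmac
import shutil
from pathlib import Path

# Hash published in step 2 of the advisory above.
PUBLISHED_SHA256 = "64f7e4e1c6617447a24b0fe44ec7b4776883960cc42cc86be68c613d23ccd5e0"
PATCH_NAME = "commons-java-log4j-nolookups.jar"

def sha256_of(path, chunk_size=1 << 20):
    """Stream the file so the whole download is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def install_patch(downloaded, lib_dir, expected=PUBLISHED_SHA256):
    """Copy the jar into lib_dir only if its hash matches; return the final path."""
    downloaded, lib_dir = Path(downloaded), Path(lib_dir)
    actual = sha256_of(downloaded)
    if not hmac.compare_digest(actual, expected.strip().lower()):
        raise ValueError(f"SHA256 mismatch for {downloaded}: got {actual}")
    if not lib_dir.is_dir():
        raise FileNotFoundError(f"lib directory not found: {lib_dir}")
    target = lib_dir / PATCH_NAME
    staged = lib_dir / (PATCH_NAME + ".tmp")  # hypothetical staging name
    shutil.copyfile(downloaded, staged)
    # Re-hash the staged copy so a truncated or swapped file is never activated.
    if sha256_of(staged) != actual:
        staged.unlink()
        raise OSError("staged copy does not match the verified download")
    staged.replace(target)
    return target

if __name__ == "__main__":
    import sys
    # Usage: script.py <downloaded jar> <lib directory from step 4>
    print(install_patch(sys.argv[1], sys.argv[2]))
```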


Investigating - An advisory for a critical-ranking vulnerability known as Log4J-RCE was disclosed on December 10th 2021. We are investigating any impact this may have on our products or services to take immediate steps where appropriate. Detections will protect users from this exploit in any vulnerable applications.

This vulnerability affects the “Log4j” Java-based logging tool which is part of the Apache Logging Services project of the Apache Software Foundation. The tool is widely used by enterprises around the world for application development. This exploit can be executed remotely, potentially allowing attackers to take full control of an affected server. Proof-of-concept code has been published and reports show that this vulnerability is being actively exploited in the wild.
As the situation evolves, the latest information about our products and services can be found here.
 

Trustwave

Trustwave security and engineering teams became aware of the Log4j zero-day CVE-2021-44228 overnight on December 9. We immediately investigated the vulnerability and potential exploits. 

Trustwave infrastructure has not been affected by the vulnerability / exploit.

Where there was potential for abuse via the exploit, we have remedied in our environments. We are diligently watching over our customers for exposure and associated attacks, as we are able to detect the exploit in the wild. We are taking action with approved mitigation efforts.

Trustwave Product Information:

  • The vulnerabilities CVE-2021-44228 and CVE-2021-45046 cannot affect MailMarshal (premise or cloud), WebMarshal, Marshal Reporting Console, or any of the premise Marshal plugins provided through Trustwave. None of these products or features use the affected module of Log4j.
  • Currently shipping Trustwave AppDetectivePRO is unaffected by this vulnerability. AppDetectivePRO is a standalone application on Windows, not accessible from outside the host. There is an optional component offering a preview of Web application vulnerability scanning that bundles, but does not use, Log4j. Customers who would like to remove this optional component can contact our Product Support team for guidance.
  • Trustwave DbProtect does use Log4j and our Product Support team can provide our customers with guidance on how to mitigate the issue until an update to the product is released in the coming weeks.

Source: Trustwave support portal & this blog post