Update on Statement on “Log4j” Vulnerability


December 20, 2021 Updates:

A new zero-day vulnerability (CVE-2021-45105) (Apache Log4j2 - does not always protect from infinite recursion in lookup evaluation) was reported by Apache for the Apache Log4j component on December 18, 2021. Micro Focus is taking immediate action to analyse and to remediate where appropriate. The reported vulnerability (CVE-2021-45105 / Apache Log4j2) is in the Apache Log4j open-source component that allows Remote Code Execution. This enables an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. It is rated 7.5 under the Common Vulnerability Scoring System (CVSS). Micro Focus uses Log4j for standard logging functionality across a number of product portfolios. We are actively remediating the vulnerability across those products to protect both SaaS and on-premises customers and issuing security bulletins with instructions on how to remediate for on-premises installations. We will continue to provide details of the Log4j compromise until the risk is completely mitigated.

After investigation and analysis, we have had no indications of Log4j intrusions to date.

Micro Focus Secure Development Process

Micro Focus uses a mature formal process to handle vulnerabilities that are identified both internally and externally. We have a robust, dedicated, full-time threat intelligence team with a Micro Focus-wide view, that is constantly reviewing new reports of vulnerabilities, threats and compromises for possible impact to our products and network.

Micro Focus operates a Secure Development Lifecycle that includes, among other practices, a Supply Chain Security practice, a 3rd Party Component Manifest and 3rd Party Component Monitoring. Using these formal practices we ensure 3rd party components are sourced from trusted repositories, scanned and tested, free of known CVEs, and signed to ensure authenticity and integrity. New vulnerabilities are scanned and tracked to ensure closure. Unsupported 3rd party components are deprecated.

Micro Focus has a formal practice of secure software coding that is designed to protect against malicious code, backdoors, transitive dependency based vulnerabilities and other threats.

Micro Focus is actively implementing patches and mitigation measures where appropriate for the Log4j vulnerability. Zero-Day and Critical vulnerabilities are fast-tracked and delivered outside the product’s major point release cycle. We rank potential patches according to CVSS scoring, and also our own enhanced scoring system that takes additional data points into account. Configuration changes or patch installations require Quality Assurance analysis and testing prior to deployment to production systems to prevent unexpected service interruptions.

December 15, 2021 Updates:

Micro Focus is taking immediate action regarding Common Vulnerabilities and Exposures CVE-2021-44228 and CVE-2021-45046.

CVE-2021-44228
Micro Focus is aware of the new guidance from Apache on the Apache Log4j vulnerability described in CVE-2021-44228 relating to newly discovered attack vectors. We are evaluating the impact on each of Micro Focus’ products in both SaaS and on-premise deployment and updating our response to address these newly discovered attacks. We will be issuing updated security bulletins to our customers to ensure there are appropriate options for fully remediating this vulnerability. For on-premises deployment Micro Focus is issuing Security Bulletins on our product support portal with specific instructions on how to block the attack until the component is upgraded to the recommended current version.

CVE-2021-45046

A new zero-day vulnerability (CVE-2021-45046) (Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern) was reported for the Apache Log4j component on December 14, 2021. CVE-2021-45046 is a reported vulnerability in the Apache Log4j open-source component that allows a denial of service (DoS) attack and is Severity Level 3.7 out of 10. Micro Focus is taking immediate action to analyze, mitigate and remediate, as appropriate.

For more information and regular updates please visit our Security Updates page.

Read the full statement by Micro Focus here

Raquel Winkler
Micro Focus Community Manager

Comment List

Anonymous
  • CZ:  These instructions are available at https://logging.apache.org/log4j/2.x/ ...

    CVE-2021-44228

    The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.15.0.

    Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution. Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects by default served on the local host.

    One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion, users are strongly discouraged from enabling it.

    For those who cannot upgrade to 2.15.0, in releases >=2.10, this vulnerability can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.7 through 2.14.1 all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath:

    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
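The mitigation advice quoted in the comment above depends on which log4j-core version is deployed and whether the JndiLookup class is still in the jar. The script below is an added example for on-premises administrators, not code from Apache, Micro Focus or the commenter: it walks a directory tree, reads each log4j-core jar's version from the Maven pom.properties that the real jars carry, checks for the JndiLookup.class entry, and maps the result onto the version ranges in the quoted advisory. FIXED_VERSION follows that advisory (2.15.0); the later CVEs named on this page (CVE-2021-45046, CVE-2021-45105) moved the fixed version higher, so raise the constant to match the bulletin you are working from. The sample jars it builds when run without arguments are constructed test data containing only the two entries the script reads.

```python
"""Inventory log4j-core jars and classify each against the CVE-2021-44228
mitigation advice (added example; constructed sample data, not real artifacts)."""
import os
import re
import tempfile
import zipfile

# Real entry names inside log4j-core jars: the lookup class the advisory says to
# delete, and the Maven properties file that records the artifact version.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.
    A pre-release qualifier sorts below the final release of the same number."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?", text)
    if not m:
        return None
    major, minor, patch, qual = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if qual else 1, qual or "")


# Version at which the quoted advisory considers the issue addressed (assumption:
# raise this to the version in the bulletin you follow, e.g. for later CVEs).
FIXED_VERSION = parse_version("2.15.0")


def classify(version, has_jndi_lookup):
    """Return a verdict string using the version ranges from the quoted advisory."""
    v = parse_version(version) if version else None
    if v is None:
        return "unknown version; inspect manually"
    if v >= FIXED_VERSION:
        return "fixed: 2.15.0 or later"
    if not has_jndi_lookup:
        return "mitigated: JndiLookup.class removed"
    if v >= parse_version("2.10.0"):
        return "vulnerable: set log4j2.formatMsgNoLookups=true (or LOG4J_FORMAT_MSG_NO_LOOKUPS=true) or upgrade"
    if v >= parse_version("2.7.0"):
        return "vulnerable: use %m{nolookups} in every PatternLayout or upgrade"
    if v >= parse_version("2.0-beta9"):
        return "vulnerable: remove JndiLookup.class from the jar or upgrade"
    return "not affected: earlier than 2.0-beta9"


def version_from_jar(zf):
    """Read the log4j-core version from the Maven pom.properties packed in the jar."""
    try:
        props = zf.read(POM_PROPERTIES).decode("ascii", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_jar(path):
    """Return (version, jndi_lookup_present) for one jar."""
    with zipfile.ZipFile(path) as zf:
        return version_from_jar(zf), JNDI_LOOKUP_ENTRY in set(zf.namelist())


def scan(root):
    """Walk root and report (path, version, jndi_present, verdict) per log4j-core jar."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                try:
                    version, has_jndi = inspect_jar(path)
                except zipfile.BadZipFile:
                    findings.append((path, None, None, "unreadable jar"))
                    continue
                findings.append((path, version, has_jndi, classify(version, has_jndi)))
    return findings


def build_sample_jar(path, version, include_jndi_lookup=True):
    """Write a constructed minimal jar with only the entries this script reads."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")  # placeholder, not a real class


def demo_findings():
    """Scan a constructed directory of sample jars; returns {filename: verdict}."""
    root = tempfile.mkdtemp()
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    build_sample_jar(os.path.join(root, "log4j-core-2.9.1.jar"), "2.9.1", include_jndi_lookup=False)
    build_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0")
    build_sample_jar(os.path.join(root, "log4j-core-2.0-beta9.jar"), "2.0-beta9")
    return {os.path.basename(p): verdict for p, _v, _j, verdict in scan(root)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, version, has_jndi, verdict in scan(sys.argv[1]):
            print(f"{path}: version={version} JndiLookup={'present' if has_jndi else 'absent'} -> {verdict}")
    else:
        for name, verdict in sorted(demo_findings().items()):
            print(f"{name}: {verdict}")
```

Run it with the application's installation directory as the only argument. It only looks at jars named log4j-core-*.jar lying on disk; copies shaded into fat jars or packed inside WAR/EAR archives are not descended into, so treat a clean report as a starting point for the product-specific bulletins, not as proof of absence.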

  • I suggest checking individual MF product lines (in forums or in knowledge base) for fixes, I know a fix/workaround has already been provided for ZENworks (MF product).
