Last Updated: January 21, 2022 12:07pm MST
***Indicates where an update has occurred
Micro Focus is continuing to analyze the remote code execution vulnerability of (CVE-2021-44228, CVE-2021-46046), and the Denial Of Service (CVE-2021-45105) that have been identified in the Apache Log4j components that are used in many Java-based applications. As we, along with many others in the industry, continue to identify and understand the full impact of this vulnerability, we will make that information available to our customers, in addition to information on remediation instructions, until a patch or updated release is become available.
Log4jMicro Focus’ Security teams have been actively investigating this issue since the initial disclosure, first to assess the scope of the vulnerability across our portfolio and software versions and then to devise a suitable mitigation plan for each of our products/versions that are determined to be affected. We have the indicators of compromise and are working with the Cybersecurity Infrastructure and Security Agency to stay current with changes to this situation. We have had no alerts on possible Log4J intrusions.
Impact to CyberRes products and remediation details
One of the vulnerabilities is a remote code execution vulnerability identified as CVE-2021-44228 and CVE-2021-45046, that can allow an unauthenticated attacker to gain complete access to a target system. It can be triggered when a specially crafted string is parsed and processed by the vulnerable Log4j2 component. This could happen through any user provided input.
Successful exploitation allows for arbitrary code execution in the targeted application. Attackers do not need prior access to the system to log the string and can remotely cause the logging event by using commands such as curl against a target system to log the malicious string in the application log. When processing the log, the vulnerable system reads the string and executes it, which in current attacks is used to execute the code from the malicious domain. Doing so can grant the attacker full access and control of the affected application.
There is also a Denial-of-Service vulnerability CVE-2021-45105. This allows an attacker to cause a denial of service when a crafted string is interpreted.
Given the fact that logging code and functionalities in applications and services are typically designed to process a variety of external input data coming from upper layers and from many possible vectors, the biggest risk factor of this vulnerability is predicting whether an application has a viable attack vector path that will allow the malformed exploit string to reach the vulnerable Log4j2 code and trigger the attack.
A common pattern of exploitation risk, for example, is a web application with code designed to process usernames, referrer, or user-agent strings in logs. These strings are provided as external input (e.g., a web app built with Apache Struts). An attacker can send a malformed username or set user-agent with the crafted exploit string hoping that this external input will be processed at some point by the vulnerable Log4j2 code and trigger code execution.
CyberRes client recommendations
- Apply the latest security updates to remediate this vulnerability. Please review the Apache CVE and the Apache security advisory for further details: https://logging.apache.org/log4j/2.x/security.html and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- Please review this Apache CVE and the Apache security advisory for further information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 and https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046
- Monitor Micro Focus Security bulletins
- Monitor for vendor patches as they become available within your environment
CyberRes SaaS Update
CyberRes is aware of the recently disclosed security issue related to the open-source Apache "Log4j2" utility (CVE-2021-44228). We are actively monitoring for this issue and have implemented additional protective and detective controls in all CyberRes SaaS environments. At this time there are no known products impacted in the SaaS environment.
For our on-premise products:
- We are issuing Security Bulletins with specific instructions on how to block the attack until the component is upgraded.
- Please visit the Product Support portal for a list of the security bulletins specific to the Log4j compromise.
- If a particular product is not listed, please continue to check the website as we are updating the list frequently.
- If the matter is urgent and the update is not on the website, please open a support case Support Resources | Micro Focus.
If a product is not listed below, it is NOT IMPACTED. Listed below are only impacted products.
ArcSight - Security Operations
Reference Support Bulletin KM000003049 for further updates
|Logger||KM000003186||7.2 and above|
|Connectors||KM000003117||8.2 and above|
|Transformation Hub||KM000003257||All Versions|
|***Sentinel||KM000003122||8.2 to 8.5|
Fortify - Application Security
|Audit Assistant||KM000003153||19.2 and newer|
|Static Code Analyzer
|KM000003178||20.1 and newer|
Software Security Center
|KM000003180||20.1 and newer|
Java Runtime Agent
|KM000003277||20.1 and newer|
|KM000003218||20.1 and newer|
|KM000003281||20.1 and newer|
NetIQ - Identity and Access Management
|Access Manager||KM000002997||4.5 and newer|
|NetIQ Risk Services||KM000003298||1.0 and newer|
|Change Guardian||KM000003114||5.2 to 6.2|
|Advanced Authentication||KM000003047||6.0 and newer|
Voltage - Data Privacy and Protection
|KM000003242||7.6.1 and newer|
|SecureData Sentry||KM000003162||4.3 and below|
Our Support organization has in place standard handling procedures to ensure that customers reporting the issue are responded to with the latest information from our R&D and Security teams. Knowing which versions of each Micro Focus product is deployed is a key data point to ensure that our customers receive the most appropriate action plan, once available.
If, after reviewing the guidance above, you still have an issue, please visit the Micro Focus Support portal and create a ticket. For all available bulletins, please visit the Micro Focus Security Alerts portal.
This blog only contains information related to CyberRes products, for all other Micro Focus products, please refer to the Micro Focus Security Bulletin .