CVE-2021-44228: Apache Log4j Remote Code Execution Vulnerability - Log4Shell
Overview
CVE | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 |
CWE | CWE-94 - Improper Control of Generation of Code ('Code Injection') |
CVSS v3.x | 10.0 - Critical |
This article describes the critical vulnerability in Log4j, the widely used logging library for Java applications (the vulnerability is also known as Log4Shell), and the use of Log4j in Matrix42 products.
Matrix42 products affected by the Log4j vulnerability
Log4j is used only in the following products; all other Matrix42 products are not affected.
Component | Matrix42 Risk evaluation | Required Actions/Recommendations | Note | Fixed Version | Mitigation |
FireScope Edge Device | Increased Risk | We strongly recommend that our customers restrict user access to the Edge device, as this is not normally required. It should not be exposed to the Internet, which is our general recommendation. | The FireScope Edge device is distributed in the customer's infrastructure but not exposed to the Internet. Thus, Edge devices are exposed to the risk of insider attacks. | FireScope v4.5.0 or later | |
FireScope App Server | Low Risk | If you are not actively using the Integration Manager, we recommend restricting access to the REST API. | The FireScope App Server is used internally by the FireScope Web Server and is contacted directly by edge devices using a BSON-based binary protocol. In addition, the App Server provides a REST API for integration use cases. The REST API is considered vulnerable at this time, but only authorized user agents can access it. | FireScope v4.5.0 or later | |
FireScope Agent | Very Low Risk | For Windows Agent version 4.0.52, we recommend manual removal of Log4j by deleting the following file: C:\Program Files\FireScope\agent\modules\wmidelegate\jar\log4j.jar | The FireScope Windows Agent is deployed on endpoints to collect additional metrics. The Agent in the default configuration does not run Java code and is not vulnerable. Customers have the option to enable a Java application monitoring feature. In this case, the Agent runs Java code using Log4j version 1. Considering that the agent does not transmit anything to the Internet, we classify the risk as very low. | | |
FireScope Flex Agent | Very Low Risk | None | The FireScope Flex Agent is the monitoring agent for the infrastructure. This agent runs on all FireScope nodes (Web, App, Edge, and Mongo). The agent uses Log4j version 1, but does not provide any interfaces to the outside world. Thus, we rate the risk level as very low. | None | None |
Empirum Web Console (EWC) | Very Low Risk | None | In the EWC we use Log4j version 1, and the JMSAppender feature is not activated; LDAP addresses are also not used or queried. The EWC is not used in the Matrix42 SaaS Solution. | Empirum 21.0 Update 2, Empirum 20.0 Update 3, Empirum 19.0 Update 3 | |
FireScope Web Server | Risk-free | None | Hosts the user interface of FireScope and does not run any Java code. | N/A | N/A |
Next Steps
Matrix42 will continue to provide updates as necessary in this document. We are working on updates for our affected products as listed in the table above. As a Matrix42 FireScope SaaS customer, you currently do not need to take any action. We will perform all necessary remediations and patches for you for the cloud-based components.
Updates
Update 1 (2021-12-17):
A Hotfix is available for the FireScope Edge Device and App Server. Matrix42 FireScope SaaS customers will receive the App Server Hotfix automatically. Please pay attention to the announcement by mail or within the FireScope SaaS user interface. For Edge Device updates, our Customer Service is available to all customers. To schedule an appointment, please submit a request to support@firescope.com. Alternatively, you can contact your Account Manager or Field Engineer.
Update 2 (2021-12-23):
We provided a Hotfix installer on 23 December 2021 for Empirum version 19.0 Update 3, 20.0 Update 3 and 21.0 Update 2 that updates the Log4j component used in the Empirum Web Console (EWC) and addresses CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. We recommend that you apply the Hotfix as soon as possible. The download for this can be found as usual in our Marketplace. Matrix42 Empirum SaaS customers are not affected as no EWC is provided.
Update 3 (2022-01-06):
The known vulnerability CVE-2021-44832, addressed in Log4j 2.17.1, is currently under investigation for the EWC and FireScope Edge Device. The FireScope App Server version 3.9.5.3 already includes Log4j 2.17.1. We continuously reassess the threat of vulnerable components in our software and, based on this, either provide short-term Hotfixes or update components within our standard release cycles.
Update 4 (2022-02-08):
For customers using FireScope Windows Agent version 4.0.52 (32/64-bit), we recommend manual removal of Log4j by deleting the following file, which will not affect the operation of the Agent: C:\Program Files\FireScope\agent\modules\wmidelegate\jar\log4j.jar.
By removing the file, there is no further threat from the logging library for Java applications Log4j.
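The manual removal recommended above, as an added PowerShell example (not Matrix42's own tooling): it records the jar's SHA-256 and manifest version, reports whether the Log4j 1 `JMSAppender` or Log4j 2 `JndiLookup` class is inside, then deletes the file. The two class names are the upstream Log4j ones and are not taken from this advisory; the default path is the one given above.

```powershell
# Added example: audit, then remove, the Log4j jar shipped with FireScope Windows Agent 4.0.52.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Path as given in the advisory; adjust if the Agent was installed elsewhere.
    [string]$JarPath = 'C:\Program Files\FireScope\agent\modules\wmidelegate\jar\log4j.jar'
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-Log4jJarInfo {
    param([Parameter(Mandatory)][string]$Path)
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $names = $zip.Entries | ForEach-Object { $_.FullName }
        $version = $null   # stays $null if the manifest states no version
        $manifest = $zip.GetEntry('META-INF/MANIFEST.MF')
        if ($manifest) {
            $reader = New-Object System.IO.StreamReader($manifest.Open())
            try {
                if ($reader.ReadToEnd() -match '(?m)^Implementation-Version:\s*(\S+)') {
                    $version = $Matches[1]
                }
            } finally { $reader.Dispose() }
        }
        [pscustomobject]@{
            Path        = $Path
            Sha256      = $hash
            Version     = $version
            # Log4j 1.x class behind the JMSAppender feature
            JMSAppender = $names -contains 'org/apache/log4j/net/JMSAppender.class'
            # Log4j 2.x JNDI lookup class associated with CVE-2021-44228
            JndiLookup  = $names -contains 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
        }
    } finally { $zip.Dispose() }
}

if (-not (Test-Path -LiteralPath $JarPath -PathType Leaf)) {
    Write-Output "Not found, nothing to remove: $JarPath"
    return
}

Get-Log4jJarInfo -Path $JarPath | Format-List

if ($PSCmdlet.ShouldProcess($JarPath, 'Delete Log4j jar')) {
    Remove-Item -LiteralPath $JarPath -Force
    Write-Output "Removed: $JarPath"
}
```

Saved as a script and run with `-WhatIf`, it prints the audit record without deleting anything, which is useful for keeping evidence of what was on the endpoint before remediation.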
We provided a Hotfix installer on 28 January 2022 for Empirum version 19.0 Update 3 and 20.0 Update 3 that updates the Log4j component used in the Empirum Web Console (EWC) and addresses CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832. Empirum Version 21.0 Update 3, which is about to be released, will replace Version 21.0 Update 2 and also include the latest Log4j version 2.17.1. We recommend that you apply the Hotfix as soon as possible. The download for this can be found as usual in our Marketplace. Matrix42 Empirum SaaS customers are not affected as no EWC is provided.
Update 5 (2022-05-23):
FireScope Windows Agent v2022.05 no longer contains Log4j. All other FireScope Agents were never affected. The download for this can be found as usual in our Marketplace.
Change log
Date | Description of change |
2021-12-15 | Initial publication |
2021-12-17 | Update 1 - Hotfix for FireScope provided. |
2021-12-20 | Update 2 - Hotfix for Empirum Web Console provided. |
2021-12-23 | Update 1 and 2 revised. |
2022-01-06 | Update 3 provided, fixed versions and mitigation added. |
2022-02-08 | Update 4 - Required Actions/Recommendations for the FireScope Windows Agent updated. New Hotfix for Empirum Web Console provided. |
2022-05-23 | Update 5 - Removed Log4j in FireScope Windows Agent. |