Is OpSpace impacted by the Log4j vulnerability?

Artikelnummer: [5655] - Oude code: [12493]

Van toepassing op

On December 9, 2021, a vulnerability was detected in Log4j, an open-source Java logging library maintained by the Apache Software Foundation.

Ongoing analysis has shown that OpSpace is also partly affected by this vulnerability.

Impact for OpSpace:

CVE-2021-44832

Affected Log4j version: 

2.0 - 2.17 (excluding 2.3.2 and 2.12.4)

Impacted: 

No

Information: 

In OpSpace 1.8, the Audit Logging feature was introduced.
Logstash-7.10.1, which depends on Log4j 2.13.3 and 2.9.1, is used for Audit Logging.

The log4j configuration cannot be modified, as such this vulnerability cannot be exploited.

However, we recommend to install the latest hotfix (more details below) to patch other log4j related vulnerabilities.

CVE-2021-45105

Affected Log4j version: 

2.0 - 2.16 (excluding 2.12.3)

Impacted: 

Yes

Information: 

In OpSpace 1.8, the Audit Logging feature was introduced.
Logstash-7.10.1 is used for Audit Logging.
Logstash-7.10.1 uses Log4j 2.13.3 and 2.9.1

Mitigation: 

We recommend isolating the system/devices as much as possible in your network and limiting access to the network where possible.

OR

Disabling the audit log feature.

Information on how to disable this feature can be found in the installation manual.

Solution: 

A hotfix will be made available to mitigate this issue for all affected versions in the coming days.


update December 20, 2021:
A hotfix has been released which includes logstash-7.16.1: R33054201.

  • This Hotfix can be used on all affected versions. (1.8 => 1.9.4.1)
  • Only needed if the Audit logging feature is used or planned to be used short term.

This hotfix can also be found at the bottom of this article. (Login required.)

 

CVE-2021-45046

Affected Log4j version: 

2.0 - 2.15 (excluding 2.12.2)

Impacted: 

Yes

Information: 

In OpSpace 1.8, the Audit Logging feature was introduced.
Logstash-7.10.1 is used for Audit Logging.
Logstash-7.10.1 uses Log4j 2.13.3 and 2.9.1

Mitigation: 

We recommend isolating the system/devices as much as possible in your network and limiting access to the network where possible.

OR

Disabling the audit log feature.

Information on how to disable this feature can be found in the installation manual.

Solution: 

A hotfix will be made available to mitigate this issue for all affected versions in the coming days.


update December 20, 2021:
A hotfix has been released which includes logstash-7.16.1: R33054201.

  • This Hotfix can be used on all affected versions. (1.8 => 1.9.4.1)
  • Only needed if the Audit logging feature is used or planned to be used short term.

This hotfix can also be found at the bottom of this article. (Login required.)

 

CVE-2021-44228

Affected Log4j version: 

2.0 - 2.14.1 (excluding 2.12.2)

Impacted: 

Yes

Information: 

In OpSpace 1.8, the Audit Logging feature was introduced.
Logstash-7.10.1 is used for Audit Logging.
Logstash-7.10.1 uses Log4j 2.13.3 and 2.9.1

Mitigation: 

We recommend isolating the system/devices as much as possible in your network and limiting access to the network where possible.

OR

Disabling the audit log feature.

Information on how to disable this feature can be found in the installation manual.

Solution: 

A hotfix will be made available to mitigate this issue for all affected versions in the coming days.


update December 20, 2021:
A hotfix has been released which includes logstash-7.16.1: R33054201.

  • This Hotfix can be used on all affected versions. (1.8 => 1.9.4.1)
  • Only needed if the Audit logging feature is used or planned to be used short term.

This hotfix can also be found at the bottom of this article. (Login required.)

CVE-2021-4104
Affected Log4j version:1.2.X
Impacted:No
Information:

EDP Agent uses Log4j 1.2.5.
But OpSpace is not affected because:

  • no usage of JMS Appender
  • no write access to config
CVE-2019-17571
Affected Log4j version:1.2.X
Impacted:No
Information:

EDP Agent uses Log4j 1.2.5.
But OpSpace is not affected because SocketServer is not used in OpSpace.

CVE-2017-5645
Affected Log4j version:2.0 - 2.8.2
Impacted:No
Information:

No affected Log4j version is used.
No usage of SocketServer in OpSpace.

To ensure optimal security, we recommend always upgrading to the latest version of OpSpace.

Please apply hotfix R33054201 if you have an affected version (OpSpace 1.8 => OpSpace 1.9.4.1)
AND
use the audit logging feature.

Please be aware that some security scanning tools only verify the version of a component to indicate if it is vulnerable or not. Based on our internal investigation of how the component is used and configured, we indicate if the vulnerability is exploitable or not. (cf. impact statement per CVE identifier in the KB).

Please note that the above article contains preliminary information and will be updated regularly.

Eigenschappen

Laatst bijgewerkt 14 jun. 2022