On Dec 9th, a zero-day exploit in an open-source library named “Log4j” was made public. This library is very popular for creating logs by Java applications.
The vulnerability is labelled as Log4Shell (CVE-2021-44228: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) and results in remote code execution (RCE) and is assigned highest CVE severity level of 10. The vulnerability impacts Apache Log4j2 versions 2.0 to 2.14.1.
The vulnerability can be exploited very easily if a user can connect to a Java based application and user can send a specially crafted string to the application over any protocol including TCP, HTTP or HTTPS.
It is particularly difficult to detect the presence of the library because it can be used in a source code form in any Java-based application and so simple software BOM generation tools may not be effective.
This announcement summarizes any potential impacts to Accops products and related announcements for mitigations of the issue.
Accops engineering and security team continue to actively work on identifying Accops’ and open-source modules included as part of Accops products which uses the log4j library for logging.
Accops has concluded that following products (all versions) do not use log4j library and are NOT vulnerable:
1. HySecure
2. HyWorks
3. HyDesk
4. HyID
5. BioAuth
6. Nano
7. HyLabs
8. HyLite
Following modules uses Java and analysis shows that the module is not vulnerable to RCE.
1. Accops Reporting Server based on ELK stack
Accops Reporting server is an internal service and is based on ELK stack and is built using Java.
Elasticsearch contains the vulnerable class which can lead to information leakage. (Apache Log4j2 Remote Code Execution (RCE) Vulnerability – CVE-2021-44228 – ESA-2021-31 – Announcements / Security Announcements – Discuss the Elastic Stack).
After a detailed analysis, our engineering team has released a patch to fix the issue.Kindly download patch by clicking below link :
https://downloads.accops.com/public/Log4j+Mitigation/ARS_Log4j_Mitigation.zip