Security Bulletin Update - Log4J Issue (CVE-2021-44228)
NOTE: This incident is no longer considered active, but is being maintained as Monitoring for short-term visibility.
This is an update of Idera's internal review of the Log4J Issue (CVE-2021-44228). Idera has completed its review/investigation across all product families. The status of products is as follows:
• Qubole’s investigation of the CVE-2021-44228 vulnerability in the Apache Log4j library continues to advance, with focus on identifying any exposed instance of a vulnerable Apache Log4j library as per Apache’s public updates. Qubole consists of two parts: (1) the Control Plane, which resides on Qubole-controlled hardware and (2) the Data Plane, which resides on Customer-controlled hardware. The investigation is guided by this structure.
• Within the Control Plane (on Qubole-controlled hardware), our investigation confirmed there are no exposed instances of the Apache Log4j library within the version range that contains this vulnerability. Therefore, the investigation confidently concludes the Control Plane is not impacted by the Apache Log4j vulnerability.
• For the Data Plane (on Customer-controlled hardware), we understand Qubole customers will want to take immediate action to protect the environments they control. This immediate action can be achieved by following the mitigation instructions as published by Apache on the Apache website (https://logging.apache.org/log4j/2.x/security.html).
Xblend / Xray:
• All Xray/Xporter Server/DC and Cloud products and Xray Exploratory Testing (XEA) - Our investigation confirmed there are no exposed instances of the Apache Log4j library within the version range that contains this vulnerability. Therefore, the investigation confidently concludes that no version of these products is impacted by the Apache Log4j vulnerability.
• Xray Server/DC and Cloud connectors - The following XRay connectors were found to contain a vulnerable version of the Apache Log4j library. Each has been updated to remove the vulnerability and those updates are now available as follows:
◦ XRay Connector for Bamboo
▪ Available on the Atlassian Marketplace
▪ Instructions: https://docs.getxray.app/display/XRAY/Integration+with+Bamboo
◦ XRay TeamCity Plugin
▪ Available on the TeamCity Website
▪ Instructions: https://docs.getxray.app/display/XRAY/Integration+with+TeamCity
◦ XRay for JIRA Jenkins Plugin
▪ Available on the Jenkins Store
▪ Instructions: https://docs.getxray.app/display/XRAY/Integration+with+Jenkins
All Other Idera Product Families:
Our investigation confirmed there are no exposed instances of the Apache Log4j library within the version range that contains this vulnerability. Therefore, the investigation confidently concludes none are impacted by the Apache Log4j vulnerability.
Although our initial and thorough investigation has concluded, Idera continues to monitor for potential breaches. We will continue to actively monitor this situation and communicate with stakeholders as appropriate.
Idera Security Bulletin CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.
Idera does not use JMSAppender within our products so we are not impacted by this new CVE.
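As an added example, not part of this bulletin or of any Idera product, the following script checks whether a Log4j 1.2 configuration (properties or XML form) declares a JMSAppender and which of the two JNDI-related settings named above it carries; the sample configurations embedded in it are constructed for illustration.

```python
"""Check Log4j 1.2 configurations for JMSAppender exposure (CVE-2021-4104)."""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# The two settings that drive JMSAppender's JNDI lookups.
JNDI_KEYS = {"TopicBindingName", "TopicConnectionFactoryBindingName"}
# Matches "log4j.appender.<name>[.<property>]=<value>" lines.
APPENDER_LINE = re.compile(r"log4j\.appender\.([^.=\s]+)(?:\.([^=\s]+))?\s*=\s*(.*)")


def scan_properties(text):
    """Map each JMSAppender name to the sorted JNDI keys set on it (properties format)."""
    classes, props = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = APPENDER_LINE.match(line)
        if not m:
            continue
        name, prop, value = m.group(1), m.group(2), m.group(3).strip()
        if prop is None:
            classes[name] = value  # appender class declaration
        elif prop in JNDI_KEYS:
            props.setdefault(name, set()).add(prop)
    return {n: sorted(props.get(n, ())) for n, c in classes.items() if c == JMS_APPENDER}


def scan_xml(text):
    """Same check for the log4j.xml format (<appender class=...><param name=.../>)."""
    root = ET.fromstring(text)
    findings = {}
    for app in root.iter("appender"):
        if app.get("class") == JMS_APPENDER:
            keys = [p.get("name") for p in app.findall("param") if p.get("name") in JNDI_KEYS]
            findings[app.get("name")] = sorted(keys)
    return findings


# Constructed sample configurations (not taken from any real deployment).
SAMPLE_PROPERTIES = """# constructed sample log4j.properties
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""
SAMPLE_XML = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
</log4j:configuration>"""

if __name__ == "__main__":
    print("properties:", scan_properties(SAMPLE_PROPERTIES))
    print("xml:", scan_xml(SAMPLE_XML))
```

An empty result means no JMSAppender is configured, which is the condition under which the bulletin states the issue does not apply.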
If you have any questions or concerns, please contact us.
Idera Security and Compliance Team