
Apache Log4j CVE-2021-44228

An update on the Apache Log4j CVE-2021-44228 vulnerability

TL;DR

DNIF v9 is not vulnerable to the remote code execution vulnerability (CVE-2021-44228) impacting Apache Log4j 2 (versions 2.0 to 2.14.1).

Background

A critical remote code execution vulnerability impacting Apache Log4j 2 (versions 2.0 to 2.14.1) has been discovered and is being actively exploited. MITRE has assigned it CVE-2021-44228, with a severity rating of 10.0. The vulnerability allows unauthenticated remote code execution and is triggered when the vulnerable Log4j 2 component parses and processes a specially crafted string that the attacker supplies through any of a variety of input vectors. It is a serious vulnerability because of the widespread use of Java and the log4j package.

Summary of Impact on DNIF v9 Deployments

The DNIF Product Security team has been assessing both our on-premise and SaaS offerings for similar issues and we can confirm that DNIF v9 is not vulnerable to CVE-2021-44228.

The DNIF core software does not use the log4j library explicitly. Our on-premise software utilizes some Apache projects, which have been confirmed not to use the affected versions of log4j. Additionally, the JDK version being used is not vulnerable, as com.sun.jndi.ldap.object.trustURLCodebase is set to false, meaning JNDI cannot load remote code using LDAP. This means both the exploitation and the escalation risks are mitigated successfully.

We shall continue to monitor the exploitation of this vulnerability and any variants or bypasses that may emerge so that we are able to better advise and enable our customers to detect and defend themselves with the help of our SIEM software.
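
To check your own hosts for Log4j 2 releases in the range given above, the following added example (not DNIF's code or tooling, and not part of the original bulletin) scans .jar/.war/.ear files, including archives nested inside them, for log4j-core's Maven metadata and flags versions 2.0 to 2.14.1. It assumes the standard pom.properties path inside log4j-core, uses illustrative function names, and applies the bulletin's version range exactly as stated.

```python
import io
import os
import re
import sys
import zipfile

# Maven metadata shipped inside log4j-core jars; repackaged copies may lack it.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def in_affected_range(version):
    """True for 2.0 through 2.14.1, the range the bulletin states (taken as-is)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    return bool(m) and (2, 0, 0) <= tuple(int(g or 0) for g in m.groups()) <= (2, 14, 1)

def scan_archive(data, name):
    """Return [(location, version, affected)], descending into nested archives."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with zf:
        for entry in zf.namelist():
            if entry == POM:
                props = zf.read(entry).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                version = m.group(1).strip() if m else "unknown"
                hits.append((name, version, in_affected_range(version)))
            elif entry.lower().endswith(ARCHIVES):
                hits += scan_archive(zf.read(entry), name + "!/" + entry)
    return hits

def scan_tree(root):
    """Scan every .jar/.war/.ear file under root, skipping unreadable files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in (f for f in files if f.lower().endswith(ARCHIVES)):
            path = os.path.join(dirpath, f)
            try:
                with open(path, "rb") as fh:
                    hits += scan_archive(fh.read(), path)
            except OSError:
                continue
    return hits

if __name__ == "__main__":
    for loc, ver, bad in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(("AFFECTED  " if bad else "ok        ") + ver + "  " + loc)
```

Run it with a directory argument (for example an application's install path); a copy whose metadata has been stripped will not be reported, so an empty result is not proof of absence.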

References:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://logging.apache.org/log4j/2.x/security.html
https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/