Description:

Like many of the manufacturer’s in our Industry, we became aware on the 10th of December 2021 of the Remote Code Execution vulnerability CVE-2021-44228 in the popular Java logging library Log4j2 CVE (all versions between 2.0 and 2.14.1 are vulnerable).

SPG Controls Action:

SPG Controls scan the published docker images for known security flaws. The Log4j2 CVE vulnerability has been included in this process by the Docker Hub team.

Vulnerability Summary:

Code developed by SPG Controls does NOT use Log4j2 CVE.
Some Official Docker Images do contain the vulnerability; however, the versions used by SPG Controls are NOT affected.
SPG Control uses a version of Elasticsearch which does NOT contain the vulnerability.

Further Details:

Scan images on Docker Hub

Docker Hub security scans triggered after 1700 UTC the 13th of December 2021 are now correctly identifying the Log4j2 CVE. Scans before this date do not currently reflect the status of this vulnerability. Therefore, we recommend that you trigger scans by pushing the image to Docker Hub to view the status of Log4j2 CVE in the vulnerability report.

Source: https://docs.docker.com/docker-hub/vulnerability-scanning/

Code developed by SPG Controls does NOT use Log4j2 CVE. Some Official Docker Images do contain the vulnerability; however, the versions in use by SPG Controls are not affected.

Repository	Patched version	Additional documentation
couchbase	7.0.3	Couchbase blog
Elasticsearch	6.8.22, 7.16.2	Elasticsearch announcement
Flink	1.11.6, 1.12.7, 1.13.5, 1.14.2	Flink advice on Log4j CVE
Geonetwork	3.10.10	Geonetwork GitHub discussion
lightstreamer	Awaiting info	Awaiting info
logstash	6.8.22, 7.16.2	Elasticsearch announcement
neo4j	4.4.2	Neo4j announcement
solr	8.11.1	Solr security news
sonarqube	8.9.5, 9.2.2	SonarQube announcement
storm	Awaiting info	Awaiting info

Elasticsearch mitigation

Elasticsearch mitigation summary matrix.

Note: While the below mitigations are considered complete, our overall recommendation is to update to version 7.16.2 or 6.8.22 or newer.

Yes indicates the versions that are subject to the vulnerability in question, No indicates they are not vulnerable. Version ranges are inclusive.

Source: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

SPG Control uses a version of Elasticsearch which does NOT contain the vulnerability.

Elasticsearch	JDK	CVE IDs	Information Leak	Remote Code Execution	Complete Mitigation
7.16.1 – 7.16.2	≥ 8	CVE-2021-44228, CVE-2021-45046	No	No	N/A (not vulnerable)
7.0.0 – 7.16.0	≥ 9	CVE-2021-44228, CVE-2021-45046	No	No	N/A³ (not vulnerable)
7.0.0 – 7.16.0	< 9	CVE-2021-44228, CVE-2021-45046	Yes	No	System property¹
6.8.21	≥ 8	CVE-2021-44228, CVE-2021-45046	No	No	N/A (not vulnerable)
6.0.0 – 6.8.20	≥ 9	CVE-2021-44228, CVE-2021-45046	No	No	N/A³ (not vulnerable)
6.4.0 – 6.8.20	< 9	CVE-2021-44228, CVE-2021-45046	Yes	No	System property¹
6.0.0 – 6.3.2	< 9	CVE-2021-44228, CVE-2021-45046	Yes	No	Remove JndiLookup²
5.6.11 – 5.6.16	8	CVE-2021-44228, CVE-2021-45046	Yes	Yes	System property¹
5.0.0 – 5.6.10	8	CVE-2021-44228, CVE-2021-45046	Yes	Yes	Remove JndiLookup²
< 5.0.0	any	CVE-2021-44228, CVE-2021-45046	No	No	N/A (not vulnerable)

Sources:

https://www.lunasec.io/docs/blog/log4j-zero-day/

https://docs.docker.com/security/

https://docs.docker.com/docker-hub/vulnerability-scanning/

https://hub.docker.com/_/elasticsearch

https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Description:

SPG Controls Action:

Vulnerability Summary:

Further Details:

Scan images on Docker Hub

Elasticsearch mitigation

Leave a Reply

Leave a Reply Cancel reply

PRODUCTS

SOLUTIONS

CONTACT US

Description:

SPG Controls Action:

Vulnerability Summary:

Further Details:

Scan images on Docker Hub

Elasticsearch mitigation

You might also like

Leave a Reply

Leave a Reply Cancel reply

PRODUCTS

SOLUTIONS

CONTACT US

Cookie and Privacy Settings