Log4j2 CVE Vulnerability and SPG Controls
by Steve Barton
Description:
Like many manufacturers in our industry, we became aware on the 10th of December 2021 of the Remote Code Execution vulnerability CVE-2021-44228 in the popular Java logging library Log4j2 (all versions between 2.0 and 2.14.1 are vulnerable).
SPG Controls Action:
SPG Controls scans the Docker images it publishes for known security flaws. The Log4j2 CVE has been added to this scanning process by the Docker Hub team.
Vulnerability Summary:
- Code developed by SPG Controls does NOT use Log4j2.
- Some Official Docker Images do contain the vulnerability; however, the versions used by SPG Controls are NOT affected.
- SPG Controls uses a version of Elasticsearch which does NOT contain the vulnerability.
Further Details:
Scan images on Docker Hub
Docker Hub security scans triggered after 1700 UTC the 13th of December 2021 are now correctly identifying the Log4j2 CVE. Scans before this date do not currently reflect the status of this vulnerability. Therefore, we recommend that you trigger scans by pushing the image to Docker Hub to view the status of Log4j2 CVE in the vulnerability report.
Source: https://docs.docker.com/docker-hub/vulnerability-scanning/
Code developed by SPG Controls does NOT use Log4j2. Some Official Docker Images do contain the vulnerability; however, the versions in use by SPG Controls are not affected.
| Repository | Patched version | Additional documentation |
|---|---|---|
| | 7.0.3 | |
| | 6.8.22, 7.16.2 | |
| | 1.11.6, 1.12.7, 1.13.5, 1.14.2 | |
| | 3.10.10 | |
| | Awaiting info | Awaiting info |
| | 6.8.22, 7.16.2 | |
| | 4.4.2 | |
| | 8.11.1 | |
| | 8.9.5, 9.2.2 | |
| | Awaiting info | Awaiting info |
Elasticsearch mitigation
Elasticsearch mitigation summary matrix.
Note: While the below mitigations are considered complete, our overall recommendation is to update to version 7.16.2 or 6.8.22 or newer.
Yes indicates the versions that are subject to the vulnerability in question, No indicates they are not vulnerable. Version ranges are inclusive.
SPG Controls uses a version of Elasticsearch which does NOT contain the vulnerability.
| Elasticsearch | JDK | CVE IDs | Information Leak | Remote Code Execution | Complete Mitigation |
|---|---|---|---|---|---|
| 7.16.1 – 7.16.2 | ≥ 8 | CVE-2021-44228, CVE-2021-45046 | No | No | N/A (not vulnerable) |
| 7.0.0 – 7.16.0 | ≥ 9 | CVE-2021-44228, CVE-2021-45046 | No | No | N/A [3] (not vulnerable) |
| 7.0.0 – 7.16.0 | < 9 | CVE-2021-44228, CVE-2021-45046 | Yes | No | System property [1] |
| 6.8.21 | ≥ 8 | CVE-2021-44228, CVE-2021-45046 | No | No | N/A (not vulnerable) |
| 6.0.0 – 6.8.20 | ≥ 9 | CVE-2021-44228, CVE-2021-45046 | No | No | N/A [3] (not vulnerable) |
| 6.4.0 – 6.8.20 | < 9 | CVE-2021-44228, CVE-2021-45046 | Yes | No | System property [1] |
| 6.0.0 – 6.3.2 | < 9 | CVE-2021-44228, CVE-2021-45046 | Yes | No | Remove JndiLookup [2] |
| 5.6.11 – 5.6.16 | 8 | CVE-2021-44228, CVE-2021-45046 | Yes | Yes | System property [1] |
| 5.0.0 – 5.6.10 | 8 | CVE-2021-44228, CVE-2021-45046 | Yes | Yes | Remove JndiLookup [2] |
| < 5.0.0 | any | CVE-2021-44228, CVE-2021-45046 | No | No | N/A (not vulnerable) |
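The mitigation matrix above names two mitigations, "System property" and "Remove JndiLookup", but a defender still has to verify that one of them is actually in place on a given host. The script below is an added example written for this page; it is not SPG Controls' or Elastic's code. It inspects a log4j-core jar for the affected version range stated at the top of the page (2.0 to 2.14.1, inclusive) and for the presence of the JndiLookup class, and checks a jvm.options-style text for the lookup-disabling property. Two assumptions are made: that the jar's MANIFEST.MF carries an Implementation-Version header (as Maven-built log4j-core jars do), and that the "System property" in the table is `log4j2.formatMsgNoLookups`, which the page does not name. The sample jars are constructed in a temporary directory and contain placeholder bytes, not real class files.

```python
"""Verify the two Log4j2 mitigations named in the matrix: an affected
log4j-core jar with JndiLookup removed, or the lookup-disabling system
property set in jvm.options. Added example; not the vendor's code."""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed name of the "System property" mitigation referred to in the table.
SYSTEM_PROPERTY = "log4j2.formatMsgNoLookups"
# Affected range stated in the advisory above (inclusive).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def jar_version(zf):
    """Read Implementation-Version from the manifest (assumed present);
    fall back to a version embedded in the file name."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    if m:
        return m.group(1)
    m = re.search(r"log4j-core-(\d+(?:\.\d+)*)", os.path.basename(zf.filename))
    return m.group(1) if m else None


def assess_jar(path):
    """Return (version, jndi_lookup_present, verdict) for one jar."""
    with zipfile.ZipFile(path) as zf:
        version = jar_version(zf)
        has_jndi = JNDI_LOOKUP in zf.namelist()
    if version is None:
        return (None, has_jndi, "unknown version: inspect manually")
    in_range = AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
    if not in_range:
        verdict = "outside the 2.0-2.14.1 range listed above"
    elif has_jndi:
        verdict = "vulnerable: affected version with JndiLookup present"
    else:
        verdict = "mitigated: affected version but JndiLookup removed"
    return (version, has_jndi, verdict)


def jvm_options_mitigated(text):
    """True if an uncommented line in jvm.options-style text sets the
    lookup-disabling property to true."""
    pattern = re.compile(r"-D%s=true" % re.escape(SYSTEM_PROPERTY))
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        if pattern.fullmatch(line):
            return True
    return False


def build_sample_jars():
    """Constructed sample jars (not real log4j builds) for demonstration.
    Returns a dict of file name -> path in a temporary directory."""
    tmp = tempfile.mkdtemp()
    samples = {
        "log4j-core-2.14.1.jar": ("2.14.1", True),
        "log4j-core-2.14.1-stripped.jar": ("2.14.1", False),
        "log4j-core-2.17.0.jar": ("2.17.0", True),
    }
    paths = {}
    for name, (version, with_jndi) in samples.items():
        path = os.path.join(tmp, name)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
            if with_jndi:
                # Placeholder bytes standing in for the real class file.
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        paths[name] = path
    return paths


if __name__ == "__main__":
    for name, path in build_sample_jars().items():
        print(name, assess_jar(path))
    print("jvm.options mitigated:",
          jvm_options_mitigated("-Xms1g\n-Dlog4j2.formatMsgNoLookups=true\n"))
```

Run it against a real deployment by pointing `assess_jar` at each log4j-core jar found under the application's lib directory and `jvm_options_mitigated` at the contents of its jvm.options; a jar reported as "vulnerable" with no property set means neither mitigation from the matrix is in effect, and the page's own recommendation, upgrading to 7.16.2 or 6.8.22 or newer, still applies.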