Log4j2 CVE Vulnerability and SPG Controls

Description:

Like many manufacturers in our industry, we became aware on 10 December 2021 of the remote code execution vulnerability CVE-2021-44228 in the popular Java logging library Log4j2 (all versions between 2.0 and 2.14.1 are vulnerable).

SPG Controls Action:

SPG Controls scans its published Docker images for known security flaws. The Docker Hub team has added the Log4j2 CVE to this scanning process.

Vulnerability Summary:

  • Code developed by SPG Controls does NOT use Log4j2.
  • Some Official Docker Images do contain the vulnerability; however, the versions used by SPG Controls are NOT affected.
  • SPG Controls uses a version of Elasticsearch which does NOT contain the vulnerability.

Further Details:

Scan images on Docker Hub

Docker Hub security scans triggered after 1700 UTC on 13 December 2021 are now correctly identifying the Log4j2 CVE. Scans before this date do not currently reflect the status of this vulnerability. Therefore, we recommend that you trigger scans by pushing the image to Docker Hub to view the status of Log4j2 CVE in the vulnerability report.

Source: https://docs.docker.com/docker-hub/vulnerability-scanning/

Code developed by SPG Controls does NOT use Log4j2. Some Official Docker Images do contain the vulnerability; however, the versions in use by SPG Controls are not affected. The patched versions of the affected Official Images are listed below.

Repository      Patched version                    Additional documentation
couchbase       7.0.3                              Couchbase blog
Elasticsearch   6.8.22, 7.16.2                     Elasticsearch announcement
Flink           1.11.6, 1.12.7, 1.13.5, 1.14.2     Flink advice on Log4j CVE
Geonetwork      3.10.10                            Geonetwork GitHub discussion
lightstreamer   Awaiting info                      Awaiting info
logstash        6.8.22, 7.16.2                     Elasticsearch announcement
neo4j           4.4.2                              Neo4j announcement
solr            8.11.1                             Solr security news
sonarqube       8.9.5, 9.2.2                       SonarQube announcement
storm           Awaiting info                      Awaiting info

Elasticsearch mitigation

Elasticsearch mitigation summary matrix.

Note: While the below mitigations are considered complete, our overall recommendation is to update to version 7.16.2 or 6.8.22 or newer.

Yes indicates the versions that are subject to the vulnerability in question; No indicates they are not vulnerable. Version ranges are inclusive.

Source: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

SPG Controls uses a version of Elasticsearch which does NOT contain the vulnerability.

Elasticsearch     JDK   CVE IDs                          Information Leak   Remote Code Execution   Complete Mitigation
7.16.1 – 7.16.2   ≥ 8   CVE-2021-44228, CVE-2021-45046   No                 No                      N/A (not vulnerable)
7.0.0 – 7.16.0    ≥ 9   CVE-2021-44228, CVE-2021-45046   No                 No                      N/A [3] (not vulnerable)
7.0.0 – 7.16.0    < 9   CVE-2021-44228, CVE-2021-45046   Yes                No                      System property [1]
6.8.21            ≥ 8   CVE-2021-44228, CVE-2021-45046   No                 No                      N/A (not vulnerable)
6.0.0 – 6.8.20    ≥ 9   CVE-2021-44228, CVE-2021-45046   No                 No                      N/A [3] (not vulnerable)
6.4.0 – 6.8.20    < 9   CVE-2021-44228, CVE-2021-45046   Yes                No                      System property [1]
6.0.0 – 6.3.2     < 9   CVE-2021-44228, CVE-2021-45046   Yes                No                      Remove JndiLookup [2]
5.6.11 – 5.6.16   8     CVE-2021-44228, CVE-2021-45046   Yes                Yes                     System property [1]
5.0.0 – 5.6.10    8     CVE-2021-44228, CVE-2021-45046   Yes                Yes                     Remove JndiLookup [2]
< 5.0.0           any   CVE-2021-44228, CVE-2021-45046   No                 No                      N/A (not vulnerable)
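Both the Docker Hub scanning section above and the Elasticsearch mitigation matrix come down to the same three questions for any image or deployment: which log4j-core version is present, whether the JndiLookup class has been removed, and whether the system-property mitigation is in force. The Python script below is an added example (it is not SPG Controls' code and not Docker Hub's scanner) that answers those questions for a directory of JAR and WAR files, descending into JARs nested inside WARs, which goes slightly beyond the flat image scan described above. It runs offline against constructed sample JARs written to a temporary directory. It uses the vulnerable range this page states (2.0 to 2.14.1), does not model the JDK-version dependence shown in the matrix, and assumes that the matrix's "system property" mitigation is the JVM option -Dlog4j2.formatMsgNoLookups=true, which this page does not name.

```python
"""Scan a directory of JARs/WARs for log4j-core and report CVE-2021-44228 exposure.

Added example, not SPG Controls code. Sample JARs are constructed in a temp
directory so the script runs offline.
"""
import io
import os
import re
import tempfile
import zipfile

# Inclusive range given as vulnerable in the advisory text above.
VULNERABLE_MIN, VULNERABLE_MAX = (2, 0, 0), (2, 14, 1)
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"
# Assumption: the matrix's "system property" mitigation is this JVM option.
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def inspect_jar(zf):
    """Return (version, jndilookup_present) if zf is log4j-core, else None."""
    names = set(zf.namelist())
    if not any(n.startswith(CORE_PREFIX) for n in names):
        return None
    version = "unknown"
    if "META-INF/MANIFEST.MF" in names:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if match:
            version = match.group(1)
    return version, JNDI_CLASS in names


def classify(version, jndi_present, jvm_options):
    """Map the findings onto the advisory's mitigation categories."""
    if version == "unknown":
        return "UNKNOWN version: inspect manually"
    v = parse_version(version)
    if not (VULNERABLE_MIN <= v <= VULNERABLE_MAX):
        return "not affected (outside 2.0-2.14.1)"
    if not jndi_present:
        return "mitigated: JndiLookup removed"
    if MITIGATION_FLAG in jvm_options.split():
        return "mitigated: system property"
    return "VULNERABLE: update log4j-core"


def scan_tree(root, jvm_options=""):
    """Walk root, also descending into JARs nested inside WAR/EAR archives."""
    findings = []

    def visit(label, zf):
        info = inspect_jar(zf)
        if info:
            version, jndi = info
            findings.append({"jar": label, "version": version,
                             "jndilookup_present": jndi,
                             "status": classify(version, jndi, jvm_options)})
        for name in zf.namelist():
            if name.endswith((".jar", ".war", ".ear")):
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    visit(label + "!" + name, inner)

    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, f)
                with zipfile.ZipFile(path) as zf:
                    visit(os.path.relpath(path, root), zf)
    return findings


def build_sample_tree():
    """Constructed sample: two log4j-core JARs plus a WAR nesting a third."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def make_core_jar(version, with_jndi):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
            zf.writestr(CORE_PREFIX + "Logger.class", b"")  # placeholder class entry
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"")
        return buf.getvalue()

    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(make_core_jar("2.14.1", True))
    with open(os.path.join(root, "log4j-core-2.11.1-stripped.jar"), "wb") as f:
        f.write(make_core_jar("2.11.1", False))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.0.jar", make_core_jar("2.17.0", True))
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print("%-45s %-8s %s" % (finding["jar"], finding["version"], finding["status"]))
```

Point scan_tree at a directory extracted from a container image (for example the output of docker save unpacked) and pass the JVM options the service actually starts with; a 2.14.1 JAR then shows as mitigated only when the flag is present, and a JAR whose JndiLookup class was stripped shows as mitigated regardless, matching the two mitigation rows of the matrix.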

 
