On December 11, 2021, asigra, was made aware of a security event impacting Apache Software Log4j v2.x associated with CVE-2021-44228, also known as Log4Shell or LogJam).
What is Log4j?
Log4j is an open-source Java logging library that is widely used in a range of software applications and services around the world. The vulnerability can allow threat actors the opportunity to take control of any Java-based, internet-facing server and engage in Remote Code Execution (RCE) attacks.
Log4j was found to be vulnerable to a format string code execution bug that was not disclosed and patched in a coordinated manner. This bug utilizes JNDI capabilities that enable attackers to carry out a Remote Code Execution (RCE).
The bug (CVE-2021-44228 aka as Log4Shell) causes the vulnerable component to actively connect to the internet, fetch the malicious code, and run it.
Did Log4j Impact the Asigra Product?
The log4j configuration used by our Asigra software components does not utilize the JNDI feature affected by this vulnerability.
To avoid being flagged by scanning tools, Asigra is in the process of updating to the latest log4j version (2.16.0). We will be deploying hot-fix updates on the following v14.2 components:
- CDPA (FreeBSD)
- DS-Client (Windows)
- DS-NOC (Windows, Linux)
- Management Console (Windows, Linux, Mac)