What is the Apache Log4J?
Log4j is a widely used open-source library for logging within Java applications. Ascertia uses Log4J within ADSS Server, ADSS Auto-File Processor, ADSS Client SDK (Java) and Go>Sign Desktop.
Apache Log4J vulnerability summary
Ascertia has become aware of several security issues within the Apache Log4J v2 library which could be exploited by an attacker.
Log4J v2 security issues
- CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
- CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
- CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
- CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.
Further details are available at: https://logging.apache.org/log4j/2.x/security.html
Log4J v1 security issues
- CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration
Further details are available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
Applicability to Ascertia products
The following Ascertia products use the Log4J v2 logging library:
Ascertia has issued security bulletins to customers outlining the impacts, we've also detailed them below.
Ascertia does not use Log4J v1 in any of its products. As a result, any Log4J v1 security vulnerability does not apply.
Mitigating Factors
Ascertia immediately took corrective action and created software patches for all affected products. Daily updates on these patches have been published on Ascertia's Community.
Mitigating actions undertaken by the Ascertia team for our cloud service include:
- There are no known cases of this security issue affecting Ascertia customers.
- Customers should deploy Ascertia products behind firewalls and/or network security appliances as per security best practice.
- In order to attempt to exploit this vulnerability, an attacker would need the ADSS Server network address, port number and an authenticated session to ADSS Server.
- Customers operating Ascertia products within closed networks and any exposure is limited to internal employees (this is especially true for ADSS Go>Sign Desktop).
The full security bulletin can be found on the Ascertia Community. If you don’t have access, you can request this from your account team.
Corrective Actions
Ascertia is encouraging customers to apply software patches where required to any systems that may be affected by this issue. This includes customers that operate our products within their own networks or for those who are connected to our SaaS platforms.
The following Ascertia Patches address Log4J security issues:
Ascertia Security Bulletin - Dec21-001
Ascertia's response to Apache Log4J CVE-2021-44228 and CVE-2021-450046:
- ADSS Server ADSS Client SDK (Java) and Auto-File Processor patch 6.9.0.1
- ADSS Server ADSS Client SDK (Java) and Auto-File Processor patch 6.8.0.8
- ADSS Server ADSS Client SDK (Java) and Auto-File Processor patch 6.6.0.30
- ADSS Server ADSS Client SDK (Java) and Auto-File Processor patch 6.7.0.9
- ADSS Server ADSS Client SDK (Java) and Auto-File Processor patch 6.0.0.4
Ascertia Security Bulletin - Dec21-002
Ascertia Response to Apache Log4J CVE-2021-45105:
- Ascertia products do not use a Log4J PatternLayout in the logging configuration that would enable someone to perform an attack using this exploit.
Ascertia Security Bulletin - Jan22-001
Ascertia Response to Apache Log4J CVE-2021-44832
- Ascertia products do not use the Log4J JDBC Appender that would enable someone to perform an attack using this exploit.
Ascertia will include the latest version of Log4J in the next scheduled patch releases for all impacted products.
If you have any questions, please contact Ascertia support or your account team.