RISC Platform Security Related Fixes

Tluxner

Summary

A high severity (CVSS score 8.1) vulnerability in Apache Log4j 1.2 has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2021-4104. This Apache Log4j component is included in the RISC Platform releases prior to SAAS-2021-12-29.

Additionally, two vulnerabilities with the identifiers CVE-2021-41527 and CVE-2021-41528 related to the User Interface have been addressed.

This article describes the potential impact of the vulnerabilities on the RISC Platform.

Vulnerability descriptions

CVE-2021-4104

The National Vulnerability Database describes the CVE-2021-4104 vulnerability at https://nvd.nist.gov/vuln/detail/CVE-2021-4104 as follows (current as of Jan 20, 2022):

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.

CVE-2021-41527

An error related to the 2-factor authorization (2FA) can potentially be exploited to bypass the 2FA. The vulnerability requires that the 2FA setup hasn’t been completed.

CVE-2021-41528

An error when handling authorization related to the import / export interfaces can potentially be exploited to access the import / export functionality with low privileges.

Mitigation options

  1. Log4j 1.2 components in the RISC Platform are not configured to use JMSAppender by default, and so are not exposed to a potential attack through this vulnerability.

  2. Out of an abundance of caution, Flexera has upgraded the Log4j components in the RISC Platform to version 2.17.0, which is not exposed to the vulnerability with the identifier CVE-2021-4104. This change is included in the saas-2021-12-29 release.

  3. The changes for the vulnerabilities with the identifiers CVE-2021-41527 and CVE-2021-41528 are also included in the saas-2021-12-29 release.
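Mitigation option 1 rests on no appender being configured as JMSAppender. As an added example (not part of Flexera's advisory or the RISC Platform code), the following Python script parses a Log4j 1.2 properties file and flags any appender of that class, together with the two JNDI binding keys that CVE-2021-4104 names; the sample configuration is constructed for illustration.

```python
import re

# Constructed sample log4j.properties (not from the advisory): one appender
# is an explicit JMSAppender carrying both JNDI binding keys named in
# CVE-2021-4104, the other is a plain file appender.
SAMPLE_CONFIG = """
log4j.rootLogger=INFO, jms, file
log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.file.File=/var/log/app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=someTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=someFactory
"""

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# The two configuration keys CVE-2021-4104 identifies as triggering JNDI lookups.
JNDI_KEYS = ("TopicBindingName", "TopicConnectionFactoryBindingName")


def parse_properties(text):
    """Minimal log4j.properties parser: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def find_jms_appenders(props):
    """Return {appender_name: {jndi_key: value}} for every JMSAppender."""
    findings = {}
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER_CLASS:
            prefix = f"log4j.appender.{m.group(1)}."
            findings[m.group(1)] = {k: props[prefix + k] for k in JNDI_KEYS if prefix + k in props}
    return findings


def audit(text):
    """Return human-readable findings; an empty list means no JMSAppender is configured."""
    report = []
    for name, jndi in find_jms_appenders(parse_properties(text)).items():
        detail = ", ".join(f"{k}={v}" for k, v in jndi.items()) or "no JNDI binding keys set"
        report.append(f"appender '{name}' uses JMSAppender ({detail})")
    return report
```

Run `audit()` over each log4j.properties shipped with a deployment; an empty result confirms the condition that mitigation option 1 relies on.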

Additional information

Flexera would like to thank Robert Gilbert (amroot) (https://www.linkedin.com/in/robertgilbert808) for helping to identify the vulnerabilities with the identifiers CVE-2021-41527 and CVE-2021-41528 under a responsible disclosure process.