A high severity (CVSS score 8.1) vulnerability in Apache Log4j 1.2 has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2021-4104. This Apache Log4j component is included in the RISC Platform releases prior to SAAS-2021-12-29.
Additionally, two vulnerabilities with the identifiers CVE-2021-41527 and CVE-2021-41528 related to the User Interface have been addressed.
This article describes the potential impact of the vulnerabilities on the RISC Platform.
The National Vulnerability Database describes the CVE-2021-4104 vulnerability at https://nvd.nist.gov/vuln/detail/CVE-2021-4104 as follows (current as of Jan 20, 2022):
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.
An error related to the 2-factor authorization (2FA) can potentially be exploited to bypass the 2FA. The vulnerability requires that the 2FA setup hasn’t been completed.
An error when handling authorization related to the import / export interfaces can potentially be exploited to access the import / export functionality with low privileges.
- Log4j 1.2 components in the RISC Platform are not configured to use JMSAppender by default, and so are not exposed to a potential attack through this vulnerability.
- Out of an abundance of caution, Flexera has upgraded the Log4j components in the RISC Platform to version 2.17.0, which is not exposed to the vulnerability with the identifier CVE-2021-4104. This change is included in the saas-2021-12-29 release.
- The changes for the vulnerabilities with the identifiers CVE-2021-41527 and CVE-2021-41528 are also included in the saas-2021-12-29 release.
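As an added illustration of the first point above (this is example code written for this article, not Flexera's or the RISC Platform's own code), the following Python script checks Log4j 1.2 configuration files for a JMSAppender definition, the precondition the CVE description names. The appender class name and the two JNDI property names come from the CVE text and the documented Log4j 1.2 configuration syntax; the sample log4j.properties and log4j.xml contents are constructed inline, and the context-factory class in them is a placeholder.

```python
"""Added example: find JMSAppender definitions in Log4j 1.2 configuration.

Scans the two Log4j 1.2 configuration formats (log4j.properties and log4j.xml)
and reports every appender whose class is org.apache.log4j.net.JMSAppender,
together with which JNDI-related properties from CVE-2021-4104 are set on it.
"""
import re
import sys
import xml.etree.ElementTree as ET

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# Properties named in the CVE description. Log4j 1.2's PropertySetter matches
# bean property names case-insensitively on the first letter, so compare lowercased.
JNDI_PROPS = {"topicbindingname", "topicconnectionfactorybindingname"}

# log4j.appender.NAME=<class>  or  log4j.appender.NAME.Prop=<value>
APPENDER_KEY = re.compile(r"^log4j\.appender\.([^.]+)(?:\.(.+))?$", re.IGNORECASE)


def _report(appenders):
    """Keep only JMSAppender entries and list the JNDI properties set on each."""
    return sorted(
        (name, sorted(entry["props"] & JNDI_PROPS))
        for name, entry in appenders.items()
        if entry["class"] == JMS_APPENDER_CLASS
    )


def scan_properties(text):
    """Return [(appender_name, [jndi_props...])] for a log4j.properties file."""
    appenders = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank, comment, or not a key=value line
        key, value = (part.strip() for part in line.split("=", 1))
        m = APPENDER_KEY.match(key)
        if not m:
            continue  # e.g. log4j.rootLogger=...
        name, prop = m.group(1), m.group(2)
        entry = appenders.setdefault(name, {"class": None, "props": set()})
        if prop is None:
            entry["class"] = value
        else:
            entry["props"].add(prop.lower())
    return _report(appenders)


def scan_xml(text):
    """Return [(appender_name, [jndi_props...])] for a log4j.xml file."""
    root = ET.fromstring(text)
    appenders = {}
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "appender":
            continue
        props = {
            (child.get("name") or "").lower()
            for child in elem
            if child.tag.rsplit("}", 1)[-1] == "param"
        }
        appenders[elem.get("name", "?")] = {"class": elem.get("class"), "props": props}
    return _report(appenders)


# Constructed sample configurations (placeholder context factory, not a real product's).
SAMPLE_PROPERTIES = """\
# constructed sample log4j.properties
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.example.jndi.PlaceholderContextFactory
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

SAMPLE_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.PatternLayout"/>
  </appender>
  <appender name="jmsq" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root><level value="info"/><appender-ref ref="console"/></root>
</log4j:configuration>
"""


def scan_file(path):
    """Pick the parser by file extension and return its findings."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return scan_xml(text) if path.lower().endswith(".xml") else scan_properties(text)


if __name__ == "__main__":
    paths = sys.argv[1:]
    results = [scan_file(p) for p in paths] if paths else [
        scan_properties(SAMPLE_PROPERTIES), scan_xml(SAMPLE_XML)]
    for label, found in zip(paths or ["sample.properties", "sample.xml"], results):
        status = "JMSAppender configured" if found else "no JMSAppender"
        print(f"{label}: {status} {found if found else ''}")
```

Run it with one or more `log4j.properties` / `log4j.xml` paths; with no arguments it scans the two embedded samples. A configuration that defines no JMSAppender is the state the article describes for the RISC Platform; a hit is worth reviewing regardless of the JNDI properties, since those can be added later by anyone with write access to the file.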
Flexera would like to thank Robert Gilbert (amroot) (https://www.linkedin.com/in/robertgilbert808) for helping to identify the vulnerabilities with the identifiers CVE-2021-41527 and CVE-2021-41528 under a responsible disclosure process.