Summary
A high severity (CVSS score 8.1) vulnerability in Apache Log4j 1.2 has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2021-4104. This Apache Log4j component is included in the RISC Platform releases prior to SAAS-2021-12-29.
Additionally, two vulnerabilities with the identifiers CVE-2021-41527 and CVE-2021-41528 related to the User Interface have been addressed.
This article describes the potential impact of the vulnerabilities on the RISC Platform.
Vulnerability descriptions
The National Vulnerability Database describes the CVE-2021-4104 vulnerability at https://nvd.nist.gov/vuln/detail/CVE-2021-4104 as follows (current as of Jan 20, 2022):
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.
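As an added example that is not part of the Flexera advisory: a small Python check that flags JMSAppender entries, together with the two JNDI binding names the NVD text mentions, in a Log4j 1.2 configuration in either the properties or the XML format. The sample configurations are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
JNDI_PARAMS = {"TopicBindingName", "TopicConnectionFactoryBindingName"}

def scan_properties(text):
    """Map each JMSAppender in a log4j.properties body to its JNDI binding params."""
    names, params = set(), {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        m = re.match(r"log4j\.appender\.([^.]+)(?:\.(\w+))?$", key.strip())
        if not sep or not m:
            continue
        name, prop, value = m.group(1), m.group(2), value.strip()
        if prop is None and value == JMS_APPENDER:
            names.add(name)                     # the appender class line
        elif prop in JNDI_PARAMS:
            params.setdefault(name, {})[prop] = value
    return {n: params.get(n, {}) for n in names}

def scan_xml(text):
    """Same result for a Log4j 1.x log4j.xml body (DOMConfigurator format)."""
    findings = {}
    for app in ET.fromstring(text).iter("appender"):
        if app.get("class") == JMS_APPENDER:
            findings[app.get("name")] = {p.get("name"): p.get("value")
                                         for p in app.findall("param")
                                         if p.get("name") in JNDI_PARAMS}
    return findings

# Constructed samples: the properties file wires up a JMSAppender with both
# JNDI binding names; the XML file only uses a FileAppender and is benign.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.example.jndi.InitialContextFactory
log4j.appender.jms.TopicBindingName=logs/topic
log4j.appender.jms.TopicConnectionFactoryBindingName=logs/tcf
"""
SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="file" class="org.apache.log4j.FileAppender">
    <param name="File" value="app.log"/>
  </appender>
</log4j:configuration>
"""

if __name__ == "__main__":
    print(scan_properties(SAMPLE_PROPERTIES), scan_xml(SAMPLE_XML))
```

A non-empty result means the configuration selects the non-default JMSAppender that the NVD text describes, which is the condition to review when checking an affected release.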
An error related to two-factor authentication (2FA) can potentially be exploited to bypass 2FA. The vulnerability requires that the 2FA setup has not been completed.
An authorization error in the import/export interfaces can potentially be exploited to access the import/export functionality with low privileges.
Mitigation options
Additional information
Flexera would like to thank Robert Gilbert (amroot) (https://www.linkedin.com/in/robertgilbert808) for helping to identify the vulnerabilities with the identifiers CVE-2021-41527 and CVE-2021-41528 under a responsible disclosure process.