cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Security Advisory: Log4j Java Vulnerability (CVE-2021-4104, CVE-2021-45046, CVE-2021-44228)

cvirata
Revenera Community Admin Revenera Community Admin
Revenera Community Admin
6 45 22.3K

UPDATE: Revenera’s response to Apache Log4j vulnerabilities CVE-2021-45105, CVE-2021-45046, CVE-2021-44228, and CVE-2021-4104

(as of 14-Jan 10:20 CST)

A critical vulnerability in Apache Log4j 2 impacting versions from 2.0-beta9 to 2.14.1 has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2021-44228.

Revenera is expanding its product impact assessment and mitigation information to include CVE-2021-45105, CVE-2021-45046CVE-2021-44228, and CVE-2021-4104. This notice provides currently available information about the potential impact of these vulnerabilities on Revenera products. 

 

NOTE: Be advised this is an ongoing assessment. Information about related and subsequent Log4j CVEs not listed below may be found in the product's respective knowledge base. 

 

Information about Flexera products: Flexera’s response to Apache Log4j remote code execution vulnerability CVE-2021-4104, CVE-2021-45046 and CVE-2021-44228

Revenera Product Assessment

Product

Potential Exposure to CVE-2021-44228

Potential Exposure to CVE-2021-45105, CVE-2021-45046

Potential Exposure to CVE-2021-4104

Potentially Exposed Components or Versions

Fixed Version

Mitigation

InstallShield

No

No

No

N/A

N/A

KB Article

InstallAnywhere

No

No

No

N/A

N/A

KB Article

Code Insight

No

No

No

N/A

N/A

KB Article

Code Aware (independent of Code Insight)

No

No

No

N/A

N/A

KB Article

FlexNet Operations Cloud ALM

Yes

Yes

Yes

Revenera managed services:

  • Core module
  • Updates and Insights
  • Data Access APIs

CVE-2021-44228, CVE-2021-45105, CVE-2021-45046, CVE-2021-4104: 2022.02

UAT: Upgraded to Log4j 2.17.0 (22-Dec)

PROD: Upgraded to Log4j 2.17.0 (23-Dec)

FlexNet Operations Cloud LLM

No

No

Yes

Core module

CVE-2021-4104: 2022.02

 

FlexNet Operations On-Premises

Yes

Yes

Yes

Core module

CVE-2021-44228, CVE-2021-45105, CVE-2021-45046: 2021 R1 Hotfix

CVE-2021-4104: Pending

CVE-2021-44228, CVE-2021-45105, CVE-2021-45046

FlexNet Embedded

Yes

Yes

Yes

FlexNet License Server Manager (FLSM)

CVE-2021-44228, CVE-2021-45105, CVE-2021-45046: 2021.12.2 (or later)

CVE-2021-44228, CVE-2021-45105, CVE-2021-45046

CVE-2021-4104 

FlexNet Publisher

Yes

Yes

No

2021 R4 (11.18.3.0), only when using lmadmin alerts example code

2021 R4 SP1 (11.18.3.1)

CVE-2021-44228, CVE-2021-45105, CVE-2021-45046

FlexNet Connect

No

No

No

N/A

N/A

KB Article

Usage Intelligence

Yes

Yes

No

Java SDK

5.6.1

CVE-2021-44228, CVE-2021-45105, CVE-2021-45046

Compliance Intelligence

Yes

Yes

No

RDS (Revenera managed service)

PROD: Upgraded to Log4j 2.17.0 (20-Dec)

N/A

 

Related Information:

Apache Security Site for CVE severity, score, and vector string: https://logging.apache.org/log4j/2.x/security.html

CVE-2021-44228:

CVE-2021-4104:

CVE-2021-45046:

CVE-2021-45105:

Change Log

2022-01-14 10:20 CST: Updated FNO impact assessment and added index link to related CVEs.

2022-01-10 12:28 CST: Added KB link to FlexNet Publisher Log4j index.

2022-01-10 11:38 CST: Added note on where to find info on subsequent KBs and KB link to FlexNet Embedded Log4j index.

2021-12-30 16:01 CST: FlexNet Operations 2021 R1 On-Premises hotfix announced.

2021-12-30 15:27 CST: Updated Code Aware product assessment to 'No' for listed vulnerabilities. 

2021-12-30 13:19 CST: Usage Intelligence 5.6.1 fix available. Added download link. 

2021-12-28 13:29 CST: Added impact KB article for FlexNet Connect.

2021-12-24 20:20 CST: FLSM patch 2021.12.2 available on PLC. 

2021-12-24 20:08 CST: Updated Code Insight product assessment. 

2021-12-23 16:20 CST: Added target date for FLSM patch 

2021-12-23 15:48 CST: Product assessment updates for (InstallShield, InstallAnywhere, Code Insight, FlexNet Operations Cloud LLM, FlexNet Publisher, FlexNet Connect, and Compliance Intelligence). FlexNet Operations Cloud ALM components upgraded to Log4j 2.17.0. 

2021-12-22 ‎11:45 CST: Updated FlexNet Operations Cloud ALM with deployed fix in UAT. Open to customer testing. Fix deployment to Production pending.

2021-12-20 ‎13:30 CST: Updated Compliance Intelligence Fix Version column.

2021-12-17 13:12 CST: Updated KB article titles under Mitigation column to the respective CVE.

2021-12-17 11:50 CST: Security Advisory updated for CVE-2021-4104 and CVE-2021-45046. Assessments pending.

2021-12-16 10:25 CST: Updated FlexNet Operations On-Premises with mitigation steps in linked KB Article.

2021-12-16 9:14 CST: Updated InstallShield and InstallAnywhere potential exposure to 'No' based on Code Insight assessment.

2021-12-15 13:57 CST: Updated Standalone Code Insight potential exposure to 'No'. Linked KB article mitigation steps.

2021-12-15 10:22 CST: Linked mitigation KB article to InstallShield and InstallAnywhere assessments.

2021-12-14 14:30 CST: Updated FlexNet Connect potential exposure to 'No'.

2021-12-14 12:12 CST: Updated Code Insight potential exposure to 'No'. Published additional mitigation steps in linked KB article.

2021-12-14 10:35 CST: Added link to FlexNet Publisher mitigation steps KB article.

2021-12-13 23:17 CST: Added exposure clarification for InstallShield and updated mitigation steps.

2021-12-13 23:04 CST: Added exposure clarification for InstallAnywhere. 

2021-12-13 18:31 CST: Initial Revenera product assessment details published. 

2021-12-11 19:16 CST: Initial security advisory.


INITIAL SECURITY ADVISORY (Dec 11, 2021 05:16 PM):

As you may be aware, a vulnerability was discovered in the Log4j Java library, potentially allowing attackers to take control of systems and execute malicious commands. For more detailed information about the vulnerability, please see the following resources:

Revenera is actively working with our product teams to review Software Composition Analysis scans of our products to determine the impact, if any, on our solutions. We appreciate your patience and understanding, and we will provide an update once more information about affected products and remediation plans are confirmed.

45 Comments
uzihabaz
Level 2

Hi,

Is there any update on this please ?

Thanks,

UZI HABAZ
Delivery Infrastructure Expert

(T) +972 (9) 775-2425
(M)+972 (522)-434419

uzi.habaz@nice.com
www.nice.com

jefflaing
Level 4

Our current mitigation strategy for this has been to put a complete block on ALL outgoing network access from our FNO server, with a specific exemption for SMTP access to our mail server.  So, no http to google, no ntp, etc.

Given that this is a single-purpose server, are there any other outgoing connections that an FNO server might need to have whitelisted?

madhug
Level 5

can you please let us know affecting products, we are using Installshield and Installanywhere .

virginial
Level 2

Hi,

Can we please get an update to this advisory and details on all affected products, is Code Insight impacted?

Thanks, 

 

rick_jansen
Level 2

Hello, We would also like to know if Code Insight is impacted.

pauli_tuominen
Level 2

@jefflaing If you block outgoing connections, in the long term it could be great if FNO gets it license renewed from Flexera servers. 

maxhenselnonse
Level 2

Hi,

looks like if the local license server (FlexNet Embedded) uses the log4j libraries. Even in the latest version of the lls:

 

log4j.JPG

zellis_sp
Level 2

Could we please get an update if InstallAnywhere and InstallShield packaged product is vulnerable.

pdl_stsrd_lice
Level 3

@maxhenselnonse:
To me this looks like version 1.2.17 is used for the FNE LLS. But according to the CVE only versions from 2.0 to 2.14.1 are affected? Can someone confirm this?

rick_jansen
Level 2

Hi all, When I check our Code Insight installation I see log4j-core 2.11.1 in the tomcat directory (/tomcat/webapps/codeaware/WEB-INF/lib/log4j-core-2.11.1.jar) so I would presume it's used in our installation. Is there a good and advised way to mitigate this?

meihee
Level 2

Please keep us in the loop, we are looking for patch soon.  -Mei

dgstangel
Level 3

We also need an update from Revenera on Code Insight (both 6.x and 7.x versions), as we need to respond to IT and Cyber Security inquiries on these applications.

jrubin1
Revenera
Revenera

Thank you everyone for your patience as we assess the impact and remediation plan for this vulnerability as it relates to the Code Insight product. One piece of information that we were able to confirm is that the following Code Insight v6 configurations are definitely not impacted:

1. Code Insight v6 instances that are used for Workflow only, without scanning.

2. Code Insight v6 instances that are configured to scan using Analyzer instead of CodeAware.

If you have one of these configurations in your environment, remediation is not necessary. Note: other configurations are also potentially not impacted, but we are waiting for confirmation from Engineering to be able to tell you for sure.

cc: @dgstangel@meihee 

dong_zhipeng
Level 2

For IA2018, does it mean that we are not effected if we're not using CodeAware?

madhug
Level 5

what is CodeAware and how it affects Installshield and Installanywhere products, can someone please shed some light on it.

cvirata
Revenera Community Admin Revenera Community Admin
Revenera Community Admin

@dong_zhipeng - if you are not using the CodeAware feature or are using any other version of InstallAnywhere, you are not impacted.

cvirata
Revenera Community Admin Revenera Community Admin
Revenera Community Admin

@madhug - InstallShield 2016 SP2, InstallShield 2018, and InstallAnywhere 2018 have included an additional module - Codeaware to scan for Open Source components included in your project. This is a separate menu item in Project menu (for InstallShield) or Build menu (for InstallAnywhere) which invokes a wizard for scanning. This module has to be explicitly invoked and is not automatically invoked during launch of InstallShield/InstallAnywhere or building projects using IDE or Standalone Build.

pierre_olsson
Level 2

I see certain product here are mentioned with an attached version, Flexnet Publisher for example. 11.18.3.0 is stated here, shall we regard only this specific version potentially affected? Shall we regard all 11.18 versions affected for example? 

mkulvietis
Level 2

What we did for Flexnet Operations on-premise 2018 R1:


* delete JndiLookup.class from all log4j-core-*.jar's

* Enabled AWS WAF "known bad inputs" now contains lo4jrce

cseipel
Level 2

It seems that version 1.x is also vulnerable under certain circumstances:

https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126

 

paul_hesp
Level 2

Hi

We use InstallAnywhere 2020 Build 6318 to package our software for installation on Windows and Linux.  Can you confirm that any installer packages generated with this will not contain the log4j issue please?

jholcomb
Level 3

Version 2.16.0 of Log4j has been released.

mrathinam
Revenera Moderator Revenera Moderator
Revenera Moderator

Hi @pierre_olsson for FNP, all the versions are affected however the issue is fixed for 11.8.3.0 and we have already released 11.18.3.1 in the PLC. For older versions of FNP other than 11.8.3.0, customers can update the log4J to the latest version which is like 2.15 or 2.16. 

mrimon
Level 3

Will this tracker get updated? We are waiting on the FlexNet License Server Manager (FLSM) Flexnet Embedded update

cvirata
Revenera Community Admin Revenera Community Admin
Revenera Community Admin

@mrimon - this tracker is being updated as new information is available. A fix version has not yet been finalized, however there is a KB article with mitigation steps: CVE-2021-44228: Log4j vulnerability impact on FlexNet Embedded 

rwrnad
Level 2

Hi @cvirata,

Please can you confirm whether InstallAnywhere 2017 is impacted by the Log4j Java Vulnerability?

cvirata
Revenera Community Admin Revenera Community Admin
Revenera Community Admin

@rwrnad - Only InstallAnywhere 2018 is impacted by the log4j vulnerability. Please see the published InstallAnywhere KB Article related to this for more information: https://community.flexera.com/t5/InstallAnywhere-Knowledge-Base/CVE-2021-44228-Log4j-vulnerability-impact-on-InstallAnywhere/ta-p/217660/

jholcomb
Level 3

Is there any sort of update on when we can expect a patch for FlexNet Operations On-Premises? We have had to take this server offline and it is affecting our ability for customers to activate their licenses.

cvirata
Revenera Community Admin Revenera Community Admin
Revenera Community Admin
jholcomb
Level 3

@cvirata- These look to be directions for a Linux install - what is the process for a Windows installation?

Also, will 2018 R1 be patched?

Edit: I understand the removal of the JndiLookup.class but the PatternLayout change is not clear.

jholcomb
Level 3

@mkulvietis - the KB article mentions "Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true" - have you done that? I'm not sure if that's done in the System variables for Windows or if that is set on the command line for running FNO.

jholcomb
Level 3

We've applied logj4 2.16 to FNO 2018 R1 and initial testing seems to work ok - has anyone else done this?

jefflaing
Level 4

@jholcomb can I ask what you mean by "applied log42.16" ?  On our machine (which uses a local Oracle instance as well), I saw these:

CC:\>dir/s/b log4j-core*.jar
C:\...\components\wildfly\standalone\deployments\flexnet.ear\flexnet.war\WEB-INF\lib\log4j-core-2.8.2.jar
C:\...\components\wildfly\standalone\tmp\vfs\deployment\deployment9f482d6c0bf06bb1\log4j-core-2.8.2.jar-52f20d693b
caaa99\log4j-core-2.8.2.jar
C:\...\release\flexnet.ear\flexnet.war\WEB-INF\lib\log4j-core-2.8.2.jar
C:\...\webapp\WEB-INF\lib\log4j-core-2.8.2.jar
C:\...\Oracle\...\12.2.0\dbhome_1\ccr\lib\log4j-core.jar
C:\...\Oracle\...\12.2.0\dbhome_1\md\jlib\log4j-core-2.9.1.jar
C:\...\Oracle\...\12.2.0\dbhome_1\oui\jlib\jlib\log4j-core.jar
C:\...\Oracle\...\12.2.0\dbhome_1\sysman\jlib\ocm\log4j-core.jar
C:\...\Oracle\...\PatchTop\27849056\27849056\files\md\jlib\log4j-core-2.9.1.jar

 

Did you replace all instances of the 2.8.2 file with a 2.16 file, or just their contents?  (ie, did your filenames remain the same?  And did you need to do Oracle as well, or are you running a different database (or against a remote instance)

At this point in time, I'm still leaning towards the "remove the JndiLookup.class from any .jar I find it in" approach

jholcomb
Level 3

@jefflaing

Initially we did the "remove the JndiLookup.class" fix and another fix but figured out how to replace the log4j files. There were 4 and we tested it last night and all seems to be well. We're running MS SQLServer.

We've done this to a test server and tomorrow am I'll write this up and we want to do the production server tomorrow, we've disabled internet access to it and it's been unavailable to our customers for a week now. I'll post the write-up as soon as I'm finished.

Jim

jefflaing
Level 4

@jholcomb 

Did you do a full re-deploy of the software, or just hit all the .jar files in-situ?

We only blocked outgoing connections from our license server so incoming activation requests still work fine - our customers should not be affected.  Since the exploits all rely on external access, this seemed like a reasonable compromise - the only port we needed to open was SMTP which is still locked to a fixed server that we control.

pauli_tuominen
Level 2

@jefflaing @jholcomb 

Have you noticed that new version 2.17.0 has been released as 2.16.0 has a new vulnerability.
https://logging.apache.org/log4j/2.x/security.html

I have removed JndiLookup.class from all log4j-core files and it seems a good solution so far. But now I wonder if Flexnet Operations is vulnerable to new CVE-2021-45105

It seems that FNO is not using Context Lookup (like ${ctx:loginId}) in log4j configuration by default and so it should not be vulnerable, but I'm no log4j expert, perhaps Flexera knows better.

Pauli

jholcomb
Level 3

@pauli_tuominen, @jefflaing

Use at your own risk, this is what we tested over the weekend but now we'll have to test with 2.17. I looked at removing outbound internet access but we have this server at AWS and didn't want to break communications with any of their stuff.

We were at version 2.8.2 of log4j. For any paths below I'm referring to Log4j locations on my FNO 2018 R1 Windows server. I'd search your server for where they may be squirreled away. On Windows I love using AgentRansack for searches.

** Installing 2.16 **

https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html

Locations on my server:

C:\Program Files\FlexNet Operations\components\wildfly\standalone\deployments\flexnet.ear\flexnet.war\WEB-INF\lib\

C:\Program Files\FlexNet Operations\release\flexnet.ear\flexnet.war\WEB-INF\lib\

Stop FlexNet services, apply the updates, and reboot.

** Removing JndiLookup.class from the classpath: **

$ zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

For this I used 7-Zip to open all the log4j-cor*.jar files mentioned above , navigated to org/apache/logging/log4j/core/lookup and deleted JndiLookup.class

** PatternLayout fix **

Edited Log4j2.xml in the locations below:

C:\Program Files\FlexNet Operations\release\flexnet.ear\flexnet.war\WEB-INF\classes

C:\Program Files\FlexNet Operations\components\wildfly\standalone\deployments\flexnet.ear\flexnet.war\WEB-INF\classes

Change the PatternLayout line to read:

      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg{nolookups}%n"/>

 

jholcomb
Level 3

I found another xml file that I suspect needs to be patched:

C:\Program Files\FlexNet Operations\release\flexnet.ear\flexnet.war\WEB-INF\classes\flexnet-log4j.xml

<PatternLayout pattern="%m{nolookups}%n"/>

jefflaing
Level 4

Thanks @jholcomb 

On our 2018R1 server, I found the following candidates:

c:\app>dir/s/b log4j*.xml
c:\app\FlexNetOperations\components\tomcat\webapps\flexnetsetup\WEB-INF\classes\log4j.xml
c:\app\FlexNetOperations\components\wildfly\modules\system\layers\base\com\flexnet\log4j\main\log4j2.xml
c:\app\FlexNetOperations\components\wildfly\standalone\deployments\flexnet.ear\flexnet.war\WEB-INF\classes\log4j2.xml
c:\app\FlexNetOperations\components\wildfly\standalone\tmp\vfs\temp\tempebc2bb9933e7168d\lfs.war-93bcb86ee815389e\WEB-INF\classes\lo
g4j-default.xml
c:\app\FlexNetOperations\components\wildfly\standalone\tmp\vfs\temp\tempebc2bb9933e7168d\lfs.war-93bcb86ee815389e\WEB-INF\classes\lo
g4j.xml
c:\app\FlexNetOperations\release\flexnet.ear\flexnet.war\WEB-INF\classes\log4j2.xml
c:\app\FlexNetOperations\release\jbossConfig\flexnet\log4j\main\log4j2.xml
c:\app\FlexNetOperations\webapp\WEB-INF\classes\log4j2.xml

some of which are not PatternLayout definitions.

---------- C:\APP\FLEXNETOPERATIONS\COMPONENTS\TOMCAT\WEBAPPS\FLEXNETSETUP\WEB-INF\CLASSES\LOG4J.XML
<param name="ConversionPattern" value="%d{ISO8601} %-5p [%c{2}] [%t] %m%n" />

but which look they may need similar attention - I would take a good look at pretty much any .xml file that contains "%m"

jholcomb
Level 3

Thanks @jefflaing , I'll go hunting again!

Edit: I checked and all I have is the two files.

Edit 2: I had a date filter and found a bunch more.  It's still early here...

sellis
Level 2

Is it possible to get an update on the usage intelligence SDK please. My own examination of the jar file that is incorporated into products suggests it does contain Log4j 2.x, but it looks like a stripped down version that doesn't include Jndi functionality and so may not be vulnerable to these issues.

cvirata
Revenera Community Admin Revenera Community Admin
Revenera Community Admin

Hello @sellis -

In keeping with the guidance of our security team, we are working on upgrading to the latest recommended Log4j version (2.17.0). Subject to any issues during testing, we plan to have this available by the end of next week.

pauli_tuominen
Level 2

Hello 

are there any news about new vulnerability CVE-2021-44832? Apache has released new jar 2.17.1.

In Flexnet operations there is at least one log entry using JDBC Appender in file 

C:\Program Files\FlexNet Operations\release\flexnet.ear\flexnet.war\WEB-INF\classes\flexnet-log4j.xml

<DataSource jndiName="java:/jdbc/FLEXnetDataSource" />

But that datasource is using java protocol, which should be safe, it it so that FNO is not affected by CVE-2021-44832?

Pauli

 

 

 

mrathinam
Revenera Moderator Revenera Moderator
Revenera Moderator

Hi @pauli_tuominen Thanks for the information about CVE-2021-44832 new vulnerability, let me check for more details and come back as soon as possible about the impact of this  CVE-2021-44832. 

Best Regards,

mrathinam
Revenera Moderator Revenera Moderator
Revenera Moderator

Update: 31/Dec/2021:
FNO Onprem 2021.R1 Log4j version has been upgraded to 2.17.0 and 2021_R1_HotFix_log4j_Upgrade_2.17_and_SWM-9817.zip is now available in the  Product and License Center.
Note: The same will be updated in the document soon.