
Radia Customer Advisory: Apache Vulnerability | Log4j2 (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)

In response to the recently published zero-day vulnerability CVE-2021-44228 affecting Apache Log4j, we are working to ascertain the nature and severity of the reported vulnerabilities and their effect on the Radia Endpoint Management product (also known as Sentient).

Summary:

In Apache Log4j2 versions up to and including 2.14.1, the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints.

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

How will this impact Radia Operations?

Radia uses Log4j in its Java modules for the console UI and for logging. All the Radia WildFly modules are therefore affected by this CVE.

Internet-facing Radia instances are directly exposed and require the hotfix. The same library is present in every Radia instance, so the hotfix should be applied to internal instances as well.
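Because the affected library is shipped inside the WildFly modules and deployments rather than installed system-wide, the practical question for an operator is which archives on disk actually contain log4j-core, at what version, and whether the same check confirms the upgrade once a hotfix has been applied. The Python below is an added example, not a tool from this advisory or from the Radia product: it walks a directory, opens every `.jar`/`.war`/`.ear`, recurses into nested archives (the jars under a WAR's `WEB-INF/lib`), identifies log4j-core by its package path, reads the version from Maven `pom.properties` or the manifest, and maps that version to the three CVEs in this advisory using the fix releases published on the Apache Log4j security page (including the 2.3.x and 2.12.x backport branches). The directory layout, archive names and archive contents in `make_fixture` are constructed stand-ins for a WildFly tree and are not Radia's actual layout.

```python
import io
import os
import re
import tempfile
import zipfile

CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

# Fix releases per branch, from the Apache Log4j security page: the 2.3.x (Java 6)
# and 2.12.x (Java 7) branches received backports; other 2.x versions use mainline.
FIXES = {
    "CVE-2021-44228": {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2), None: (2, 15, 0)},
    "CVE-2021-45046": {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2), None: (2, 16, 0)},
    "CVE-2021-45105": {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3), None: (2, 17, 0)},
}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); qualifiers are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def affected_cves(version_text):
    """Which of the three advisory CVEs apply to a log4j-core version string."""
    v = parse_version(version_text)
    if v is None or v < (2, 0, 0):
        return []  # Log4j 1.x is a different code base and out of scope here
    branch = v[:2] if v[:2] in ((2, 3), (2, 12)) else None
    return [cve for cve, fix in FIXES.items() if v < fix[branch]]


def _version_of(zf, label, names):
    """pom.properties is authoritative; a jar named log4j-core-* may fall back to its
    manifest, then its file name. A shaded or renamed jar yields None."""
    if POM in names:
        for line in zf.read(POM).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    base = label.rsplit("/", 1)[-1]
    if not base.startswith("log4j-core-"):
        return None
    if "META-INF/MANIFEST.MF" in names:
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    m = re.search(r"log4j-core-(\d[\w.\-]*)\.jar$", base)
    return m.group(1) if m else None


def _scan_archive(data, label, findings):
    """Report an archive holding log4j-core classes; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if any(n.startswith(CORE_PREFIX) for n in names):
            version = _version_of(zf, label, names)
            findings.append({
                "archive": label,
                "version": version,
                "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
                "cves": affected_cves(version) if version else None,  # None: inspect manually
            })
        for n in names:
            if n.lower().endswith(ARCHIVES):
                _scan_archive(zf.read(n), f"{label}!/{n}", findings)


def scan_tree(root):
    """Walk a directory (e.g. a WildFly installation) and scan every archive in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    label = os.path.relpath(path, root).replace(os.sep, "/")
                    _scan_archive(fh.read(), label, findings)
    return findings


def _jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _core(version):
    return {CORE_PREFIX + "Logger.class": b"", JNDI_LOOKUP_CLASS: b"", POM: f"version={version}\n"}


def make_fixture(root):
    """Constructed stand-in for a WildFly tree (marker entries only, no real bytecode)."""
    files = {
        "modules/org/apache/log4j/main/log4j-core-2.14.1.jar": _jar(_core("2.14.1")),
        "modules/org/apache/log4j/main/log4j-core-2.17.1.jar": _jar(_core("2.17.1")),
        "modules/org/apache/log4j/main/log4j-api-2.17.1.jar": _jar({"org/apache/logging/log4j/Logger.class": b""}),
        # WAR carrying a nested log4j-core with a manifest version but no pom.properties
        "deployments/console.war": _jar({"WEB-INF/lib/log4j-core-2.16.0.jar": _jar({
            CORE_PREFIX + "Logger.class": b"", JNDI_LOOKUP_CLASS: b"",
            "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 2.16.0\n"})}),
        # shaded jar: log4j-core classes bundled with no version metadata at all
        "deployments/agent-tools.jar": _jar({CORE_PREFIX + "Logger.class": b"", JNDI_LOOKUP_CLASS: b""}),
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the fixture in a temp dir, scan it and return findings keyed by archive."""
    with tempfile.TemporaryDirectory() as root:
        make_fixture(root)
        return {f["archive"]: f for f in scan_tree(root)}


if __name__ == "__main__":
    for label, f in sorted(run_demo().items()):
        print(label, f["version"], f["jndi_lookup_present"], f["cves"])
```

Run `scan_tree("/path/to/wildfly")` against a real installation before and after the hotfix. A `version` of `None` with `jndi_lookup_present` true is the shaded-jar case that filename-based inventories miss and must be checked by hand; conversely, `JndiLookup.class` is still present in fixed 2.16.x/2.17.x releases (it is disabled there), so the verdict comes from the version, not from the class's presence alone.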

When can we have this hotfix?

While we are working to release the hotfix as soon as possible, our team is also exploring and testing interim mitigation steps.

New updates: hotfixes for Log4j 2.16.0, 2.17.0 and 2.17.1 are listed in the dated updates below.

Update on 15th Dec-2021:
A new CVE, CVE-2021-45046, has been reported: the fix in Log4j 2.15.0 was incomplete in certain non-default configurations. It is addressed in v2.16.0. https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Work has started on a new hotfix that upgrades Log4j to v2.16.0, and the ETA is therefore revised to 19th December.

Updated on 20th Dec-2021
The hotfix for the v2.16.0 upgrade is available; please find the details in the link below.

https://support.accelerite.com/hc/en-us/articles/4416819788685-WININFRA1000-QCCR1C61151-log4j-version-upgrade-to-2-16-0

A newer hotfix is now available; please see the updates below.

 

Updated on 21st Dec-2021:

A high-severity vulnerability (CVE-2021-45105, a denial of service through uncontrolled recursion in self-referential lookups) has been reported in Log4j versions up to and including v2.16.0:

https://logging.apache.org/log4j/2.x/security.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105

 

Updated on 24th Dec-2021:

The hotfix to upgrade log4j to v2.17.0 is now available and can be downloaded. Please follow the link for hotfix download and instructions.

https://support.accelerite.com/hc/en-us/articles/4417525157517-WININFRA1000-QCCR1C61173-log4j-upgrade-to-version-2-17-0 

 

Updated on 4th Jan-2022:

The hotfix to upgrade log4j to v2.17.1 is now available and can be downloaded. Please follow the link for hotfix download and instructions.

https://support.accelerite.com/hc/en-us/articles/4418645410573 
