General Information
The vulnerability described by CVE-2021-44228 is a critical vulnerability in the log4j2 logging framework. This vulnerability is straight-forward to exploit if a user can affect log output and has the potential for remote code execution within affected applications. At the time of this writing, log4j2 versions 2.0 – 2.14.1 have been found to be vulnerable, and log4j1 has not been found to be exploitable by this vulnerability.
A similar vulnerability for log4j1 is described by CVE-2021-4104. This vulnerability can be exploited if a user can modify log configuration and has the potential for remote code execution within affected applications.
Are On-Premises Variphy Applications affected?
On-premises Variphy applications (Variphy Insight) are currently using log4j1 version 1.2.17. The Variphy Engineering Team does not believe on-premises Variphy applications are vulnerable to exploitation by CVE-2021-44228 or CVE-2021-4104 in their default configuration.
If the default logging configuration has been modified to enable the JMS Appender functionality, remote code execution may be possible. You can check if you are vulnerable by inspecting the log4j configuration file found within the Variphy application installation directory:
<installation-dir>/app/tomcat/webapps/insight/WEB-INF/classes/log4j.xml
For example, on Windows, the path might be:
C:\Program Files\Variphy Insight\app\tomcat\webapps\insight\WEB-INF\classes\log4j.xml
For example, on Linux/Variphy OVA, the path might be:
/opt/variphy/apps/insight/app/tomcat/webapps/insight/WEB-INF/classes/log4j.xml
If no lines contain org.apache.log4j.net.JMSAppender, your Variphy application does not have the specific vulnerable configuration.
How can I mitigate this vulnerability?
If you are using JMSAppender functionality within your logging configuration, we recommend you mitigate the vulnerability as soon as possible by temporarily disabling any configured appenders utilizing org.apache.log4j.net.JMSAppender by commenting out the relevant lines in the log4j configuration file and restarting the Variphy application.
Are Variphy Cloud Applications affected?
All affected Variphy Cloud Applications were patched to mitigate CVE-2021-44228 on December 10, 2021. At this time, the Cloud Operations Team has not found evidence of this vulnerability being exploited within Variphy Cloud.
Variphy Cloud applications are not affected by CVE-2021-4104.
Are there plans for the Variphy application to upgrade to log4j2?
The Variphy Development Team has decided to move to log4j2 version 2.17.1 in Variphy Insight version 12.4.1.
More Information on this Vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- https://access.redhat.com/security/cve/CVE-2021-4104
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
