
Apache Log4j2 RCE vulnerability (CVE-2021-44228)

Signicat is aware of and has acted on the security vulnerability in the open-source Apache Log4j2 utility (NVD - CVE-2021-44228).

Last updated on 22.12.2021 @ 14:45 CET

The Log4j vulnerabilities have been found in both in-house and third-party software used in our various environments. The ease of exploitation and the public availability of exploitation details have raised the priority of applying patches and mitigations as soon as possible.

Third-party products have been patched with vendor patches. In-house developed software is on Log4j version 2.16 at a minimum.

Source code analysis of the attack vectors for CVE-2021-45105 (denial of service) has not revealed any vulnerable services, and therefore the upgrade to version 2.17 is not seen as necessary at this moment. However, we continue to monitor the situation closely, and software packages using Log4j version 2.17 are ready to deploy at a moment’s notice if needed.
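The two paragraphs above reason from a Log4j version threshold (2.16 as the minimum, 2.17 held in reserve for CVE-2021-45105). The following script is an added illustration of that version-based inventory check; it is not Signicat's own tooling and is not described on this page. It reads the version that Maven records in a log4j-core jar's `pom.properties` and reports which of the three CVEs named in this advisory the version alone still leaves open. The fixed-in versions (2.15.0 for CVE-2021-44228, 2.16.0 for CVE-2021-45046, 2.17.0 for CVE-2021-45105, on the Java 8 line) are public Apache data; the sample jar is constructed in the script so it runs offline.

```python
"""Added example: which Log4j 2 CVEs does a log4j-core jar's version still leave open?"""
import io
import re
import zipfile
from pathlib import Path

# Fixed-in versions for the Log4j 2 issues named in the advisory (Java 8+ release line).
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),  # JNDI lookup remote code execution
    "CVE-2021-45046": (2, 16, 0),  # incomplete fix for CVE-2021-44228
    "CVE-2021-45105": (2, 17, 0),  # uncontrolled recursion, denial of service
}

# Path Maven writes into every log4j-core jar it builds.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.16.0' (or '2.16') into a comparable tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def jar_log4j_core_version(jar_bytes):
    """Return the version recorded in pom.properties, or None if this is not a log4j-core jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def open_cves(version):
    """CVEs whose fix version is newer than the version found."""
    found = parse_version(version)
    return [cve for cve, fixed in FIXED_IN.items() if found < fixed]


def assess_jar(jar_bytes):
    """None for jars that are not log4j-core; otherwise the version and the still-open CVEs."""
    version = jar_log4j_core_version(jar_bytes)
    if version is None:
        return None
    return {"version": version, "open_cves": open_cves(version)}


def scan_tree(root):
    """Walk a directory and assess every .jar found (hypothetical helper for real deployments)."""
    results = {}
    for path in Path(root).rglob("*.jar"):
        verdict = assess_jar(path.read_bytes())
        if verdict is not None:
            results[str(path)] = verdict
    return results


def make_sample_jar(version, artifact="log4j-core"):
    """Constructed fixture: a minimal zip laid out like a Maven-built jar of the given artifact."""
    buf = io.BytesIO()
    entry = f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties"
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry, f"# constructed sample\ngroupId=org.apache.logging.log4j\n"
                           f"artifactId={artifact}\nversion={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.14.1", "2.16.0", "2.17.0"):
        print(v, assess_jar(make_sample_jar(v)))
```

The script reports only what the version string says. A 2.16.0 jar is flagged for CVE-2021-45105, which matches the advisory's position: whether that issue is actually reachable in a given service is the separate source-code analysis the text describes, not something a version check can decide. The check also only sees jars that carry their own `pom.properties`; Log4j classes shaded into a fat jar need a class-level scan instead.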

Signicat has also kept track of the patch status of third-party service providers. The response has been swift, and no security impact has been seen on the service providers’ or Signicat services in the service provider environments.

No signs of compromise have been detected in Signicat or third-party service provider environments.

Update 16.12.2021 @ 10:34 CET

Signicat production systems have been patched, mitigated, or were not affected. There is still work in progress for internally used software and components where we are awaiting patches and status from some vendors, but the majority are patched, mitigated, or not affected.

We have been monitoring attempts to exploit the vulnerability, and after the news from ZDNet.com we have broadened our search to also look for attempts before 2021-12-01. Our investigation shows that the earliest attempts at exploitation against Signicat systems were at 2021-12-09T23:22, with no sign of successful exploitation. We are still monitoring and following the situation.

We are currently assessing and acting on the new Apache Log4j vulnerability (CVE-2021-45046), for which the mitigations of CVE-2021-44228 were incomplete.

Current result of Signicat’s investigation of production systems that use Log4j2:

  • Signicat Enterprise SaaS products
  • Signicat Enterprise monitoring system
  • Signicat Enterprise hosting provider backup service
  • Signicat Identity Broker
  • Signicat eHerkenning Broker
  • Signicat MyOwnIDP / CIAM
  • MySignicat / MyConnectis
  • Signicat Dokobit monitoring system
  • Signicat Dokobit HSM service