CVE-2021-44228/CVE-2021-45046/CVE-2021-45105: Apache Log4j Security Vulnerabilities Update
A critical vulnerability for Log4J was publicly disclosed on Dec. 10, 2021. The Cradlepoint incident response team investigated, identified and patched vulnerable versions of Log4J in its cloud services. NetCloud OS (NCOS) does not use java, thus, Cradlepoint devices are unaffected by the Log4J vulnerabilities.
Problem description: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. A new CVE (CVE-2021-45046) was raised for this. An unauthenticated remote code execution vulnerability (CVE-2021-44228) has been disclosed in Log4j which is a widely used Java-based logging framework. Additionally, CVE-2021-45105 was published to address the fact 2.16 did not protect from uncontrolled recursion from self-referential lookups. Details about the vulnerability are as follows:
- CVE-2021-45046: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
- CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.
- CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups.
- CVE-2021-45046 Base CVSS Score: 3.7
- CVE-2021-44228 Base CVSS Score: 10.0
- CVE-2021-45105 Base CVSS Score: 7.5
Original advisory: Log4j – Apache Log4j Security Vulnerabilities
Update on actions from Cradlepoint: Cradlepoint Security Team is continuously analyzing our portfolio for potential impact as new reports of vulnerable third-party components become available from our vendors. In addition, our product development teams continue their proactive assessment of products and dependencies to confirm impact.
We are working with all product development units as new information becomes available to analyze any impact and confirm potential workarounds and fixes. At this time all identified affected versions of Log4J have been upgraded to non-vulnerable versions.
Contacts: Cradlepoint Security Team firstname.lastname@example.org