Apache Log4j Vulnerability – Updated 12 p.m. EST, December 15, 2021

Updated 2:30 p.m. EST, December 20, 2021

The Apache Software Foundation (ASF) has rolled out another update – version 2.17.0 – for its Java-based open-source logging library Log4j to address a third security vulnerability first discovered December 10, 2021.

In response, N-able engineers have removed the log4j package from the RMM platform.  RMM is no longer at risk from this vulnerability or any potential future log4j vulnerabilities.  Risk Intelligence has scheduled deployment of patches for 4 a.m. EST December 21, 2021.

Find more details in our latest blog post https://status.n-able.com/2021/12/20/apache-log4j-vulnerability-updated-230-p-m-est-december-20-2021/

Updated December 15, 2021:

We have evaluated risk within Risk Intelligence and have deployed patches for any vulnerable components as of 3:00 a.m. EST on December 15, 2021.

Please refer to our latest blog entry (here) for updated information.

Updated December 13, 2021:

It was initially believed that N-central may have utilized a vulnerable version of Apache Log4j. After further investigation, it was determined that N-central was not vulnerable because N-central only utilizes the Log4j-API component, and not the Log4j-core component. We apologize for any confusion.

Please refer to our latest blog entry (here) for updated information.

Original Post:

As you may know, a vulnerability within the Apache Log4j tool has been identified – tracked as CVE-2021-44228. Log4j is a logging framework created by Apache and used widely across the internet.

Our Security, Engineering and DevOps teams, under the direction of our CSO, have been conducting a full impact assessment since the vulnerability was initially identified early today, and they have found no evidence of successful exploitation. In addition, our internal Red Team has done deep analysis of our code as well as testing this vulnerability, and has found that exploitation would be difficult for any attacker. 

At this time, our analysis shows the following:

  • Not vulnerable:
    • N-central
    • Backup
    • MSP Manager
    • Take Control
    • Passportal
    • Mail Assure
  • RMM:
    • We have evaluated risk within RMM and have deployed patches for any potentially vulnerable components.
  •  Risk Intelligence:
    • Running a vulnerable version of Apache log4j
    • We are actively working on a patch and will update when we have more information.

We are continuing to conduct solution-wide assessments and will provide updates as soon as they become available.

Additional Links:

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Huntress blog: https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java?fbclid=IwAR3l_cGEQBoJrCuDelzL4m_8l-uyzDePYPsFF0wiOcM7WlAeT35ahqw9gR8

This entry was posted in Backup & Recovery, Mail Assure, MSP Anywhere, MSP Remote Monitoring & Management, N-central, Passportal, Risk Intelligence, Security Notices. Bookmark the permalink.