Apache Log4j Vulnerability

Updated 2:30 p.m. EST, December 20, 2021

The Apache Software Foundation (ASF) has released another update, version 2.17.0, of its Java-based open-source logging library Log4j to address a third security vulnerability in the library since the original flaw (CVE-2021-44228) was disclosed on December 10, 2021.

In response, N-able engineers have removed the log4j package from the RMM platform. RMM is no longer at risk from this vulnerability or any potential future log4j vulnerabilities. Risk Intelligence patches are scheduled for deployment at 4 a.m. EST on December 21, 2021.

Find more details in our latest blog post https://status.n-able.com/2021/12/20/apache-log4j-vulnerability-updated-230-p-m-est-december-20-2021/

Updated December 13, 2021:

It was initially believed that N-central may have utilized a vulnerable version of Apache Log4j. After further investigation, it was determined that N-central was not vulnerable because it uses only the log4j-api component (the logging facade), not the log4j-core component that contains the affected JNDI lookup code. We apologize for any confusion.
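The distinction above is the one check worth automating: CVE-2021-44228 is reachable only through log4j-core, so a classpath that carries log4j-api alone is not affected, while a log4j-core JAR needs its version (or the presence of JndiLookup.class) examined. The script below is an added example, not N-able's code or anything from the Apache project: it reads each JAR's Maven pom.properties to identify the artifact and version, checks for the JndiLookup class, and classifies the JAR. The four sample JARs are constructed in memory with placeholder contents so the script runs offline; the verdict names and the 2.17.0 threshold (taken from this page) are this example's own choices, and the separate fixed versions of the older Java 6/7 release lines are deliberately not modelled.

```python
"""Classify Log4j JARs on a Java classpath: log4j-api alone vs. log4j-core."""
import io
import re
import sys
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# The JNDI lookup abused by CVE-2021-44228 lives in log4j-core; log4j-api is
# only the logging facade and contains no lookup code at all.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = {
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "log4j-core",
    "META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties": "log4j-api",
}
# Fix level for the 2.x line as stated on this page. Older release lines kept
# for Java 6/7 have their own fixed versions and are not handled here.
FIXED_CORE_VERSION = (2, 17, 0)

Version = Tuple[int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparsable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


@dataclass
class Finding:
    jar: str
    artifact: Optional[str]      # "log4j-core", "log4j-api" or None
    version: Optional[Version]
    jndi_lookup_present: bool
    verdict: str                 # one of the strings returned by classify()


def classify(artifact: Optional[str], version: Optional[Version], jndi_present: bool) -> str:
    if artifact == "log4j-api":
        return "not_affected"    # facade only: no core, hence no lookups
    if artifact == "log4j-core":
        if version is not None and version >= FIXED_CORE_VERSION:
            return "fixed"
        if not jndi_present:
            return "mitigated"   # JndiLookup.class stripped; upgrade anyway
        return "vulnerable"
    if jndi_present:
        return "shaded_core"     # core classes bundled inside some other JAR
    return "not_log4j"


def inspect_jar(name: str, data: bytes) -> Finding:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = set(zf.namelist())
        artifact = version = None
        for pom, art in POM_PROPERTIES.items():
            if pom in entries:
                artifact = art
                props = zf.read(pom).decode("utf-8", "replace")
                m = re.search(r"^version=(.*)$", props, re.M)
                version = parse_version(m.group(1)) if m else None
                break
        jndi = JNDI_LOOKUP_CLASS in entries
    return Finding(name, artifact, version, jndi, classify(artifact, version, jndi))


def scan_jars(jars: Dict[str, bytes]) -> List[Finding]:
    return [inspect_jar(n, d) for n, d in sorted(jars.items())]


def scan_directory(root: str) -> List[Finding]:
    """Real-world entry point: every *.jar below root, nested directories included."""
    return scan_jars({str(p): p.read_bytes() for p in Path(root).rglob("*.jar")})


# --- Constructed sample JARs (placeholder contents, not real Log4j binaries) ---
def build_jar(artifact: str, version: str, with_jndi: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties",
                    f"groupId=org.apache.logging.log4j\nartifactId={artifact}\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


SAMPLE_JARS = {
    "log4j-api-2.14.1.jar": build_jar("log4j-api", "2.14.1", with_jndi=False),  # N-central's case
    "log4j-core-2.14.1.jar": build_jar("log4j-core", "2.14.1", with_jndi=True),
    "log4j-core-2.14.1-stripped.jar": build_jar("log4j-core", "2.14.1", with_jndi=False),
    "log4j-core-2.17.0.jar": build_jar("log4j-core", "2.17.0", with_jndi=True),
}

if __name__ == "__main__":
    findings = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_jars(SAMPLE_JARS)
    for f in findings:
        ver = ".".join(map(str, f.version)) if f.version else "?"
        print(f"{f.verdict:13} {f.artifact or '-':11} {ver:8} {f.jar}")
```

Run it with a directory argument to walk a real installation; without one it reports on the constructed samples. Note that 2.17.0 still ships JndiLookup.class (the lookup is simply disabled), which is why the version test comes before the class-presence test.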

Please refer to our latest blog entry for updated information.

Original Post:

As you may know, a vulnerability in the Apache Log4j logging library has been identified and is tracked as CVE-2021-44228. Log4j is a logging framework maintained by the Apache Software Foundation and used widely across the internet.

Our Security, Engineering and DevOps teams, under the direction of our CSO, have been conducting a full impact assessment since the vulnerability was initially identified early today, and have found no evidence of successful exploitation. In addition, our internal Red Team has performed a deep analysis of our code and tested this vulnerability against our platforms, and has found that exploitation would be difficult for any attacker.

At this time, our analysis shows the following:

  • N-able N-central:
    • Running a vulnerable version of Apache Log4j
    • Engineering teams are actively working on a hotfix and are targeting to have it ready by tomorrow, December 11, for on-premises partners. When the hotfix is ready, we will conduct a code drop for NCOD instances. We will update all N-central customers when it is available.
  • N-able RMM:
    • We have evaluated risk within RMM and have deployed patches for any potentially vulnerable components.
  • Risk Intelligence:
    • Running a vulnerable version of Apache Log4j
    • We are actively working on a patch and will update when we have more information.

At this time, we don’t recommend taking N-central or RMM offline; we believe this vulnerability is difficult to exploit due to the architecture of our platforms and single-sign-on protection. Our support team is available to work directly with any partners who have concerns or need additional assistance.

We are continuing to conduct solution-wide assessments and will provide updates as soon as they become available.

Additional Links:

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Huntress blog: https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java

This entry was posted in N-central, Risk Intelligence, Security Notices.