Updated 2:30 p.m. EST, December 20, 2021
The Apache Software Foundation (ASF) has rolled out another update – version 2.17.0 – for its Java-based open-source logging library Log4j to address a third security vulnerability first discovered December 10, 2021.
In response, N-able engineers have removed the log4j package from the RMM platform. RMM is no longer at risk from this vulnerability or any potential future log4j vulnerabilities. Risk Intelligence has scheduled deployment of patches for 4 a.m. EST December 21, 2021.
Find more details in our latest blog post https://status.n-able.com/2021/12/20/apache-log4j-vulnerability-updated-230-p-m-est-december-20-2021/
Original Post
As you may know, a vulnerability within the Apache Log4j tool was identified on Friday, December 10, 2021 – tracked as CVE-2021-44228. Log4j is a logging framework created by Apache and used widely across the internet. Many, many services are potentially vulnerable to this exploit.
Our Security, Engineering and DevOps teams, under the direction of our CSO, conducted a full impact assessment once the vulnerability was initially identified early Friday morning and found no evidence of successful exploitation. In addition, our internal Red Team completed a deep analysis of our code as well as testing.
N-able can confirm there are no vulnerabilities in these products, as they do not utilize a vulnerable version of Apache Log4j or they may not utilize Apache Log4j at all:
- *N-central
- Backup
- Mail Assure
- MSP Manager
- Passportal
- SpamExperts
- SSO
- Take Control
- N-able Service Desk
Other products:
- RMM:
- We have evaluated risk within RMM and have deployed patches for any vulnerable components as of 4 p.m. EST on December 10, 2021.
- Risk Intelligence:
- We have evaluated risk within Risk Intelligence and have deployed patches for any vulnerable components as of 3:00 a.m. EST on December 15, 2021. Please refer to our latest blog entry (here) for updated information.
* It was initially believed that N-central may have utilized a vulnerable version of Apache Log4j. After further investigation, it was determined that N-central was not vulnerable because N-central only utilizes the Log4j-API component, and not the Log4j-core component. We apologize for any confusion.
Our teams have not found any active exploits of this vulnerability and are confident in the safe use of N-able products. This potential vulnerability remains a top priority for our Security, Engineering and DevOps teams. We continue to monitor for any developments with this evolving industry-wide risk and will re-evaluate for exposure as necessary.
We don’t recommend taking any N-able services offline. Your N-central system is not vulnerable and our RMM platform was patched on December 10. Thank you for your continued patience and understanding.
Additional Links:
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228