Numecent Response to CVE-2021-44228 Apache Log4j Remote Code ExecutionDecember 13th, 2021
Numecent has determined that the recently discovered vulnerability, CVE-2021-44228 does not impact Cloudpaging Server or Cloudpaging CDN.
CVE-2021-44228 is a zero-day vulnerability, publicly released on December 9th, 2021. CVE-2021-44228 has been assigned the highest “Critical” severity rating. This vulnerability would allow an attacker to execute remote code using the JNDI lookup mechanism at the message level. We can confirm that this JNDI lookup mechanism is not present in the implementation of Log4j used by Cloudpaging Server.
In addition, versions of Cloudpaging Server 9.3 and later install with Java 1.8u201 which contains a remote code execution mitigation (also implemented in Java 1.8u121 and later) that prevents access to remote resources using the JNDI URL. Even if the JNDI lookup mechanism were in place, Cloudpaging Server would still be protected.
While there are no vulnerabilities impacting the current implementation of Log4j used by Cloudpaging Server, security is a top concern here at Numecent, and we will be providing an update in 4 days to ensure our customers have the latest Log4j version available.
Numecent will continue to monitor and provide updates to the potential impact of the vulnerability on Numecent managed services and on-premises installations.
Customers can view our Cloudpaging Server - Apache Vulnerability Warnings article for a list of known Apache Tomcat vulnerabilities.
Response to CVE-2021-45046
December 15th, 2021
Numecent has determined that the recently discovered vulnerability, CVE-2021-45046 does not impact Cloudpaging Server or Cloudpaging CDN.CVE-2021-45046 has been assigned a low severity rating. This vulnerability would allow an attacker to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DOS) attack. The vulnerability only applies to non-default configuration using Log4j 2.15.0. Apache has released Log4j 2.16.0, which fixes this new vulnerability.
Cloudpaging Server 9.4.2
December 16th, 2021
While Cloudpaging Server is not affected by the recent CVE vulnerabilities, due to the serious nature of the exploits, Numecent has prepared a software update.
Cloudpaging Server 9.4.2 will be available with the latest Log4j version, 2.16.0, today. This release can be quickly upgraded from previous versions of Cloudpaging Server 9.4. Customers upgrading from versions older than Cloudpaging Server 9.4.0 will need to follow the upgrade note instructions before upgrading Cloudpaging Server to perform any necessary migrations steps.
Cloudpaging Server 9.4.2 Released!
Cloudpaging Server 9.4.2 has been released! This release contains an enhancement to upgrade log4j in Cloudpaging Server and Enterprise Portal to 2.16.0 to alleviate concerns with CVE-2021-44228 and CVE-2021-45046.
Response to CVE-2021-45105
December 20th, 2021
Numecent has determined that the recently discovered vulnerability, CVE-2021-45105 does not impact Cloudpaging Server or Cloudpaging CDN.
This is a denial of service (DoS) vulnerability that applies to versions of Log4j from 2.0-beta9 to 2.16.0. This vulnerability only applies to logging configurations that use a non-default Pattern Layout with a Context Lookup. When successfully exploited this could allow attackers with control over Thread Context Map (MDC) input data to craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError which will terminate the process. Cloudpaging Server does not use Context Lookups in the Pattern Layout, so by default Cloudpaging Server is not affected.
Ability to update Log4j using Cloudpaging Server 9.4.2!
December 21st, 2021
Along with the update to Log4j 2.16.0, the ability to update Log4j manually has been added in Cloudpaging Server 9.4.2. While the recently reported vulnerabilities have not affected Cloudpaging Server, Numecent recommends keeping Log4j up to date with the latest patch version available from Apache to ensure Cloudpaging Server remains secure. For instructions on updating Log4j, please see our
How to update Log4j 2 to the latest version article.
Note that the ability to manually update Log4j is expected to be released in Cloudpaging Server 9.5.1 along with the newest version of Log4j.
Response to CVE-2021-44832
January 3rd, 2022
Numecent has determined that the recently discovered vulnerability, CVE-2021-44832 does not impact Cloudpaging Server.
CVE-2021-44832 is a remote code execution (RCE) vulnerability that applies to versions of Log4j2 starting with 2.0-beta7 to 2.17.0 and is fixed in Log4j2 version 2.17.1. These versions of Apache Log4j2 are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. Cloudpaging Server does not use the JDBC Appender and except for Cloudpaging Server 9.4.2, the version of log4j used in Cloudpaging Server is not affected by the vulnerability so by default Cloudpaging Server is not affected.
Cloudpaging Server 9.4.2 uses Log4j 2.16.0, and it can be vulnerable if an attacker is able to obtain write permission to the log4j configuration file. Numecent recommends that all customers using Cloudpaging Server 9.4.2 update the Log4j2 binaries to version 2.17.1 to remain secure. Please follow our How to Update Log4j 2 to the latest version article for instructions.