- MITRE has labelled the vulnerability as CVE-2021-44228 and assigned it the highest CVSS score (10.0).
- This vulnerability can give an attacker full control of any impacted system.
- In addition, the Apache Foundation has disclosed two other vulnerabilities (CVE-2021-45046 and CVE-2021-45105) that could allow a denial of service attack against the impacted system.
- The appronto.cloud hosting platform is not exposed.
- Boomi is not exposed.
- The Solace PubSub+ message broker software is not exposed.
- The Solace PubSub+ Cloud console is not exposed.
- The Appronto Datadog monitoring solution is not exposed.
- We recommend that customers who host Boomi themselves:
  - Check the Boomi servers for vulnerabilities.
  - Upgrade the Boomi JRE to a recent version of Java 8 or Java 11. Appronto is happy to help customers with this upgrade.
- Furthermore, we highly recommend that you check your entire infrastructure for systems that use Log4J and may be vulnerable. Customers who want to check their own systems can use these scripts: Northwave Security, PowerShell Checker and Log4shell detector.
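A filesystem check of the kind recommended above, as an added example (not Appronto's and not one of the linked scripts): it walks a directory tree, opens every jar, reads the Maven pom.properties that log4j-core jars ship with, and flags versions below 2.17.0 that still contain JndiLookup.class. The pom path, class path and version threshold are assumptions about standard Log4j 2 packaging, and jars nested inside .war/.ear archives are not unpacked.

```python
import os
import re
import zipfile

# Paths assumed from standard log4j-core packaging (not from the advisory).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# 2.15.0 fixed CVE-2021-44228, 2.16.0 CVE-2021-45046, 2.17.0 CVE-2021-45105.
FIXED_VERSION = (2, 17, 0)

def parse_version(text):
    """Return (major, minor, patch) from a 'version=...' line, else None."""
    for line in text.splitlines():
        if line.startswith("version="):
            m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", line.split("=", 1)[1].strip())
            if m:
                return tuple(int(g or 0) for g in m.groups())
    return None

def inspect_jar(path):
    """Return (version, has_jndi_lookup) for a log4j-core jar, else None."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if POM not in names:
                return None  # not log4j-core (or repackaged without Maven metadata)
            return parse_version(jar.read(POM).decode("utf-8", "replace")), JNDI_CLASS in names
    except zipfile.BadZipFile:
        return None

def scan(root):
    """Walk root and return (path, version, status) for each log4j-core jar found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                result = inspect_jar(path)
                if result is None:
                    continue
                version, has_jndi = result
                if version is not None and version >= FIXED_VERSION:
                    status = "ok"
                elif not has_jndi:
                    status = "mitigated"  # old version, but JndiLookup.class was removed
                else:
                    status = "VULNERABLE"
                findings.append((path, version, status))
    return findings
```

Log4j 1.x jars carry no log4j-core pom path and are therefore not reported, and the 2.12.x Java 7 backport releases are reported as old even where they contain the fixes.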
** Details **
Boomi has investigated and assessed the impact of the Log4j vulnerability as follows.
- AtomSphere Platform is not vulnerable. No customer action is required.
- AtomSphere Public Cloud Atom and MDH are not vulnerable. No customer action is required.
- AtomSphere Local Atoms and APIM are not vulnerable. No customer action is required.
- Boomi Flow is no longer vulnerable. Flow updated Log4J to a patched version within 24 hours. No customer action is required.
- In addition, customers are responsible for ensuring that their private connectors do not contain a vulnerable version of Log4J.
- Unrelated to Log4J, should you wish to further enhance your security posture:
  - Ensure you are running on Boomi's recommended Java version, Java 8u301 or Java 184.108.40.206.1. You can verify your version of Java by running `java -version` on the host server.
  - Ensure the default security properties are set. On AtomSphere Platform go to Atom Management → Properties → Advanced and ensure that "Security Compatibility" is set to "JVM_DEFINED". See JVM_DEFINED section.
- Boomi strongly recommends testing any changes in a non-production environment first.
Solace has released fixes and/or workarounds for all of the Solace products exposed to the Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046. Please refer to the table below for details. Only Solace products listed below were exposed to these vulnerabilities. Solace products not listed below and not used by Appronto customers are not exposed to these vulnerabilities.
- PubSub+ Cloud (Console): 2 micro-services that host PubSub+ Cloud consoles were running the impacted versions of Log4j. Fixed: all impacted services have been patched as of December 14, 2021 to pick up the latest Log4j version 2.16.0.
Agent version 7.32.3
When a JMX based integration is enabled, the Datadog Agent spawns a Java client (called JMXFetch) to communicate with monitored Java applications using the JMX Protocol. The JMXFetch client uses Log4j for standard logging, and as a client-only application, it does not expose any endpoints. Therefore, exploiting the Log4j vulnerability through JMXFetch would require the JVM application it monitors to be malicious.
Appronto therefore judges the risk of this vulnerability to be low.
- Appronto has upgraded the Datadog agent to version 7.32.3 for all servers directly accessible and managed by Appronto.
- For customers for which Appronto cannot log in to servers directly, Appronto will contact the customer with instructions on how to update the agent.
Agent version 7.32.4
Datadog has removed all dependencies on log4j and uses java.util.logging instead. Appronto recommends that all customers upgrade to this version or higher.
- The version of Log4j2 available in the Amazon Linux 2 default package repository, 1.2.17-16, is not affected by this issue with default configurations.