Boomi and Solace vulnerability for Apache Log4j2 Issue (CVE-2021-44228)
Modified on: Fri, 31 Dec, 2021 at 11:36 AM
If you need additional details or assistance, don't hesitate to get in touch with Appronto Support,
On December 12 2021, the National Cyber Security Centre of the Netherlands has issued a national warning concerning the use of Log4J within applications. Appronto is aware of the recently disclosed security issue relating to the open-source Apache "Log4j2" utility. We are actively monitoring this issue and have contacted our suppliers.
- MITRE has labelled the vulnerability as CVE-2021-44228 and assigned it the highest CVSS score (10.0).
- This vulnerability can give an attacker full control of any impacted system.
- In addition, the Apache Foundation has disclosed two other vulnerabilities (CVE-2021-45046 and CVE-2021-45105) that could allow a denial of service attack against the impacted system.
All Boomi, Solace and Datadog systems of Appronto customers are safe. Appronto has updated all software components when applicable. The current status:
- The appronto.cloud hosting platform is not exposed
- Boomi is not exposed
- The Solace Pubsub+ message broker software is not exposed
- The Solace Pubsub+ Cloud console is not exposed
- The Appronto Datadog monitoring solution is not exposed
- We recommend that customers who host Boomi themselves
- Check the Boomi servers for vulnerabilities
- Upgrade the Boomi JRE to a recent version of Java 8 or Java 11. Appronto is happy to help customers with this upgrade.
- Furthermore, we highly recommend you check your entire infrastructure on possible vulnerabilities by using Log4J. Click here for scripts so customers if you want to check your own systems: Northwave Security, Powershell Checker en Log4shell detector.
** Details **
- AtomSphere Platform is not vulnerable. No customer action is required.
- AtomSphere Public Cloud Atom and MDH are not vulnerable. No customer action is required.
- AtomSphere Local Atoms and APIM are not vulnerable. No customer action is required.
- Boomi Flow is no longer vulnerable. Flow updated Log4J to a patched version within 24 hours. No customer action is required.
- In addition, customers are responsible to ensure your private connectors do not contain a vulnerable version of Log4J.
- Unrelated to Log4J, should you wish to further enhance your security posture:
- Ensure you are running on Boomi's recommended Java version, Java 8u301 or Java 18.104.22.168.1. You can verify your version of java by running `java -version` on the host server.
- Ensure the default security properties are set. On AtomSphere Platform go to Atom Management → Properties → Advanced and ensure that "Security Compatibility" is set to "JVM_DEFINED". See JVM_DEFINED section.
- Boomi strongly recommends testing any changes in a non-production environment first.
Solace has released fixes and/or workarounds for all of the Solace products exposed to the Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046. Please refer to the table below for details. Only Solace products listed below were exposed to these vulnerabilities. Solace products not listed below and not used by Appronto customers are not exposed to these vulnerabilities.
- PubSub+ Cloud (Console): 2 micro-services that host PubSub+ Cloud consoles were running the impacted versions of Log4j. Fixed: All impacted services have been patched as of December 14, 2021 to pick up the latest Log4j version 2.16.0,
Appronto identified that the JMX monitoring component of our Agent software also leverages an impacted version of log4j. Datadog has released a new version of the agent (7.32.3), which prevents the vulnerability from being exploited. As of version 7.32.4, Datadog has removed all dependencies on log4j and use java.util.logging instead.
Agent version 7.32.3
When a JMX based integration is enabled, the Datadog Agent spawns a Java client (called JMXFetch) to communicate with monitored Java applications using the JMX Protocol. The JMXFetch client uses Log4j for standard logging, and as a client-only application, it does not expose any endpoints. Therefore, exploiting the Log4j vulnerability through JMXFetch would require the JVM application it monitors to be malicious.
Appronto, therefore, judges this vulnerability as low.
- Appronto has upgraded the Datadog agent to version 7.32.3 for all servers directly accessible and managed by Appronto.
- For customers for which Appronto cannot log in to servers directly, Appronto will contact the customer with instructions on how to update the agent.
Agent version 7.32.4
Datadog has removed all dependencies on log4j and use java.util.logging instead. Appronto recommends that all customers upgrade to this version or higher.
Appronto uses Amazon AWS EC2 Linux 2 as its hosting platform. AWS
- The version of Log4j2 available in the Amazon Linux 2 default package repository, 1.2.17-16, is not affected by this issue with default configurations.
Did you find it helpful?
Sorry we couldn't be helpful. Help us improve this article with your feedback.