[CC] Apache Log4j2 Remote Code Execution

CTI SC Lv2Posted 29 Dec 2021 16:47

Last edited by CTI SC 29 Dec 2021 16:48.

Product warning background:
Vulnerability Overview
On 10 December 2021, Apache Log4j2 Remote Code Execution (RCE) vulnerability (CVE-2021-44228), also known as Log4Shell was announced. This vulnerability exists in some previous versions of Sangfor Cyber Command. Attackers can exploit the vulnerability to run remote code execution and gain total access to the Cyber Command server.  Sangfor has released a patch for this vulnerability

No other Sangfor Products including IAG, NGAF, Endpoint Secure, HCI, VDI, SSLVPN, WANO and CM are affected at this time.

Versions and Fix
The scope of the vulnerability is for Sangfor Cyber Command versions before v3.0.50. Version 3.0.50 and newer will not be affected. The vulnerability mentioned above can be mitigated by upgrading Cyber Command to v.3.0.50 or v3.0.59.  For customers who have "Allow Automatic Updates" enabled, Cyber Command will have automatically installed the update if online. For customers who do not have automatic updates enabled, Cyber Command needs to be updated manually by installing this patch.

Attackers can use this vulnerability to execute arbitrary code on Cyber Command through RCE, potentially giving the attackers complete access to the server.

Vulnerability Introduction
The Apache log4j library used by Cyber Command allows for developers to log various data within their application. In certain circumstances, the data being logged originates from user input. Should this user input contain special characters and be logged using log4j, the Java method lookup will be called to execute the user-defined remote Java class in the LDAP server. This will in turn lead to RCE on Cyber Command.

Precautions & Measures
1. Upgrade Cyber Command to version 3.0.50 or later.
2. Enable automatic updates.
3. Please make sure that the Internet-facing console access permission of Cyber Command is turned off. If you need to perform remote operation and maintenance, you can use an SSL VPN or other methods to access the intranet first.
4. Set a whitelist restriction for the login IP address to Cyber Command, allowing access only to security operation and maintenance personnel.

Download the Current Version of Cyber Command
Download the following from the Sangfor Cyber Command Community Download page:https://community.sangfor.com/plugin.php?id=service:download&action=view&fid=92#/34/all

1. Upgrade file for Cyber Command version 3.0.49 and below
2. Latest patch file for Cyber Command
3. Full installation file for the latest version of Cyber Command
Source of vulnerabilityNational Vulnerability Database (NVD): CVE-2021-44228

Like this topic? Like it or reward the author.

Creating a topic earns you 5 coins. A featured or excellent topic earns you more coins. What is Coin?

Enter your mobile phone number and company name for better service. Go

Newbie308427 Lv4Posted 19 Oct 2022 23:55
nice sharing
Faisal P Lv8Posted 17 Nov 2022 11:16
Thank you very much for the information ...
Faisal P Lv8Posted 17 Nov 2022 11:17
Nice article ...
Faisal P Lv8Posted 17 Nov 2022 11:20
Great info …
Faisal P Lv8Posted 17 Nov 2022 11:21
Very informative …
Faisal P Lv8Posted 17 Nov 2022 11:22
Nice guidance ...

Trending Topics

Board Leaders