Zero-day exploits and vulnerabilities in log4j 2.x

This entry covers the three log4j vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, and the logback vulnerability CVE-2021-42550.

Reference Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550


Description:
[CVE-2021-44228, log4j] - A zero-day exploit
JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

[CVE-2021-45046, log4j]
The fix for CVE-2021-44228 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup or a Thread Context Map pattern, attackers with control over Thread Context Map (MDC) input data can cause a Denial of Service (DoS).

[CVE-2021-45105, log4j]
Apache log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect against uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.

[CVE-2021-42550, logback]
Injection vulnerability: an attacker with the privileges required to edit configuration files could craft a malicious configuration that causes arbitrary code loaded from LDAP servers to be executed.


Elixir products not affected by the above log4j 2.x vulnerabilities:

Unaffected Versions
Elixir Ambience 2021.1 and below
Elixir Ambience 4.x (all versions)
Elixir Repertoire 8.8 and below

Elixir products affected and their respective upgrade replacements:

Affected                    Release Date    Upgrade Version              Release Date
Elixir Ambience 2021.2      1-Dec-21        Elixir Ambience 2021.2c      21-Dec-21
Elixir Repertoire 8.9.0     1-Aug-21        Elixir Repertoire 8.9.5      20-Dec-21
Elixir Repertoire 8.9.1     1-Nov-21        Elixir Repertoire 8.9.5      20-Dec-21

For more details on the specific products above, visit the links below:

Elixir Repertoire 8.x
Elixir Ambience 4.x
Elixir Ambience 202x


If your project uses one of the affected versions, contact sales@elixirtech.com to obtain the updated product builds listed above, which address the zero-day exploit and vulnerabilities described here.

Additional information on Apache Log4j Security Vulnerabilities can be found here:
https://logging.apache.org/log4j/2.x/security.html