Apache Log4j 2 Vulnerability (CVE-2021-44228) Information / CVE-2021-45046 (Dec 14, 2021)
Zebra Technologies is actively following the security vulnerability in the open-source Apache "Log4j 2" utility (CVE-2021-44228). We are currently assessing the potential impact of the vulnerability on Zebra products and solutions. This is an ongoing event, and we will continue to provide updates through our customer communication channels. Our support page will be updated to include relevant information as it becomes available.
Background: The Apache Log4j utility is a commonly used component for logging requests. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j version 2.14.1 or below to be compromised and allow an attacker to execute arbitrary code.
On December 10, 2021, NIST published a critical Common Vulnerabilities and Exposures (CVE) entry, CVE-2021-44228. More specifically, Java Naming and Directory Interface (JNDI) features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.
Description: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This allows attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS). Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
What should I do to protect myself?
We strongly encourage customers to consult with their software vendors and obtain patches and updates as soon as possible for all impacted software applications.
For internally developed servers or applications, we strongly encourage customers who manage environments containing Log4j 2 to update to version Log4j 2.15.0 or later per Apache's guidance: https://logging.apache.org/log4j/2.x/
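An added inventory check (not Zebra's or Apache's code) that applies the thresholds above: it reads the log4j-core version and the presence of JndiLookup.class from a jar, then combines that with the JVM flag and the PatternLayout tokens named in the CVE-2021-45046 description to classify the install. The jar is a constructed stand-in, and the state labels are assumptions of this example, not Zebra's.

```python
import io
import re
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Non-default PatternLayout tokens named in the CVE-2021-45046 description.
CTX_TOKENS = re.compile(r"\$\$?\{ctx:|%X\b|%mdc\b|%MDC\b")

def parse_version(v):
    """'2.15.0' -> (2, 15, 0); pre-release suffixes are ignored."""
    nums = [int(x) for x in re.findall(r"\d+", v.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def scan_jar(jar_bytes):
    """Return (version, JndiLookup present) for a log4j-core jar given as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return version, JNDI_CLASS in names

def classify(version, jndi_class_present=True, jvm_args="", layout_pattern=""):
    """Map the findings to the states used on this page (fixed / mitigated / exposed)."""
    v = parse_version(version)
    ctx = bool(CTX_TOKENS.search(layout_pattern))
    if v >= (2, 16, 0):
        return "fixed: lookups removed, JNDI off by default"
    if not jndi_class_present:
        return "mitigated: JndiLookup.class removed from jar"
    if v >= (2, 15, 0):
        # 2.15.0 is only incomplete when a non-default layout uses ctx lookups
        return "exposed: CVE-2021-45046" if ctx else "partial: update to 2.16.0"
    # The property exists from 2.10.0 and does not cover ctx lookups (CVE-2021-45046).
    if v >= (2, 10, 0) and "-Dlog4j2.formatMsgNoLookups=true" in jvm_args:
        return "exposed: CVE-2021-45046" if ctx else "mitigated: message lookups disabled"
    return "vulnerable: CVE-2021-44228"

def make_sample_jar(version, with_jndi=True):
    """Constructed stand-in for a real jar; holds only the entries scan_jar reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    return buf.getvalue()
```

Point scan_jar at the bytes of a real log4j-core jar from your classpath, and pass the JVM command line and the active PatternLayout string to classify to get a per-host verdict.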
SUPPORT PAGES FOR IMPACTED PRODUCTS:
| Affected Product | CVE-2021-44228 (Apache Log4j 2) | Date | CVE-2021-45046 | Date |
| --- | --- | --- | --- | --- |
| Visibility IQ (VIQF) | Limited exposure to this vulnerability; remediation complete | Remediated Dec 12th, 2021 | Not affected | N/A |
| SOTI MobiControl v 14.3 to 15.4.1 – Hosted Environments | Limited exposure to this vulnerability. Engineering is actively working to resolve | Remediated Dec 22nd, 2021 | Limited exposure to this vulnerability. Engineering is actively working to resolve | Remediated Dec 22nd, 2021 |
| PTT Pro Windows/Desktop (G1, G2) | Upon continued assessment of the vulnerability, the following Workforce Connect (WFC) products have been determined to not be impacted by this vulnerability | N/A | Upon continued assessment of the vulnerability, the following Workforce Connect (WFC) products have been determined to not be impacted by this vulnerability | N/A |
| Zebra Enterprise Messaging | After investigation; using version not impacted by this vulnerability. | Remediated Dec 15, 2021 | Not affected | N/A |
| Fetch | Limited exposure to this vulnerability. Engineering mitigated issue | Remediated Dec 12th, 2021 | Limited exposure to this vulnerability. Engineering is actively working to resolve | Upon continued assessment of the vulnerability, this product has been determined to not be impacted. |
| Reflexis | Full exposure to this vulnerability; Engineering is actively working to resolve | Remediated Dec 29th, 2021 | Full exposure to this vulnerability; Engineering is actively working to resolve | Remediated Jan 7th, 2022 |
| Visibility Server Software (ZLS) | After investigation; using version not impacted by this vulnerability. | Remediated Dec 14, 2021 | After investigation; using version not impacted by this vulnerability. | N/A |
| MotionWorks Enterprise (ZLS) | Remediated vulnerability by setting -Dlog4j2.formatMsgNoLookups=true when starting the JVM | Remediated Dec 14, 2021 | Low Risk - The components that use log4j will only receive requests when the user is authenticated. They do not log arbitrary user inputs. | Remediated Dec 19, 2021 |
| Zebra Profitect (ZPA) | Limited exposure to this vulnerability. Engineering has removed IntelliJ and Log4J to remediate | Remediated Dec 10th, 2021 | Not affected | N/A |
| Printer Profile Manager Enterprise (PPME) | Not impacted by this vulnerability. Version 3.2.7563 and later removes and/or updates files and components related to Log4j. Visit the support page. | Updated Feb 8th, 2021 | Not impacted by this vulnerability. Version 3.2.7563 and later removes and/or updates files and components related to Log4j. Visit the support page. | Updated Feb 8th, 2021 |
Disclaimer: Zebra makes every attempt to release security updates on or about the time that Google releases its respective security bulletin. However, delivery time of security updates may vary depending on the region, product model, and third-party software suppliers. Under some circumstances, the OS must be updated to the latest maintenance release prior to installing the security updates. Individual product updates will provide specific guidance.
Unless otherwise noted, there have been no reports of active customer exploitation or abuse from these newly reported issues.
Are you aware of a potential security issue with a Zebra Technologies product?