
Jason Garbis, December 13, 2021

Appgate SDP Unaffected by Log4j Vulnerability


Updated Dec 17 2021: Added information about increased CVSS score of log4j issue CVE-2021-45046

Updated Dec 14 2021: Added information about secondary log4j issue CVE-2021-45046

It was a long weekend for information security professionals, working to discover and remediate servers in their IT infrastructure which were vulnerable to the widely publicized and actively exploited security vulnerability in Apache Log4j. Thank you to all the incident responders and security teams who worked long and frenetic hours to secure your enterprises.

The Appgate SDP team likewise engaged immediately upon learning about this vulnerability, investigating and analyzing the use of Log4j within Appgate SDP.

Our engineering team has determined that Appgate SDP is not vulnerable to this Log4j issue. This is true for all supported versions of Appgate SDP.

Appgate SDP only uses Log4j in its LogServer function—specifically within the Elasticsearch and Kibana open source components. Elastic has confirmed that neither of these two is susceptible to the Log4j vulnerability. (Elastic did discover a minor, related issue in Elasticsearch, an information disclosure via DNS, documented in the link above. By following the two recommendations below, your Appgate SDP system will be protected from this minor vulnerability as well.)

Please note that even though the LogServer is not vulnerable to this attack, our recommended deployment model, for maximum security, is that the LogServer appliance Admin UI should never be exposed to all sources on the internet (see item 10 in the manual here). Following this guidance will ensure your LogServer is protected from denial-of-service and other attacks.

Out of an abundance of caution, we also recommend that customers disable the Log4j Message Lookup Substitution feature within the Appgate SDP LogServer appliance. Appgate SDP customers will receive an email from Support today, with instructions on how to apply this configuration change. For Appgate SDP-as-a-Service customers, we have already made this configuration change. Note that future releases of Appgate SDP will have the Log4j Message Lookup Substitution disabled by default.

Customers, please reach out to our support team with any questions or follow-up issues. Note that our official advisory on this vulnerability is available from the Appgate SDP Security Advisories page here.

Thank you, security professionals, for your dedication to securing your enterprises. 2021 marks the biggest year on record for zero-day exploits, and remediating them can be relentless. We are focused on helping our customers mitigate their risk by adopting Zero Trust security architectures that enforce the principle of least privilege—reducing the attack surface by making all network resources and applications invisible unless a user is authorized and authenticated. This approach can significantly mitigate the effects of vulnerability exploitation and attacks. This Log4j vulnerability is a good example of why even exposing an application’s login screen to an unauthorized user represents a real and unnecessary risk.

Update Dec 14: A related (less critical) Log4j vulnerability has been disclosed – details here – which can result in a denial-of-service attack under certain circumstances. Out of an abundance of caution, we have updated the configuration change files for Appgate SDP to include fixes for both of these vulnerabilities.

Update Dec 17:

Apache has upgraded the severity of the second CVE, CVE-2021-45046, from a CVSS of 3.7 to 9.0 (see the Apache Log4j security page here). However, Apache’s recommended mitigations remain valid and unchanged.

This increased CVE severity has no impact on Appgate SDP; the configuration and update recommendations in our Security Advisory remain valid and effective.
