Jason Garbis, December 13, 2021
Appgate SDP Unaffected by Log4j Vulnerability
Updated Dec 17 2021: Added information about increased CVSS score of log4j issue CVE-2021-45046
Updated Dec 14 2021: Added information about secondary log4j issue CVE-2021-45046
It was a long weekend for information security professionals, working to discover and remediate servers in their IT infrastructure which were vulnerable to the widely publicized and actively exploited security vulnerability in Apache Log4j. Thank you to all the incident responders and security teams who worked long and frenetic hours to secure your enterprises.
The Appgate SDP team likewise engaged immediately upon learning about this vulnerability, investigating and analyzing the use of Log4j within Appgate SDP.
Our engineering team has determined that Appgate SDP is not vulnerable to this Log4j issue. This is true for all supported versions of Appgate SDP.
Appgate SDP only uses Log4j in its LogServer function—specifically within the Elasticsearch and Kibana open source components. Elastic has confirmed that neither of these two is susceptible to the Log4j vulnerability. (Elastic did discover a minor related information disclosure via DNS issue in Elasticsearch documented in the link above. By following the two recommendations below, your Appgate SDP system will be protected from this minor vulnerability as well.)
Please note that even though the LogServer is not vulnerable to this attack, our recommended deployment model, for maximum security, is that the LogServer appliance Admin UI should never be exposed to all sources on the internet. (see item 10 in the manual here). Following this guidance will ensure your LogServer is protected from denial-of-service and other attacks.
Out of an abundance of caution, we also recommend that customers disable the Log4j Message Lookup Substitution feature within the Appgate SDP LogServer appliance. Appgate SDP customers will receive an email from Support today, with instructions on how to apply this configuration change. For Appgate SDP-as-a-Service customers, we have already made this configuration change. Note that future releases of Appgate SDP will have the Log4j Message Lookup Substitution disabled by default.
Customers, please reach out to our support team with any questions or follow-up issues. Note that our official advisory on this vulnerability is available from the Appgate SDP Security Advisories page here.
Thank you, security professionals, for your dedication to securing your enterprises. 2021 marks the biggest year on record for zero-day exploits, and remediating them can be relentless. We are focused on helping our customers mitigate their risk by adopting Zero Trust security architectures that enforce the principle of least privilege—reducing the attack surface by making all network resources and applications invisible unless a user is authenticated and authorized. This approach can significantly mitigate the effects of vulnerability exploitation and attacks. This Log4j vulnerability is a good example of why even exposing an application’s login screen to an unauthorized user represents a real and unnecessary risk.
Update Dec 14: A related (less critical) log4j vulnerability has been released – details here – which can result in a Denial-of-Service attack under certain circumstances. Out of an abundance of caution, we have updated the configuration change files for Appgate SDP, to include fixes for both of these vulnerabilities.
Update Dec 17:
Apache has upgraded the severity of the second CVE, CVE-2021-45046 from a CVSS of 3.7 to 9.0 (see the Apache Log4j security page here). However, Apache’s recommended mitigations remain valid and unchanged.
This increased CVE severity has no impact on Appgate SDP; the configuration and update recommendations in our Security Advisory remain valid and effective.
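As an added example (not Appgate code, and not a check of the Appgate SDP LogServer configuration itself), the Python below shows the defender-side verification that goes with the Apache mitigations referred to in the Dec 14 and Dec 17 updates: it reads a log4j-core jar's manifest version and reports whether the JndiLookup class that both CVEs depend on is still present. The jars it inspects are constructed placeholders written to a temporary directory; the 2.16.0 and 2.12.2 thresholds are the Log4j releases in which Apache fixed CVE-2021-45046.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class the two Log4j CVEs depend on; Apache's mitigation for deployments
# that could not upgrade was to delete it from log4j-core.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def inspect_log4j_jar(jar_path):
    """Return (version, jndi_present) for a log4j-core jar; the version is the
    manifest's Implementation-Version, or None when that attribute is absent."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        found = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            found = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return (found.group(1) if found else None), JNDI_CLASS in names

def needs_attention(version, jndi_present):
    """Flag a jar that still ships JndiLookup and is older than the fixed
    releases (2.16.0, or the 2.12.2 backport for Java 7) or has no version."""
    if not jndi_present:
        return False
    if version is None:
        return True
    parts = tuple(int(p) for p in version.split(".")[:3] if p.isdigit())
    parts = parts + (0,) * (3 - len(parts))
    return parts < (2, 16, 0) and parts != (2, 12, 2)

def build_sample_jar(path, version, include_jndi):
    """Write a constructed, minimal jar so the check can run offline."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a class

def run_demo():
    """Build two sample jars; return {name: (version, jndi_present, flagged)}."""
    tmp = Path(tempfile.mkdtemp())
    build_sample_jar(tmp / "log4j-core-2.14.1.jar", "2.14.1", True)
    build_sample_jar(tmp / "log4j-core-2.16.0.jar", "2.16.0", False)
    results = {}
    for jar in sorted(tmp.glob("*.jar")):
        version, present = inspect_log4j_jar(jar)
        results[jar.name] = (version, present, needs_attention(version, present))
    return results
```

Point inspect_log4j_jar at a real log4j-core jar on an appliance or host to get the same (version, jndi_present) pair for it.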