As a response to security concerns about the recently published high-severity vulnerability CVE-2021-44228, which affects various Java-based products using the log4j logging package and enables remote code execution:
RayVentory Data Hub
RayVentory Data Hub may be vulnerable, depending on the version being used.
- Versions 12.2.3034.239 and newer are not affected by this issue. These versions do not use or bundle the log4j library.
- Versions prior to 12.2.3034.239 contained Java-based SaaS connectors, used by the Data Hub Agent, which performed their logging through log4j. In a rare combination of specific factors, this could make the product vulnerable. The server component does not contain the log4j library.
- A dedicated statement, possible workaround and all relevant information are available on a dedicated page RVY200754: Hotfix for critical security vulnerability CVE-2021-44228 in log4j library in RayVentory Data Hub Agent.
RayVentory Scan Engine
RayVentory Scan Engine may be vulnerable, depending on the version being used.
- Versions 12.3.3429.24 (Update 2) and newer are not affected by the aforementioned security vulnerability. Starting from this version, the log4j library has been removed from all components.
- Versions prior to 12.3.3429.24 contained a Java-based component, oratrack, used for scanning OracleDB (Zero-Touch and/or Remote execution). This component contained a vulnerable version of log4j which, at the time of the announcements, was considered not directly affected by the aforementioned security vulnerability CVE-2021-44228.
- Our product used version 1.2.17 / 1.2.8, which is not listed as a vulnerable component. The critical issue exists only in versions 2.0 up to, but excluding, 2.15.
- For the record, the version we used had similar potential vulnerabilities (CVE-2019-17571, CVE-2021-4104), but the way the component is used in the product leaves it unexposed to that security risk.
- For customers not requiring OracleDB scanning functionality and using RayVentory Scan Engine versions prior to 12.3.3429.24 (Update 02), the component may be removed or replaced with a dummy file, which closes the security risk.
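A defender-side check in the spirit of the version statements above, added here as an example and not part of Raynet's products or this article: it classifies log4j versions recorded in a software inventory against the range stated in this article (2.0 up to, but excluding, 2.15) and flags the 1.x line for review of the two older CVEs named above. The parser, the category strings and the sample inventory records are constructed for the example. Fix releases back-ported to older 2.x branches are deliberately not modelled, so an "affected" result means "verify this host", not a confirmed exposure.

```python
# Added example, not part of Raynet's products or this advisory: classify
# log4j versions found in a software inventory against the version ranges
# the advisory describes. Sample data below is constructed.
import re

# Range stated in the advisory: CVE-2021-44228 affects log4j 2.0 up to,
# but excluding, 2.15. Pre-release qualifiers such as "2.0-beta9" are folded
# into their numeric base version, so they fall inside the range as well.
AFFECTED_FROM = (2, 0, 0)
FIXED_IN = (2, 15, 0)

# Accepts "1.2.17", "2.14.1", "2.0-beta9", "v2.15.0"; rejects anything else.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-.][0-9A-Za-z.-]+)?$")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch); a missing patch component counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(version: str) -> str:
    """Map a log4j version onto the categories used in the advisory."""
    v = parse_version(version)
    if AFFECTED_FROM <= v < FIXED_IN:
        return "affected: CVE-2021-44228"
    if v[0] == 1:
        # The 1.x line is outside the CVE-2021-44228 range, but as the advisory
        # notes for 1.2.x it carries CVE-2019-17571 / CVE-2021-4104, whose
        # exposure depends on which log4j features the product actually uses.
        return "not affected by CVE-2021-44228; review CVE-2019-17571, CVE-2021-4104"
    return "not affected"


# Constructed sample inventory: (host, product, component, log4j version).
# Host names and the generic "Java service" entries are made up; the log4j
# version numbers themselves are real release numbers.
SAMPLE_INVENTORY = [
    ("srv-01", "RayVentory Scan Engine", "oratrack", "1.2.17"),
    ("srv-02", "Java service", "log4j-core", "2.14.1"),
    ("srv-03", "Java service", "log4j-core", "2.15.0"),
    ("srv-04", "Java service", "log4j-core", "2.0-beta9"),
]


def triage(inventory):
    """Return one (host, component, version, classification) row per record."""
    return [(host, comp, ver, classify(ver)) for host, _prod, comp, ver in inventory]


def hosts_needing_action(inventory):
    """Hosts whose recorded log4j version falls in the CVE-2021-44228 range."""
    return [host for host, _c, _v, status in triage(inventory) if status.startswith("affected")]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("{:<8} {:<12} {:<10} {}".format(*row))
    print("action required on:", hosts_needing_action(SAMPLE_INVENTORY))
```

Feeding real inventory data through `triage` gives a first cut that separates the three cases the article distinguishes: versions in the Log4Shell range, the legacy 1.x line with its own issues, and 2.15 or later.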
RaySAMi
All versions can be affected by the specified vulnerability. Raynet has already issued a quick remediation (RVY200751). More details can be found in the respective Knowledge Base Article.
As of 2021-12-17, the previously published official workaround is no longer sufficient. See the Updates section for more information.
Other products
The following products do not contain the log4j library in any version. Therefore, they are not affected by this vulnerability or by any other vulnerability present in the log4j library.
- RayVentory Server
- RayManageSoft Unified Endpoint Manager
- RayVentory Catalog
- RayFlow (Server, Client, PowerShell API)
- RayPack Studio (RayPack, RayEval, RayQC, RayQC Advanced, PackLayering, Hyper-V Tools)
- RayPackage
- Floating License Server
- RayManageSoft infinity
- RaySuite Appliance
Updates
- 2022-06-02: As of version RVSE 12.3.3429.24 [Update 2], the Oratrack component belonging to RayVentory Scan Engine no longer contains the log4j library and is therefore not affected by this vulnerability or by any other vulnerability affecting log4j code. The article has been reformatted to make clearer which products and versions are vulnerable and which are not.
- 2022-04-22: Updated information about lack of vulnerability in RayVentory Data Hub 12.3. Updated and clarified section RayVentory Scan Engine.
- 2021-12-17: The remediation described in the Knowledge Base articles RVY200747: Hotfix: RR-2645-2696 Fixed critical security vulnerability [CVE-2021-44228] in logging library log4j and RVY200751: Remediation of log4j vulnerability [CVE-2021-44228] in product RaySAMi has been evaluated as discredited: Apache no longer recommends this previously suggested quick fix. Raynet is working on a solution to completely remove log4j from its products to eliminate CVE-2021-44228.
- 2021-12-21: The article RVY200751: Remediation of log4j vulnerability [CVE-2021-44228] in product RaySAMi has been extended with a manual workaround for temporary remediation. We recommend taking immediate action until a final patch is available.
- 2021-12-23: A new hotfix for security vulnerability CVE-2021-44228 has been published for RayVentory Data Hub Agent.
Related content:
- RVY200751: Remediation of log4j vulnerability [CVE-2021-44228] in product RaySAMi
- RVY200754: Hotfix for critical security vulnerability CVE-2021-44228 in log4j library in RayVentory Data Hub Agent