RVY200748: Apache Log4j CVE-2021-44228 vulnerability

In response to security concerns about the recently published high-severity vulnerability CVE-2021-44228, which affects various Java-based products using the log4j logging package by enabling an attack known as remote code execution, the status of Raynet products is as follows:

RayVentory Data Hub

RayVentory Data Hub may be vulnerable, depending on the version being used.

  • Versions 12.2.3034.239 and newer are not affected by this issue. These versions do not use or bundle the log4j library.
  • Versions prior to 12.2.3034.239 contained Java-based SaaS connectors used by the Data Hub Agent, which performed logging with log4j. Under a rare combination of specific factors, this could make the product vulnerable. The server component does not contain the log4j library.


RayVentory Scan Engine

RayVentory Scan Engine may be vulnerable, depending on the version being used.

  • Versions 12.3.3429.24 (Update 2) and newer are not affected by the aforementioned security vulnerability. Starting from this version, the log4j library has been removed from all components.
  • Versions prior to 12.3.3429.24 contained a Java-based component, oratrack, used for scanning OracleDB (Zero-Touch and/or Remote execution). This component contained a version of log4j with known vulnerabilities, which at the time of the announcements was considered not directly affected by the aforementioned security vulnerability CVE-2021-44228.
    • Our product used version 1.2.17 / 1.2.8, which is not listed as a vulnerable component. The critical issue exists only in versions from 2.0 up to, but excluding, 2.15.
    • For the record, the version we used is subject to the related vulnerabilities CVE-2019-17571 and CVE-2021-4104, but the way the component is used in the product does not expose it to this security risk.
    • Customers who do not require OracleDB scanning and use a RayVentory Scan Engine version prior to 12.3.3429.24 (Update 02) may remove the component or replace it with a dummy file, which closes the security risk.
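To turn the version ranges above into an inventory check over an installation directory, here is an added Python example; it is not Raynet's tooling and the directory layout and jar names in `demo()` are constructed for illustration. It goes one step beyond the advisory by also checking 2.x jars for the presence of `JndiLookup.class`, the class whose removal is the commonly applied log4j 2.x mitigation.

```python
"""Find bundled log4j JARs under a directory and classify them against the
ranges in this advisory: log4j 1.x vs. 2.0 <= version < 2.15 (CVE-2021-44228).
Added example, not Raynet's own tooling; sample tree in demo() is constructed."""
import re
import tempfile
import zipfile
from pathlib import Path

# Matches log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, ...
LOG4J_JAR = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$", re.IGNORECASE)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(filename):
    """Return (major, minor, patch) for a log4j JAR file name, else None."""
    m = LOG4J_JAR.match(filename)
    return tuple(int(p) if p else 0 for p in m.groups()) if m else None

def classify(version, has_jndi_lookup=True):
    """Status of one jar according to the version ranges in the advisory."""
    if version is None:
        return "not log4j"
    if version[0] == 1:
        # 1.x is outside the CVE-2021-44228 range but carries CVE-2019-17571 / CVE-2021-4104
        return "not affected by CVE-2021-44228 (review CVE-2019-17571 / CVE-2021-4104 usage)"
    if (2, 0) <= version[:2] < (2, 15):
        return "affected by CVE-2021-44228" if has_jndi_lookup else "2.x with JndiLookup removed"
    return "not affected by CVE-2021-44228"

def scan(root):
    """Walk root for *.jar files and return [(relative path, status)] for log4j jars."""
    findings = []
    for jar in Path(root).rglob("*.jar"):
        version = parse_version(jar.name)
        if version is None:
            continue
        with zipfile.ZipFile(jar) as zf:          # a jar is a zip; list its entries
            has_jndi = JNDI_LOOKUP in zf.namelist()
        findings.append((str(jar.relative_to(root)), classify(version, has_jndi)))
    return sorted(findings)

def demo():
    """Constructed sample tree with three minimal jars (empty zip members) for a dry run."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "oratrack/lib/log4j-1.2.17.jar": [],                # 1.x line, as in oratrack
        "agent/lib/log4j-core-2.14.1.jar": [JNDI_LOOKUP],   # inside the affected range
        "agent/lib/log4j-core-2.15.0.jar": [JNDI_LOOKUP],   # first version outside it
    }
    for rel, members in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for member in members:
                zf.writestr(member, b"")
    return scan(root)
```

Running `demo()` reports the 1.2.17 jar as outside the CVE-2021-44228 range, flags 2.14.1 and clears 2.15.0.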

 

RaySAMi

All versions can be affected by the specified vulnerability. Raynet has already issued a quick remediation (RVY200751). More details can be found in the respective Knowledge Base Article.

As of 2021-12-17, the previously published official workaround is no longer sufficient. See the Updates section for more information.


Other products

The following products do not contain the log4j library in any version. Therefore, they are not affected by this vulnerability or by any other vulnerability present in the log4j library.

  • RayVentory Server
  • RayVentory Catalog
  • RayManageSoft Unified Endpoint Manager
  • RayFlow (Server, Client, PowerShell API)
  • RayPack Studio (RayPack, RayEval, RayQC, RayQC Advanced, PackLayering, Hyper-V Tools)
  • RayPackage
  • Floating License Server
  • RayManageSoft infinity
  • RaySuite Appliance

Updates
