Apache Log4j vulnerability variant [CVE-2021-44228]

Question

This is probably a no brainer, but is the Solarwinds Orion 2020.2.6 HF1 version impacted at all by the new log4j vulnerability variant? My guess is probably not, being that it needs JAVA to manifest itself, and I don't believe Solarwinds Orion utilizes any JAVA components with the latest software versions. But my management wanted me to check with you folks. So please advise and confirm? Thank you!

jeff.stewart · Accepted Answer

Latest information can be found here;

SolarWinds Trust Center Security Advisories | CVE-2021-44228 
 
 Jeff

pgaryga · Answer

The instructions here worked for me, Tenable scan was happy after.
https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US

KMSigma.SWI · Answer

If you are running Server Configuration Monitor (SCM) , I've built a SCM Profile to check for this using PowerShell. 
 
 I've only got a handful of servers where I can test it and (at present) it doesn't do a check for the versions - you still need to do that part by hand.

jeff.stewart · Answer

We do. You can add a security contact DL within the customer portal where we notify customers via email. https://thwack.solarwinds.com/resources/b/product-blog/posts/defining-a-named-security-contact-for-your-organization 
 We also have an RSS feed.

terryk · Answer

Yes the new SAM 2020.2.6 HF3 contains a fix for Log4J issue. 
 Details can be found at this LINK 
 OVERVIEW 
 
 SAM 2020.2.6 Hotfix 3 includes the following updates:
 
 Apache Log4j libraries were updated to resolve vulnerabilities described in CVE-2021-44228 and CVE-2021-45046 . This hotfix includes Log4j 2.16.0. You may notice that 2.14.0 files remain in the < Installation directory >\SolarWinds\Orion\APM\jmxbridge\lib directory, but they are empty files that should not cause false-positives in security scans.

Apache Log4j vulnerability variant [CVE-2021-44228]

Top Replies