[CVE-2021-44228] Apache Log4j2 RCE impact on UMM and FM
Summary
This article explains the impact of [CVE-2021-44228] Apache Log4j2 RCE on Unleashed Multisite Manager (UMM) and Flex Master (FM), and the steps to mitigate it.
Question
What is the effect of [CVE-2021-44228] Apache Log4j2 RCE on UMM and FM?
Customer Environment
UMM version 2.0 to 2.5. FM version 9.13.1. Not applicable to UMM version 2.6 and above.
Root Cause
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft input that contains a recursive lookup, resulting in a StackOverflowError that terminates the process. This is also known as a DoS (Denial of Service) attack.
Symptoms
For the UMM product, only versions 2.0 to 2.5 are affected. UMM versions 2.6 and above do not need the script, since the vulnerability has already been fixed there.
FM version 9.13.1 is affected and needs the script.
Resolution
For UMM Version 2.0 to 2.6 and FM version 9.13.1, apply the attached script log4jJndiFix.sh, following the steps in the attached document "log4j script User Guide".
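As an added check that is not part of this article or the attached script: the audit below walks a directory tree, reads the version of every log4j-core jar it finds (from the manifest, or from the file name when the jar has no manifest) and reports the ones inside the range the Root Cause section names as affected, 2.0-alpha1 through 2.16.0. The install path of the UMM or FM Java libraries is not given in the article and must be supplied as the root; the jars built by build_sample_tree() are constructed sample input, not vendor files.

```python
# Added example (not the article's or the vendor's script): audit a directory
# tree for log4j-core jars in the range the article calls affected, 2.0-alpha1..2.16.0.
import re
import tempfile
import zipfile
from pathlib import Path

FIRST_AFFECTED = (2, 0, 0)   # 2.0-alpha1, the first 2.x pre-release
LAST_AFFECTED = (2, 16, 0)   # last version the article lists as affected

def parse_version(version: str) -> tuple:
    """'2.16.0' -> (2, 16, 0); '2.0-alpha1' -> (2, 0, 0), the pre-release suffix is dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_affected_version(version: str) -> bool:
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED

def jar_version(jar_path: Path):
    """Implementation-Version from the manifest, else the version in the file name, else None."""
    with zipfile.ZipFile(jar_path) as jar:
        manifest = ""
        if "META-INF/MANIFEST.MF" in jar.namelist():
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    m = re.search(r"log4j-core-(\d[^/]*?)\.jar$", jar_path.name)
    return m.group(1) if m else None

def find_affected_jars(root: str) -> list:
    """Sorted (path, version) pairs for every affected log4j-core jar under root."""
    found = ((str(p), jar_version(p)) for p in Path(root).rglob("log4j-core-*.jar"))
    return sorted((p, v) for p, v in found if v and is_affected_version(v))

def build_sample_tree() -> str:
    """Constructed input: three manifest-only jars (no classes) in a temp dir; returns its path."""
    root = tempfile.mkdtemp()
    samples = {"log4j-core-2.14.1.jar": "2.14.1", "lib/log4j-core-2.17.0.jar": "2.17.0",
               "log4j-core-2.0-alpha1.jar": None}  # None: no manifest, file-name fallback
    for rel, ver in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(*(("META-INF/MANIFEST.MF", f"Implementation-Version: {ver}\r\n")
                           if ver else ("README", "constructed jar without a manifest")))
    return root
```

Running find_affected_jars() against the real library directory before and after applying the script shows whether any affected log4j-core jar remains in place.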
Attachment 1
User guide for Script.docx (133 KB)
Attachment 2
Script file (1.45 KB)
Article Number:
000012031
Updated:
January 05, 2022 06:17 AM
Tags:
Security, Known Issues and Workarounds, FlexMaster UMM