SteelConnect EX: Impact and Mitigation options for Apache's Log4j Exploit (CVE-2021-44228 and CVE-2021-45046)

Categories:
Solution Number:
S35647
Last Modified:
2022-02-08
Issue
On Dec 9, a remote code execution vulnerability in Apache log4j was announced.
https://nvd.nist.gov/vuln/detail/CVE-2021-44228 
https://www.lunasec.io/docs/blog/log4j-zero-day/ 

SteelConnect EX versions 21.2.1 and 21.2.2 are both affected by this vulnerability.

Since that time, additional vulnerabilities have been identified:
CVE-2021-44228 - Vulnerability in Apache Log4j library "Log4Shell"
CVE-2021-45046 - Apache Log4j 2.15.0 was incomplete in certain non-default configurations
CVE-2021-4104 - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.
CVE-2021-45105 - Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups.

A further vulnerability was reported at the end of December. Review of the code shows that SteelConnect EX is NOT VULNERABLE to this CVE once the binaries provided on December 28 are deployed.
CVE-2021-44832 - Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack

Information on the effect of this issue on other Riverbed products is available at https://supportkb.riverbed.com/support/index?page=content&id=S35645
Solution
Log4j2 is used in SteelConnect EX products and versions as follows:
  • Director on 21.1.x or 21.2.x software version. All other versions are not vulnerable.
  • Analytics on 21.1.x or 21.2.x software version. All other versions are not vulnerable.
  • FlexVNF is not affected.


As of December 28, newly built product binaries covering the first four CVEs were made available for versions 21.1.1, 21.2.1, and 21.2.2; these builds include Log4j v2.17. Review of the code shows that SteelConnect EX is NOT VULNERABLE to CVE-2021-44832.
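As an added example (not Riverbed code, and not part of this article), the following Python script encodes the Log4j 2 version ranges from the CVE descriptions above and reports, for the log4j-core jar versions found on a system, which of the advisory's CVEs they fall under. The function names and the sample jar list are assumptions, and the fixed-in versions for the first two CVEs are taken from Apache's advisory rather than this page.

```python
import re

# Log4j 2 version ranges taken from the CVE descriptions in this advisory
# (first affected, fixed in, backport fixes on older branches). The fixed-in
# versions 2.15.0 (CVE-2021-44228) and 2.16.0 (CVE-2021-45046) and the 2.12.2
# and 2.3.1 backports come from Apache's advisory, not from this page.
CVE_RANGES = {
    "CVE-2021-44228": ("2.0-beta9", "2.15.0", ("2.12.2",)),
    "CVE-2021-45046": ("2.0-beta9", "2.16.0", ("2.12.2",)),
    "CVE-2021-45105": ("2.0-alpha1", "2.17.0", ("2.12.3", "2.3.1")),
    "CVE-2021-44832": ("2.0-beta7", "2.17.1", ("2.12.4", "2.3.2")),
}
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?")
_JAR_RE = re.compile(r"log4j-core-(\d.*)\.jar$")

def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); pre-releases sort below the final release."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    rank = _PRE_RANK[tag] if tag else 3  # a final release ranks above alpha/beta/rc
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))

def log4j_cves(version):
    """CVEs from this advisory whose version range contains `version`. Range
    membership is not exploitability: the page states the 2.17 builds are not
    vulnerable to CVE-2021-44832 although 2.17.0 falls inside its range."""
    key = parse_version(version)
    hits = []
    for cve, (first, fixed, backports) in CVE_RANGES.items():
        in_range = parse_version(first) <= key < parse_version(fixed)
        # A backport fix only covers its own major.minor branch (e.g. 2.12.x).
        backported = any(key[:2] == parse_version(b)[:2] and key >= parse_version(b)
                         for b in backports)
        if in_range and not backported:
            hits.append(cve)
    return hits

def affected_jars(jar_names):
    """Map each log4j-core jar name (e.g. from a file listing) to its in-range CVEs."""
    return {n: log4j_cves(m.group(1)) for n in jar_names if (m := _JAR_RE.search(n))}

# Constructed sample: jar names as an appliance might list them before and
# after the December 28 build that carries Log4j 2.17.
SAMPLE_JARS = ["log4j-core-2.13.3.jar", "log4j-api-2.13.3.jar", "log4j-core-2.17.0.jar"]

if __name__ == "__main__":
    for jar, cves in affected_jars(SAMPLE_JARS).items():
        print(jar, "->", ", ".join(cves) or "no advisory CVEs in range")
```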

To ensure the proper code is installed, please download the appropriate .bin file and apply it to your existing systems. If you install using the other methods (.iso, .ova, .tbz2), you must still download and install the new .bin file in order to get the new version of Log4j.

Links to the .bin files are listed below:

SteelConnect-EX Analytics

21.2.2 https://support.riverbed.com/bin/support/download?sid=u43k3cp4ek0euosmtn08geg0mf
21.2.2 (Ubuntu) https://support.riverbed.com/bin/support/download?sid=jvlvit67m93oq03vdkpmq19ho5
21.2.1 https://support.riverbed.com/bin/support/download?sid=j0dh60nalah6pahq71j5q9dtcn
21.2.1 (Ubuntu) https://support.riverbed.com/bin/support/download?sid=38ulvcbqfn3k9hhfhi18qvdjb7
21.1.1 https://support.riverbed.com/bin/support/download?sid=sg2vakog4tksvkduo7124qanru

SteelConnect-EX Director

21.2.2 https://support.riverbed.com/bin/support/download?sid=hlu676lfd2blq00a45fiankfb6
21.2.2 (Ubuntu) https://support.riverbed.com/bin/support/download?sid=k88t3mg4q4b708s17c475mpisi
21.2.1 https://support.riverbed.com/bin/support/download?sid=glmrd53m0o4rqkpqmcmqtpcf2g
21.2.2 (Ubuntu) https://support.riverbed.com/bin/support/download?sid=i07dl96ltvph8gu6m8l6msa61v
21.1.1 https://support.riverbed.com/bin/support/download?sid=202ikmq61q1enggqe8paohidr8

Previously, a patch for CVE-2021-44228 only was made available on the Support site on Dec 15 2021 at the following links:

If you have applied this patch already, Riverbed recommends you proceed to update the entire installation with the newly available build.


Environment
SteelConnect EX
CVE-2021-44228
Log4j Vulnerability
Attachments