Considering the recent zero-day vulnerability reported in the Apache Log4j Java library, Versa Networks would like to provide the following information.

Products vulnerable to the above vulnerability:

Versa Director running software version 21.1.x or 21.2.x. All other versions are not vulnerable.

Versa Analytics running software version 21.1.x or 21.2.x. All other versions are not vulnerable.

Concerto running software version 10.1.x or 10.2.x.

VOS/Versa FlexVNF is not affected.


A software fix is now available. Refer to https://support.versa-networks.com/a/solutions/articles/23000023552


More information about the zero-day vulnerability:

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.


Severity: Critical  


Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H  


Versions Affected: all versions from 2.0-beta9 to 2.14.1  


Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.  


Mitigation: In earlier releases from 2.10 onward (before the 2.15.0 fix), this behavior can be mitigated by setting the system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against RCE by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".  
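The following script is an added example, not one of Versa Networks' mitigation scripts and not Apache code. It shows the defender-side workflow behind the class-removal mitigation above: read the log4j-core version from the jar, decide whether it falls in the affected range 2.0-beta9 to 2.14.1, check whether JndiLookup.class is present, and write a hardened copy of the jar without that entry (the same effect as the quoted zip -q -d command). It assumes the jar carries Maven's pom.properties at the standard META-INF/maven path; the sample jar it builds is constructed for the demo and its .class entries are placeholder bytes, not real bytecode.

```python
"""Added example (not Versa Networks' mitigation scripts or Apache code).

Scans a log4j-core jar for the affected version range and the JndiLookup
class, then writes a hardened copy without that class. This mirrors the
class-removal mitigation quoted in the advisory:

    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Assumptions: the jar carries Maven's pom.properties at the standard path
below; the sample jar built by make_sample_jar() is constructed for this
demo and its .class entries are placeholder bytes, not real bytecode.
"""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
AFFECTED_LOW, AFFECTED_HIGH = "2.0-beta9", "2.14.1"  # range stated in the advisory


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple; None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d+))?$", text.strip())
    if not m:
        return None
    major, minor, patch, pre_name, pre_num = m.groups()
    # A pre-release (beta9, rc1) sorts before the final release of the same number;
    # '~' is greater than every lowercase letter, so finals sort last.
    pre = (pre_name, int(pre_num)) if pre_name else ("~final", 0)
    return (int(major), int(minor), int(patch or 0), pre)


def is_affected_version(version):
    """True when version lies inside the advisory's range 2.0-beta9 .. 2.14.1."""
    v = parse_version(version)
    return v is not None and parse_version(AFFECTED_LOW) <= v <= parse_version(AFFECTED_HIGH)


def jar_version(zf):
    """Read the artifact version from pom.properties, or None if it is absent."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_jar(path):
    """Report version, whether it is in the affected range, and JndiLookup presence."""
    with zipfile.ZipFile(path) as zf:
        version = jar_version(zf)
        return {
            "version": version,
            "affected_version": is_affected_version(version) if version else None,
            "has_jndi_lookup": JNDI_LOOKUP in zf.namelist(),
        }


def harden_jar(src, dst):
    """Copy src to dst without JndiLookup.class; return the number of entries dropped."""
    dropped = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_LOOKUP:
                dropped += 1
                continue
            zout.writestr(info, zin.read(info.filename))  # keeps per-entry compression
    return dropped


def make_sample_jar(path, version="2.14.1", include_jndi=True):
    """Build a constructed stand-in jar (placeholder entries, no real bytecode)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe placeholder")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder")


def demo():
    """Scan a constructed 2.14.1 jar, harden it, rescan; return both reports."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "log4j-core-2.14.1.jar")
        dst = os.path.join(d, "log4j-core-2.14.1-nojndi.jar")
        make_sample_jar(src)
        before = scan_jar(src)
        dropped = harden_jar(src, dst)
        after = scan_jar(dst)
    return {"before": before, "dropped": dropped, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two caveats when applying this to a real deployment: the hardened jar must replace the original on disk and the JVM must be restarted, because a running process has already loaded JndiLookup from the old jar; and removing the class only covers jars you control, so the upgrade path Versa recommends below remains the complete fix.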


Versa Networks has provided mitigation scripts that deploy the mitigations recommended by the Apache community.

The scripts and instructions can be downloaded here: https://upload.versa-networks.com/index.php/s/EHgPvmFEzJMyzHp


However, it is strongly recommended that Director/Analytics be upgraded to the software releases that incorporate the Log4j fixes. Links to these software images are provided in the KB article below:


https://support.versa-networks.com/a/solutions/articles/23000023552



Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.  


References: https://issues.apache.org/jira/browse/LOG4J2-3201 and https://issues.apache.org/jira/browse/LOG4J2-3198