Security January 20, 2020

Security Bulletin: Vulnerability Analysis - DDC/AD

CertiSur Response to Log4j Vulnerability


CVE-2021-44228

Description / Impact

The threat, also called Log4Shell or LogJam, is a remote code execution (RCE) class vulnerability. If an attacker succeeds in exploiting it on a vulnerable server, they gain the ability to execute arbitrary code and potentially take full control of the system.

You can find a more detailed description of the issue at: https://www.lunasec.io/docs/blog/log4j-zero-day/

Product Versions

This analysis covers two different products: Alison-Desktop and DigiCert Desktop Client. We have evaluated the latest and most widely distributed versions of both products.

log4j

CVE-2021-44228 Vulnerability

AD and DDC use log4j version 1.x. This version is still very widespread, perhaps several times more than version 2.x.

log4j 1.x does not offer a JNDI lookup mechanism at the message level, and is not affected by CVE-2021-44228.

Another Related Vulnerability

We conducted additional analysis on this branch and confirmed a new but similar vulnerability that can only be exploited by a trusted party. That vulnerability, related to JMSAppender, requires specific conditions to be exploitable in any application. Specifically, a product using Log4j 1.x is only affected if all of the following non-default configurations are in place:

  • The JMS Appender is configured in the application's Log4j configuration
  • The javax.jms API is included in the application's CLASSPATH
  • JMS Appender has been configured with a JNDI lookup for a third party. Note: this can only be done by a trusted user modifying the application configuration, or trusted code that sets a property at runtime.
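The three conditions above can be checked mechanically against a log4j 1.x properties file and the application's classpath. The following audit script is an added example and is not CertiSur's code or part of either product; the property names it looks for (`InitialContextFactoryName`, `ProviderURL`, `TopicBindingName`, `TopicConnectionFactoryBindingName`) are the JMSAppender setters of log4j 1.x, the `log4j.properties` samples are constructed, and the classpath check is a jar-name heuristic that assumes the JMS API jar carries "jms" in its file name.

```python
"""Audit a log4j 1.x properties configuration for the JMSAppender/JNDI exposure.

Added example, not CertiSur's or the products' own code. It reports on the three
conditions from the bulletin: JMSAppender configured, javax.jms API on the
CLASSPATH, and the appender pointed at a JNDI provider or binding.
"""
import os
import re

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"

# log4j 1.x JMSAppender setters that direct it to a JNDI provider or binding.
JNDI_PROPERTIES = {
    "InitialContextFactoryName",
    "ProviderURL",
    "TopicBindingName",
    "TopicConnectionFactoryBindingName",
}

# log4j.appender.<name>=<class>
APPENDER_RE = re.compile(r"^log4j\.appender\.([A-Za-z0-9_]+)\s*=\s*(\S+)\s*$")
# log4j.appender.<name>.<Setter>=<value>  (nested keys such as layout.X are ignored)
SETTER_RE = re.compile(r"^log4j\.appender\.([A-Za-z0-9_]+)\.([A-Za-z]+)\s*=\s*(.*?)\s*$")


def parse_log4j1_properties(text):
    """Return (appenders, settings): name -> class, and name -> {setter: value}."""
    appenders, settings = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = APPENDER_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
            continue
        m = SETTER_RE.match(line)
        if m:
            settings.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return appenders, settings


def jms_api_on_classpath(classpath_entries):
    """Heuristic (assumption): the JMS API jar has 'jms' in its base file name."""
    return any("jms" in os.path.basename(entry).lower() for entry in classpath_entries)


def audit_log4j1_config(properties_text, classpath_entries):
    """Evaluate the bulletin's three conditions; 'exposed' is true only if all hold."""
    appenders, settings = parse_log4j1_properties(properties_text)
    jms_names = [n for n, cls in appenders.items() if cls == JMS_APPENDER_CLASS]
    jndi_configured = any(JNDI_PROPERTIES & set(settings.get(n, {})) for n in jms_names)
    result = {
        "jms_appender_configured": bool(jms_names),
        "jms_api_on_classpath": jms_api_on_classpath(classpath_entries),
        "jndi_lookup_configured": jndi_configured,
    }
    result["exposed"] = all(result.values())
    return result


# Constructed sample: a typical default-style configuration (console only).
SAFE_CONFIG = """
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-5p %c - %m%n
"""

# Constructed sample: JMSAppender wired to a JNDI provider (the risky shape).
JMS_CONFIG = """
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=example.ContextFactory
log4j.appender.jms.ProviderURL=ldap://jndi.example.invalid:1389/x
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
"""

if __name__ == "__main__":
    cp = ["/opt/app/lib/log4j-1.2.17.jar", "/opt/app/lib/javax.jms-api-2.0.1.jar"]
    print("safe config :", audit_log4j1_config(SAFE_CONFIG, cp))
    print("jms config  :", audit_log4j1_config(JMS_CONFIG, cp))
```

In practice the properties text would come from the deployed `log4j.properties` (or the equivalent keys of a `log4j.xml`), and the classpath from the launcher or `java -cp` line; a result of `exposed: False` with `jms_appender_configured: True` still merits a look, since only the classpath or the JNDI settings are missing.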


AD and DDC do not load their Log4j configuration from an external file that another application could modify (poison), and the default configuration does not enable JMSAppender.

Recommended Action

Earlier versions or Release Candidate versions of DigiCert Desktop Client (DDC) and Alison Desktop (AD) could include the log4j package in their distribution, but thanks to the Java virtual machine version integrated in the mentioned products and its configuration, exploitation of this vulnerability cannot be achieved. Nevertheless, and in case of any doubt, we recommend updating to the latest versions of DigiCert Desktop Client and Alison Desktop in any branch that is using them.

You can contact CertiSur support using our standard methods:

Email: support@certisur.com

Phone: https://www.certisur.com/contactanos/

© Copyright 2021 CertiSur S.A. All rights reserved.

CertiSur is a brand or registered trademark of CertiSur S.A. in Argentina and certain countries. All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries.

Given the very nature of security vulnerabilities, security bulletins are intended to be restricted to a small group of individuals. Security bulletins should be distributed within your company only, and only when necessary.

The information is provided "as is" by CertiSur without any representation, condition and/or warranty of any kind, whether express, implied, statutory, by commercial use or otherwise. CertiSur specifically disclaims all and each of the representations, conditions and/or warranties of merchantability, satisfactory quality and/or fitness for a particular purpose. To the maximum extent permitted by applicable law, in no event shall CertiSur be responsible for any damage, loss or cost arising from the actions or omissions of you or third parties in connection with this bulletin. The only representations, conditions and/or warranties that may be applicable to any CertiSur product you may have are those contained in the agreement under which you obtained a license for those products from CertiSur.