Ayfie Locator affected by Apache Log4J CVE-2021-44228

Date: 2021-12-10

CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Severity: Critical

Versions Affected: 3.0.0 to 3.3.1

Description:

Locator releases 3.0.0 to 3.3.1 used a bundled Solr that in turn used a version of the Apache Log4J library vulnerable to remote code execution (RCE). For full impact and additional detail consult the Solr security page https://solr.apache.org/security.html. For mitigation see below.

Locator releases 3.0.0 to 3.3.1 used a bundled ZooKeeper that used log4J 1.2.17, which is not impacted as long as the JMS Appender is not used; Locator did not use it in the configuration for ZooKeeper, see https://issues.apache.org/jira/browse/ZOOKEEPER-4423. No mitigation required.

Locator releases prior to 2.11.903 used a bundled Solr and ZooKeeper that both used log4j 1.2.17, which is not impacted as long as the JMS Appender is not used; Locator did not use it for either Solr or ZooKeeper, see "Restrict LDAP access via JNDI" by rgoers (Pull Request #608, apache/logging-log4j2) and https://issues.apache.org/jira/browse/ZOOKEEPER-4423. No mitigation required.

It is also important to note that enterprise solutions on the intranet are only attackable by logged-in users. Public-facing solutions should take extra precautions.

For further information please contact us by email at support-nordics@ayfie.com.

Mitigation:

For Locator 3.x, the following is sufficient to prevent this vulnerability on Locator servers:

  • Upgrade to Locator 3.4.0 or greater, which includes Solr 8.11.1 and therefore contains the fix.

For Locator 2.x, the general consensus is that Log4J 1.x, which Solr and ZooKeeper use throughout all Locator 2.x versions, is not impacted as long as the JMS appender is not used, which Locator does not use. No mitigation required.
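As an added check that is not part of this advisory: a small Python script that flags any bundled log4j-core 2.x jar older than 2.15.0 (the first 2.x release that fixed CVE-2021-44228) and lists JMSAppender instances declared in a log4j 1.x configuration, the one 1.x condition the advisory relies on being absent. The install root you pass in and the sample configs below are assumptions, not Locator's real file layout.

```python
import re
from pathlib import Path

# The log4j 1.x appender the advisory names as the only exposed 1.x path.
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# First log4j 2.x release that fixed CVE-2021-44228.
FIXED_2X = (2, 15, 0)

JAR_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)+)\.jar$")
PROPS_RE = re.compile(r"^\s*log4j\.appender\.(\w+)\s*=\s*" + re.escape(JMS_APPENDER) + r"\s*$")
XML_RE = re.compile(r'<appender\b[^>]*\bclass="' + re.escape(JMS_APPENDER) + r'"[^>]*>')
NAME_RE = re.compile(r'\bname="([^"]+)"')

def jar_version(filename):
    """Version string of a log4j-core jar file name, or None if it is not one."""
    m = JAR_RE.match(filename)
    return m.group(1) if m else None

def log4j2_vulnerable(version):
    """True for a log4j-core 2.x version older than the 2.15.0 fix; 1.x is judged by config, not version."""
    v = tuple(int(p) for p in version.split("."))
    return v[0] == 2 and v < FIXED_2X

def find_vulnerable_jars(root):
    """Walk an install tree (e.g. the bundled Solr) and list log4j-core jars below 2.15.0."""
    hits = []
    for jar in Path(root).rglob("log4j-core-*.jar"):
        version = jar_version(jar.name)
        if version and log4j2_vulnerable(version):
            hits.append(str(jar))
    return hits

def jms_appenders(config_text):
    """Names of JMSAppender instances in a log4j 1.x config (properties or XML); '#'-commented lines are skipped."""
    names = []
    for line in config_text.splitlines():
        if not line.lstrip().startswith("#"):
            names += PROPS_RE.findall(line)
    for tag in XML_RE.findall(config_text):
        m = NAME_RE.search(tag)
        names.append(m.group(1) if m else "<unnamed>")
    return names

# Constructed sample configs (not Locator's real files): a console-only 1.x config, and the same with a live JMS line.
SAFE_PROPS = """log4j.rootLogger=INFO, CONSOLE
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
# log4j.appender.JMS=org.apache.log4j.net.JMSAppender
"""
RISKY_PROPS = SAFE_PROPS + "log4j.appender.JMS=org.apache.log4j.net.JMSAppender\n"
```

Run `find_vulnerable_jars("<solr-install-dir>")` against the bundled Solr and `jms_appenders(open("log4j.properties").read())` against each ZooKeeper or Solr 1.x logging config; an empty result from both matches the advisory's "no mitigation required" condition.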