Originally posted on December 16, 2021
It was recently announced by the Apache Foundation that Log4j, a popular Java logging library, is vulnerable to remote code execution (RCE). The vulnerability has been labeled by MITRE as CVE-2021-44228 and given the highest CVSS score (10.0).
Immediately following the announcement on December 10, 2021, Code42 security and engineering teams began working to evaluate all products and internal services for potential impact. Described below are several updates Code42 has made to mitigate against CVE-2021-44228, in addition to other recent bug and security enhancements.
If you have enabled delayed client updates, we recommend reviewing and adjusting your settings to allow all clients to update immediately. For administrators who did not configure a delay, your devices have already upgraded automatically. Read on for further information regarding Code42’s latest updates.
Mitigation for CVE-2021-44228 (Log4j)
Code42 App Version 8.8.1 Update
On December 14, 2021 Code42 app version 8.8.1 was released, mitigating CVE-2021-44228 along with other bug and security enhancements.
Since the patched version of Log4j (2.15) was released, there has been a new version of log4j that remediates additional vulnerabilities. We have assessed this new version and determined it does not remediate vulnerabilities for our environment and therefore, we will not be doing an emergency patch to apply 2.16. Version 2.15 addresses the critical vulnerability. The 2.16 version addresses a very specific edge case related to a logging configuration that we do not use in our product. As always, we will be monitoring for updated versions and apply those versions as necessary.
Code42 Cloud Update
On Wednesday, December 15, 2021, Code42 released updates to its cloud infrastructure to remediate CVE-2021-44228. This release also includes features, enhancements and other minor updates and bug fixes. For full details, view the release notes.
For additional details regarding CVE-2021-44228: https://logging.apache.org/log4j/2.x/security.html
Additional details regarding Code42’s response to CVE-2021-44228 can be found here:
As this is a rapidly evolving situation, we will continue to provide updates describing the steps being taken to mitigate against this threat.
Other Code42 Updates and Improvements
Code42 App Version 8.8.1
As mentioned in an update to our Code42 app version 8.8.0 release, this patch release is a replacement for Code42 app version 8.8.0. Code42 app version 8.8.1 corrects a vulnerability that enables a potential escalation of privileges. This vulnerability is not yet publicly disclosed and has the reserved number CVE-2021-43269.
You may also mitigate this security vulnerability manually, by following the instructions in this support article to lock your proxy settings: https://code42.com/r/support/email-lock-proxy-settings
Code42 will publish full details of CVE-2021-43269 in approximately 30 days. To receive the CVE details as soon as they are available, please update your email preferences.
Unrelated to updates made in relation to CVE-2021-44228, in pursuit of enhancing security and scalability for Incydr customers, we are advancing our infrastructure strategy through a new AWS storage fabric.
Code42 Incydr customers will see a new destination added to their endpoints as we move to this new technology. This new data storage fabric will better position our customers to tackle the growing Insider Risk problem both now and in the future, at scale.
For additional information regarding these releases or Code42’s response to Log4j, please reach out to Code42 customer champions.