ADTSA-2021004: Log4j JNDI remote code execution (Log4Shell)

Description


Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

The fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DoS (denial of service) attack.

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.


CVE IDs



Affected Products


Product Family | Affected Versions | Severity | Notes
--- | --- | --- | ---
ACI-E | All prior to 7.0.15-220patch01 | Medium | The utilized Log4j and Java are configured such that the vulnerability cannot be exploited via manipulated external libraries. CVE-2021-4104 does not apply.
g.Fast PMAA | All prior to 1.6.16 | Medium | The utilized Log4j and Java are configured such that the vulnerability cannot be exploited via manipulated external libraries. CVE-2021-4104 does not apply.
Mosaic Cloud Platform | All prior to 21.5 | Medium | The utilized Log4j and Java are configured such that the vulnerability cannot be exploited via manipulated external libraries. CVE-2021-4104 does not apply.
Mosaic Device Manager | N/A | Medium | The utilized Log4j and Java are configured such that the vulnerability cannot be exploited via manipulated external libraries. CVE-2021-4104 does not apply.
Mosaic Home Analytics | N/A | Medium | The utilized Log4j and Java are configured such that the vulnerability cannot be exploited via manipulated external libraries. CVE-2021-4104 does not apply.
Plume Cloud | N/A | Medium | The system architecture mitigates most exploit paths. Only CVE-2021-44228 applies.

Unaffected Products


Product Family Products
ADTRAN OS IP Business Gateways, Routers, & Switches
  • NetVanta 1200 Series
  • NetVanta 1530 Series
  • NetVanta 1540 Series
  • NetVanta 1550 Series
  • NetVanta 1600 Series
  • NetVanta 3000 Series
  • NetVanta 4000 Series
  • NetVanta 5000 Series
  • NetVanta 6000 Series
  • Total Access 900/900e Series
ADTRAN Switch Engine Switches
  • NetVanta 1560 Series
AOE All products
Bluesocket Access Points All products
Bluesocket vWLAN All products
Carrier Ethernet NIDs
  • NetVanta 800 Series
  • NetVanta 8000 Series
EliteCloud Managed Wi-Fi All products
EPON OLTs
  • 9500 Series
  • FSU 7000 Series
  • SDX 6210-4
EPON ONUs
  • 1004
  • 6304W
  • 8001A
  • 8001B
  • FSU Series
Ethernet Service Delivery Gateways & Mesh APs (PlumeOS)
  • SDG 834-5
  • SDG 831-t5
Ethernet Service Delivery Gateways & Mesh APs (SmartOS)
  • SDG 831-t5
  • SDG 834-5
  • SDG 841-t6
  • SDG 854-6
g.Fast DPUs All products
GPON, XGS-PON, & Active Ethernet ONUs
  • 300 Series (all generations)
  • 400 Series
  • SDX 600 Series
GPON & XGS-PON Service Delivery Gateways
  • SDG 814-v6
  • SDG 825-v6
  • SDX 822v
hiX All products
Mosaic Cloud Platform Plugins All products
n-Command MSP All products
OPTI Series All products
SDX 6000 Series OLTs All products
SDX 8000 Series Aggregation Switches All products
SmartRG Ethernet Residential Gateways & Mesh APs
  • SE80ac
  • SR400ac
  • SR905ac
  • SR905acv
SmartRG VDSL2 Residential Gateways
  • SR506n
  • SR516ac
  • SR555ac
Total Access 1100 & 1200 Series All products
Total Access 5000 All products
Virtual EPON Controller All products

Mitigating Factors & Recommended Mitigations


Product Family | Mitigating Factors | Recommended Mitigations
--- | --- | ---
ACI-E | N/A | N/A
g.Fast PMAA | N/A | N/A
Mosaic Cloud Platform | N/A | N/A
Mosaic Device Manager | N/A | N/A
Mosaic Home Analytics | N/A | N/A
Plume Cloud | N/A | N/A

Resolution


Product Family | Resolution
--- | ---
ACI-E | ACI-E 7.0.15-220patch01 has been released and removes the JndiLookup class. A release will be provided at the end of January that will include Log4j version 2.17.0 or later.
g.Fast PMAA | PMAA version 1.6.16 removes the JndiLookup class to fully mitigate the vulnerabilities.
Mosaic Cloud Platform | Release 21.5, containing Log4j version 2.17.0, has been released to eliminate any remaining risks. Patch release 21.4 Patch 1 has been released and removes the JndiLookup class. Patch releases 21.2 Patch 4 and 21.3 Patch 1, which remove the JndiLookup class, will also be provided.
Mosaic Device Manager | No customer action is required. As a SaaS product, ADTRAN is applying all necessary patches to resolve the vulnerabilities.
Mosaic Home Analytics | No customer action is required. As a SaaS product, ADTRAN has applied all necessary patches to resolve the vulnerabilities.
Plume Cloud | No customer action is required. Patching was completed on December 12, 2021.
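As an added defender-side check (not ADTRAN's or the Log4j project's code), the following Python script applies the advisory's own criteria to a log4j-core jar: it reads the version from the jar's Maven pom.properties and looks for the JndiLookup class whose removal the resolutions above describe, classifying the jar as patched (2.17.0 or later), mitigated (class stripped from an older build) or vulnerable (which, per the description, still includes 2.16.0). The sample jars produced by build_sample_jar are constructed stand-ins, not real Log4j builds.

```python
import io
import zipfile
from pathlib import Path
# Class whose removal this advisory names as the interim mitigation.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core jars; it carries the version string.
POM_PROPS_ENTRY = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 17, 0)  # release the advisory cites as eliminating remaining risk

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '-alpha1' are dropped."""
    parts = [int(p) for p in text.strip().split("-")[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess_log4j_jar(jar_bytes):
    """Return (version, has_jndi_lookup, verdict) for one log4j-core jar.
    'patched': version >= 2.17.0; 'mitigated': older jar with JndiLookup.class
    stripped; else 'vulnerable' (2.16.0 still lands here: recursive-lookup DoS)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS_ENTRY in names:
            for line in jar.read(POM_PROPS_ENTRY).decode().splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
    has_jndi = JNDI_LOOKUP_ENTRY in names
    if version is not None and version >= FIXED_VERSION:
        verdict = "patched"
    elif not has_jndi:
        verdict = "mitigated"
    else:
        verdict = "vulnerable"
    return version, has_jndi, verdict

def scan_directory(root):
    """Assess every *.jar below root; returns {path: verdict}."""
    return {str(p): assess_log4j_jar(p.read_bytes())[2] for p in Path(root).rglob("*.jar")}

def build_sample_jar(version, include_jndi_lookup):
    """Constructed stand-in for a log4j-core jar (sample data, not a real Log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS_ENTRY, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

if __name__ == "__main__":
    for ver, jndi in (("2.14.1", True), ("2.14.1", False), ("2.16.0", True), ("2.17.0", True)):
        print(ver, "JndiLookup present" if jndi else "JndiLookup removed",
              assess_log4j_jar(build_sample_jar(ver, jndi))[2])
```

Shaded or renamed copies of log4j-core will not carry the pom.properties entry, so a jar with no version but with the JndiLookup class present is still reported as vulnerable.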

Revision History


Revision | Date | Changes
--- | --- | ---
M | 2022-04-06 | Added the SDX 6210-4 as unaffected.
L | 2022-04-01 | Investigations complete.
K | 2022-01-30 | Added Plume Cloud.
J | 2022-01-19 | Added Mosaic Device Manager and Mosaic Home Analytics. Updated the resolution for ACI-E and Mosaic Cloud Platform to reflect the availability of unaffected versions and patches.
I | 2022-01-13 | Added ADTRAN Switch Engine switches, NetVanta 8000 series CE NIDs, FSU 7000 series EPON OLTs, and FSU series EPON ONUs as unaffected products. Updated the resolutions for g.Fast PMAA and Mosaic Cloud Platform.
H | 2021-12-22 | Added Bluesocket APs, Bluesocket vWLAN, and EliteCloud Managed Wi-Fi as unaffected products.
G | 2021-12-21 | Added CVE-2021-45105, additional products, and updated the severity for g.Fast PMAA and Mosaic Cloud Platform to more accurately match CVSS scoring calculations.
F | 2021-12-17 | Added the SDX 6000 Series OLTs and all 300 Series GPON/Active Ethernet ONUs as unaffected.
E | 2021-12-17 | Added additional products.
D | 2021-12-15 | Added additional unaffected products and CVE numbers. Updated the description with the latest information.
C | 2021-12-15 | Added g.Fast DPUs and hiX as unaffected products.
B | 2021-12-14 | Added unaffected products.
A | 2021-12-13 | Initial release.
Last update: 04-06-2022 07:28 PM