| Third-party Component |
CVE ID |
Summary of Vulnerability |
Reason why Product is not Vulnerable |
Date Determined False Positive |
| JMSAppender |
CVE-2021-4104 |
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. |
Describe the steps to address the issue.
- Log4j.xml is the configuration file which has appender details. This file has write permission for C4 user only, and other users have read permission. C4 user is not used for login through SSH. For accessing and editing this file attacker must have the password for C4 user which is difficult to get.
- This Vulnerability is related to JMS Appender, JMS Appender are used to send the formatted log event to a JMS Destination.
- eNAS does not have JMS configured and consumed in code.
Hence, we concluded that we are not vulnerable for this CVE. |
1/4/2022 |
| SocketServer |
CVE-2019-17571 |
In Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely run arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. |
- SocketServer class requires configuration to be done for setting up socket between the servers. This setup and configurations do not come configured by default for Log4j bundle.
- For eNAS product, we do not configure, setup and consume SocketServer class.
Hence, we concluded that we are not vulnerable for this CVE. |
1/4/2022 |
| SMTP Appender |
CVE-2020-9488 |
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages that are sent through that appender. |
- Code does not consume the SMTPAppender class.
- We removed this class from the Log4j jar files and checked the UI.
- We also see that SMTP requires configuration which by default is not enable.
- This CVE has low score and impact.
- For attacker to extract the details, they have to be Man-In-Middle (which requires the access to root), to acquire access to root is not easy for eNAS product.
|
2/17/2022 |
| JMSSink |
CVE-2022-23302 |
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. |
- JMSSink is a simple application that consumes logging events that are sent by a JMSAppender.
- In eNAS, we do not consume JMSAppender for logging.
- This flaw only affects applications which are specifically configured to use JMSSink, which is not the default in eNAS.
- For eNAS the Log4j conf file has write permission only for root user. As in both the products, the Log4j config file is not having world write permission. It is difficult for attacker to modify this file.
- We have also evaluated the code and found that JMSSink appender is not consumed in the code.
- However, to further be sure, we removed this class from our jar file and validated the UI and logging functionality. We could not observe any visible effect post class removal.
|
2/17/2022 |
| JDBCAppender |
CVE-2022-23305 |
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be run. |
- The JDBCAppender is used for sending log events to a database.
- By default the log4j.xml file does not have JDBC configured. For using the JDBCAppender, separate configurations are required to be done.
- JDBCAppender class is not consumed in code for eNAS.
- As JDBCAppender class is not consumed, the vulnerability that is related with its usage does not affect the product.
|
2/17/2022 |
| Apache Chainsaw |
CVE-2022-23307 |
A deserialization issue is present in Apache Chainsaw. |
- Chainsaw is a supporting application for Log4j. It is a GUI-based log viewer that can read log files in Log4j’s XMLLayout format.
- By default, it listens for LoggingEvent objects sent using the SocketAppender and displays them in a table. The events can be filtered based on Level, Thread name, Logger, Message, and NDC.
- Log4j is not configured to use Chainsaw by default. No separate configurations have been made to configure ChainSaw to be used in eNAS.
- For eNAS, the code does not consume Chainsaw APIs.
- Apache Chainsaw listens to the logging objects sent on SocketAppender, but eNAS does not have SocketAppender configured.
- By default SocketAppender is not enabled for Log4j and requires explicit configuration for its usage.
|
2/17/2022 |