This security advisory provides customers with an update on how Netsweeper services are affected by the Apache Log4j vulnerability (CVE-2021-44228). This vulnerability has been referred to as Log4Shell by some outlets.
What is this vulnerability?
A Remote Code Execution (RCE) vulnerability was discovered in the popular Java logging library, Log4j. This industry-wide security vulnerability allows for an unauthenticated adversary to execute code on systems that have this library deployed, by providing specific crafted content. This is a serious vulnerability that affects many software products and online services.
How does this vulnerability affect Netsweeper?
Netsweeper utilizes Apache Log4j in a subset of its products (Directory Sync, Setup Wizard). This vulnerability was revealed on Thursday, December 9, 2021. We are actively monitoring this issue.
In response, we activated our incident response process and immediately investigated the use of Log4j across Netsweeper products. As a result:
- We identified and triaged all Log4j deployments in all our products and have confirmed that the versions of Log4j in use do not exhibit the documented vulnerability.
- Where possible, we have also mitigated this vulnerability by deploying rules to block malicious exploitation. However, we recognize these rules are not 100% effective and they are only a secondary level of mitigation.
- We are continuing to monitor this issue and will determine whether additional action is required.
What actions should I take?
- Users of Netsweeper services do not need to take any action at this time.
- Users of custom products developed under Professional Services agreements are responsible for their own security updates, but should review their agreement as appropriate, and validate use of the Log4j component if one exists.
- We also strongly recommend that customers evaluate their own use of the Apache Log4j logging library in conjunction with our products, in any custom applications or integrations they may have developed or deployed.
- If use of a vulnerable version is identified, we strongly recommend upgrading to the fixed version provided by the Apache Software Foundation, or implementing a vendor-recommended mitigation.
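One way to carry out the "validate use of the Log4j component" step above, as an added example that is not Netsweeper's code: a POSIX shell check that inventories Log4j 2 core JARs under a directory tree and flags versions affected by CVE-2021-44228. It assumes the standard Maven file naming `log4j-core-<version>.jar`; the fix threshold (2.15.0, with the 2.12.2 and 2.3.1 back-ports for older Java) comes from Apache's release notes, not from this advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): find log4j-core JARs and report
# whether their version is affected by CVE-2021-44228.
# Assumption: JARs use the Maven name "log4j-core-<version>.jar"; shaded or
# renamed archives that embed Log4j are not detected by this filename check.

# Returns 0 (true) when a Log4j version is affected by CVE-2021-44228:
# any 2.x release below 2.15.0, except the 2.12.2 (Java 7) and 2.3.1 (Java 6)
# back-ports. Log4j 1.x does not contain the affected lookup code path.
log4j_version_affected() {
  v="$1"
  major=$(printf '%s' "$v" | cut -d. -f1)
  minor=$(printf '%s' "$v" | cut -d. -f2 | sed 's/[^0-9].*//')
  patch=$(printf '%s' "$v" | cut -d. -f3 | sed 's/[^0-9].*//')
  [ "$major" = "2" ] || return 1
  [ "$minor" = "12" ] && [ "${patch:-0}" -ge 2 ] && return 1
  [ "$minor" = "3" ] && [ "${patch:-0}" -ge 1 ] && return 1
  [ "${minor:-0}" -lt 15 ]
}

# Walk a directory tree and print one line per log4j-core JAR:
# "AFFECTED <version> <path>" or "OK <version> <path>".
scan_log4j_jars() {
  root="$1"
  find "$root" -type f -name 'log4j-core-*.jar' 2>/dev/null | while read -r jar; do
    base=$(basename "$jar" .jar)
    version=${base#log4j-core-}
    if log4j_version_affected "$version"; then
      echo "AFFECTED $version $jar"
    else
      echo "OK $version $jar"
    fi
  done
}

# Usage: sh log4j-check.sh /path/to/install  (scans only when a path is given)
if [ $# -gt 0 ]; then
  scan_log4j_jars "$1"
fi
```

Uber-JARs that bundle Log4j classes under another name are not caught by this filename check; inspect those archives' contents separately.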
Where can I find more information?
Additional information on this vulnerability can be found here:
- Apache Software Foundation: Apache Log4j Security Vulnerabilities
- National Vulnerability Database: CVE-2021-44228