Evaluation of the Log4J / CVE-2021-44228 vulnerability

Announcements
, , , ,
1

Evaluation of the Log4J / CVE-2021-44228 vulnerability

Copyright (c) 2021 OpenLink Software support@openlinksw.com
Date: Mon Dec 13 2021

Introduction

CVE-2021-44228, also known as the Log4Shell 0-day vulnerability, is the name given to a critical zero-day vulnerability that surfaced last Friday, December 10, 2021, when it was exploited in the wild in remote-code compromises.

Here is a brief description of the vulnerability courtesy of the Juniper Threat labs:

image

In this document we will document whether any OpenLink Software products are vulnerable and, if so, how the threat can be mitigated.

OpenLink Universal Data-Acces (UDA)

OpenLink Universal Data-Access Multi-tier components

All UDA Multi-tier components, such as the Request Broker, the Multi-tier Database agents, the Admin Assistant and the Multi-tier ODBC driver, are written in C, and therefore, they are not affected by this bug.

Our logging method does not allow for fetching and executing arbitrary payload from a remote service which is the root cause of this vulnerability.

OpenLink Universal Data-Access Single-tier components

All UDA single-tier drivers are written in C and therefore not vulnerable.

Our logging method does not allow for fetching and executing arbitrary payload from a remote service which is the root cause of this vulnerability.

OpenLink Universal Data-Acces JDBC Drivers

The UDA JDBC drivers do not use the Log4J API, and are not vulnerable to this style of attack.

NOTE: A third party Java application using the above driver could be installed with, or use a broken version of, the Log4J API. You should check with the vendor of that application to make sure it is not vulnerable.

OpenLink Universal Data-Access JDBC Bridges

The JDBC Bridges are not vulnerable to this type of attack, as they use our internal logging code which does not allow for fetching and executing arbitrary payload from a remote server/service.

NOTE: A third party JDBC driver, that itself uses a broken version of the Log4J API, could be vulnerable. You should check with the vendor of that driver to make sure it is not vulnerable.

OpenLink Virtuoso

The following paragraphs are relevant for all releases of both Commercial and Open Source versions of Virtuoso.

OpenLink Virtuoso Engine

The Virtuoso Engine is written in C and uses our own logging API which does not allow for fetching and executing arbitrary payload from a remote server/service.

Virtuoso ODBC drivers

The Virtuoso ODBC drivers are written in C and use our own logging API which does not allow for fetching and executing arbitrary payload from a remote server/service.

Virtuoso JDBC drivers

The Virtuoso JDBC drivers do not use the Log4J API, and are not vulnerable to this style of attack.

NOTE: A third party Java application using the above driver could be installed with, or use a broken version of, the Log4J API. You should check with the vendor of that application to make sure it is not vulnerable.

Virtuoso Jena, Sesame, and RDF4J providers

These providers do not use the Log4J API, and are not directly vulnerable to this style of attack.

NOTE: A Java application using any of the above frameworks could be installed with, or use a broken version of, the Log4J API, and therefore could be vulnerable. You should check with the vendor of that application to make sure it is not vulnerable.

Cloud images

Virtuoso Docker images

We scanned the packages installed on our Docker images and none of them install a version of the broken log4j.jar or log4j2.jar file or any of the packages flagged by RedHat or Ubuntu as being vulnerable.

Virtuoso PAGO and BYOL images on EC2 and Azure

We scanned the packages installed on our EC2 and Azure images and non of them have a version of the log4j.jar or log4j2.jar file installed, or any of the packages flagged by RedHat or Ubuntu as being vulnerable.

OpenLink DBpedia images on EC2 and Azure

We scanned the packages installed on our EC2 and Azure images and none of them have a version of the log4j.jar or log4j2.jar file installed, or any of the packages flagged by RedHat or Ubuntu as being vulnerable.

OpenLink Data Junction Box

We scanned the packages installed on our EC2 and Azure images and none of them have a version of the log4j.jar or log4j2.jar file installed, or any of the packages flagged by RedHat or Ubuntu as being vulnerable.

See Also: