Apache Log4j vulnerability CVE-2021-44228/CVE-2021-45046 impact on RTI Connext products

[UPDATED: 12 January 2022, added information about CVE-2021-44832]

 

The security and integrity of the systems built using RTI Connext DDS products are of the utmost importance to us. Periodically we will inform you of any newly identified vulnerabilities in our software.

 

Summary

RTI Micro Application Generator versions 1.0.0 and 1.0.1 are affected by the Apache Log4j vulnerabilities CVE-2021-44228/CVE-2021-45046/CVE-2021-45105/CVE-2021-44832. No other RTI product is affected. You can find further details below.

 

Details

In December 2021 the Apache Software Foundation published a series of security advisories for vulnerabilities found in the Java logging library Apache Log4j. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services:

  • Log4j versions 2.0-beta9 through 2.14.1: remote code execution through JNDI lookups in logged data (CVE-2021-44228, CVSS Score: 10.0, Impact: Critical). A remote attacker who can get a crafted string into a log message can take control of the affected system.

  • Log4j versions 2.0-beta9 through 2.15.0: the fix for CVE-2021-44228 in Log4j 2.15.0 was incomplete in certain non-default configurations (CVE-2021-45046). Apache initially rated it CVSS 3.7/Low and later raised it to CVSS 9.0/Critical after it was shown to allow remote code execution in some environments.

  • Log4j versions 2.0-alpha1 through 2.16.0: lack of protection against uncontrolled recursion from self-referential lookups (CVE-2021-45105, CVSS Score: 7.5, Impact: High). An attacker with control over Thread Context Map data can cause a denial of service.

  • Log4j version 1.x: JMSAppender deserializes untrusted data (CVE-2021-4104, CVSS Score: 6.6, Impact: Moderate). A remote attacker can execute code on the server if the deployed application is configured to use JMSAppender with a JMS broker the attacker controls. Log4j 1.x is end-of-life and receives no fix from Apache.

  • Log4j versions 2.0-beta7 through 2.17.0: remote code execution when the configuration uses a JDBC Appender with a JNDI LDAP data source URI and the attacker controls the target LDAP server (CVE-2021-44832, CVSS Score: 6.6, Impact: Moderate). This requires the attacker to be able to modify the logging configuration.

The following table summarizes the versions of Log4j used by RTI products and the impact of these issues on RTI products:

  Log4j version | RTI products using Log4j                                                               | Impact
  --------------|----------------------------------------------------------------------------------------|----------------------
  1.2           | RTI Administration Console, RTI Monitor, RTI Code Generator, RTI Code Generator Server | No
  1.2.15        | Recording Console                                                                      | No
  1.2.16        | Distributed Logger                                                                     | No
  2.11.0        | RTI Micro Application Generator                                                        | Limited - see further^

The products using Log4j 1.2.x are not affected by CVE-2021-4104 because they do not use JMSAppender, and Log4j 1.x is not affected by CVE-2021-44228/CVE-2021-45046/CVE-2021-45105/CVE-2021-44832, which are specific to Log4j 2.

 

^Products affected by CVE-2021-44228/CVE-2021-45046/CVE-2021-45105/CVE-2021-44832

  • RTI Micro Application Generator (MAG) versions 1.0.0 and 1.0.1. Micro Application Generator has been provided to customers as part of the following releases: 

    • RTI Connext Professional 6.0.0 and 6.0.1.

    • RTI Connext Micro 3.0.0, 3.0.1, 3.0.2, and 3.0.3.

Note that RTI Micro Application Generator is a developer tool that runs locally in a controlled and/or protected environment, with a controlled input (an XML file). Once it finishes processing the input file, its execution ends. It is not a service or web application that runs continuously on a server and accepts requests from external users, so exposure is limited to an attacker who can alter the XML input or the configuration files that Micro Application Generator reads.

 

Mitigation

RTI will provide a patch for RTI Micro Application Generator that upgrades its bundled Log4j to version 2.17.1, which addresses all four Log4j 2 issues listed above.

If you are a user of RTI Micro Application Generator, the patch will be available shortly on the RTI Customer Portal; alternatively, contact [email protected] to request access to it. If you are unable to install the patch at this time, consider the following mitigations:

  • Protect the file system where RTI Micro Application Generator runs so that untrusted peers cannot modify the XML input or the Log4j configuration files it reads.

  • Apply the mitigation listed in the Apache advisory for Log4j 2.x: remove the JndiLookup class from the log4j-core jar. Note that this closes CVE-2021-44228 and CVE-2021-45046 only; CVE-2021-45105 and CVE-2021-44832 are addressed by the upgrade to 2.17.1.

If you are not a user of RTI Micro Application Generator, you do not need to take any action.
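The following script is added here as an illustration and is not part of RTI's advisory or any RTI or Apache code. It shows how to inventory log4j-core jars on a host, classify each against the version ranges listed under Details, and apply the JndiLookup class removal that Apache's advisory describes as the mitigation for CVE-2021-44228/CVE-2021-45046. Assumptions: the affected ranges and first-fixed releases are those listed above; the backport fix releases on the 2.3.x and 2.12.x branches (2.3.1, 2.3.2, 2.12.2, 2.12.3, 2.12.4) are taken from Apache's Log4j security page and are not mentioned on this page; the sample jar is a constructed stand-in holding only Maven metadata and a dummy JndiLookup.class, not a real Log4j build, so the script runs offline.

```python
"""Added example (not RTI's or Apache's code): find log4j-core jars under a directory,
classify each against the Log4j 2 CVE ranges from the advisory above, and apply Apache's
JndiLookup-removal mitigation. The sample jar below is constructed, not a real Log4j build."""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# CVE -> (first affected, first fixed release, 2.3.x/2.12.x backport releases carrying the fix).
# Ranges are the advisory's; backport releases are from Apache's Log4j security page (assumed).
CVES = {
    "CVE-2021-44228": ("2.0-beta9", "2.15.0", ("2.3.1", "2.12.2")),
    "CVE-2021-45046": ("2.0-beta9", "2.16.0", ("2.3.1", "2.12.2")),
    "CVE-2021-45105": ("2.0-alpha1", "2.17.0", ("2.3.1", "2.12.3")),
    "CVE-2021-44832": ("2.0-beta7", "2.17.1", ("2.3.2", "2.12.4")),
}
# Deleting JndiLookup.class closes only these two; the other two need the upgrade.
CLOSED_BY_JNDI_REMOVAL = ("CVE-2021-44228", "CVE-2021-45046")

def parse_version(text):
    """'2.11.0', '2.15', '2.0-beta9' -> comparable tuple; pre-releases sort before finals."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", text)
    if not m:
        raise ValueError("unrecognised Log4j version: %r" % text)
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if m.group(4):
        return base + ({"alpha": 0, "beta": 1, "rc": 2}[m.group(4)], int(m.group(5)))
    return base + (9, 0)

def affected_cves(version):
    """Return the CVEs from the table that apply to this log4j-core version."""
    v = parse_version(version)
    hits = []
    for cve, (first, fixed, backports) in CVES.items():
        if not parse_version(first) <= v < parse_version(fixed):
            continue
        # A 2.3.x / 2.12.x build at or past its backport release is already fixed.
        if any(v[:2] == parse_version(b)[:2] and v >= parse_version(b) for b in backports):
            continue
        hits.append(cve)
    return hits

def inspect_jar(path):
    """(version from the bundled pom.properties or None, whether JndiLookup.class is present)."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
        m = re.search(r"^version=(.+)$", props, re.M)
        return (m.group(1).strip() if m else None), JNDI_LOOKUP in names

def scan(root):
    """Walk root and report every log4j-core jar with its version and outstanding CVEs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                version, has_jndi = inspect_jar(path)
            except zipfile.BadZipFile:
                continue
            if version is None:  # not log4j-core (no Maven metadata for it)
                continue
            cves = affected_cves(version)
            if not has_jndi:
                cves = [c for c in cves if c not in CLOSED_BY_JNDI_REMOVAL]
            findings.append({"path": path, "version": version,
                             "jndi_lookup": has_jndi, "cves": cves})
    return findings

def remove_jndi_lookup(path):
    """Apache's mitigation: rewrite the jar without JndiLookup.class
    (same effect as: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class)."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)

def make_sample_jar(directory, version="2.11.0"):
    """Constructed stand-in for log4j-core-<version>.jar: Maven metadata plus a dummy
    JndiLookup.class entry, enough to exercise the checks above (not a real Log4j build)."""
    path = os.path.join(directory, "log4j-core-%s.jar" % version)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return path

def demo():
    """Scan a throw-away tree holding the 2.11.0 sample (MAG's version), mitigate, rescan."""
    with tempfile.TemporaryDirectory() as root:
        jar = make_sample_jar(root)
        before = scan(root)[0]["cves"]
        remove_jndi_lookup(jar)
        return before, scan(root)[0]["cves"]

if __name__ == "__main__":
    before, after = demo()
    print("outstanding before mitigation:", before)
    print("outstanding after JndiLookup removal:", after)
```

Run the file directly to see the outstanding CVEs for a 2.11.0 jar before and after the class removal, or point scan() at a real installation tree to inventory it. The mitigation leaves CVE-2021-45105 and CVE-2021-44832 outstanding, which is why the 2.17.1 patch, not the class removal, is the end state.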

 

Security notification list

To receive future Security Notices from RTI, please join our security notification list, by sending an email to [email protected].

If you have any questions or concerns, do not hesitate to contact [email protected].