Apache Log4j vulnerability CVE-2021-44228/CVE-2021-45046 impact on RTI Connext products

[UPDATED: 28 January 2022, added information about CVE-2022-23302, CVE-2022-23305, CVE-2022-23307, and updated the CVSS scores with the latest information]


The security and integrity of the systems built using the RTI Connext DDS products is of the utmost importance to us. Periodically we will inform you of any newly identified vulnerabilities in our software.


Summary

RTI Micro Application Generator versions 1.0.0 and 1.0.1 are affected by the Apache Log4j vulnerability CVE-2021-44228/CVE-2021-45046/CVE-2021-45105/CVE-2021-44832. No other RTI product is affected. You can find further details below.


Details

The Apache Software Foundation released a security advisory to address several vulnerabilities found in the Java logging library Apache Log4j. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services:

  • In Log4j versions 2.0-beta9 to 2.14.1: Remote code execution vulnerability (CVE-2021-44228, CVSS Score: 10, Impact: Critical). A remote attacker could exploit this vulnerability to take control of an affected system.

  • In Log4j versions 2.0-beta9 to 2.15: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations (CVE-2021-45046, CVSS Score: 3.7, Impact: Low).

  • In Log4j versions 2.0-alpha1 through 2.16.0: Lack of protection from uncontrolled recursion from self-referential lookups (CVE-2021-45105, CVSS Score: 5.9, Impact: Medium). This allows an attacker with control over Thread Context Map data to cause a denial of service.

  • In Log4j versions 2.0-beta7 through 2.17.0: These versions are vulnerable to a remote code execution attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server (CVE-2021-44832, CVSS Score: 6.6, Impact: Medium).

  • In Log4j version 1.x: JMSAppender is vulnerable to deserialization of untrusted data (CVE-2021-4104, CVSS Score: 7.5, Impact: High). This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to connect to the attacker's JMS broker.

  • In Log4j versions 1.x: JMSSink is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to (CVE-2022-23302, CVSS Score: 8.8, Impact: High).

  • In Log4j versions 1.2.x: A SQL injection flaw in JDBCAppender allows the data being logged to modify the behavior of the component (CVE-2022-23305, CVSS Score: 9.8, Impact: Critical).

  • In Log4j versions 1.2.x: Deserialization issue present in the Apache Chainsaw component that was included as part of Log4j 1.2.x (CVE-2022-23307, CVSS Score: 9.8, Impact: Critical).

The following table summarizes the versions of Log4j used by RTI products and the impact of these issues on RTI products:

Log4j version | RTI Products using Log4j | Impact
1.2 | RTI Administration Console, RTI Monitor, RTI Code Generator, RTI Code Generator Server (All versions) | No*
1.2.15 | Recording Console (Version 5.2.0 and below) | No*
1.2.16 | Distributed Logger (All versions) | No*
2.11.0 | RTI Micro Application Generator (Versions 1.0.0 and 1.0.1) | Limited - see further^

*These products are not affected by CVE-2019-17571/CVE-2021-4104/CVE-2022-23302/CVE-2022-23305/CVE-2022-23307 as we do not use the affected components. These products are not affected by CVE-2021-44228/CVE-2021-45046/CVE-2021-45105/CVE-2021-44832.


^Products affected by CVE-2021-44228/CVE-2021-45046/CVE-2021-45105/CVE-2021-44832

  • RTI Micro Application Generator (MAG) versions 1.0.0 and 1.0.1. Micro Application Generator has been provided to customers as part of the following releases: 

    • RTI Connext Professional 6.0.0 and 6.0.1.

    • RTI Connext Micro 3.0.0, 3.0.1, 3.0.2, and 3.0.3.

Note that RTI Micro Application Generator is a tool used by developers in a local and/or protected environment, with a controlled input (an XML file). Once the application finishes processing the input file, its execution concludes. RTI Micro Application Generator is neither a service nor a web application that runs continuously on a server and to which external users can send requests.


Mitigation

RTI has released patches for RTI Micro Application Generator using Log4j version 2.17.1: 

  • For users of Connext Professional 6.0.1: Patch version 6.0.1.28
  • For users of Connext Micro 3.0.3: Patch version 3.0.3.28

If you are a user of RTI Micro Application Generator, and do not see patch 6.0.1.28 on the RTI Customer portal, contact support@rti.com to request access. If you are unable to install a patch at this time, please consider the following mitigations: 

  • Protect the file system where RTI Micro Application Generator runs so untrusted peers cannot inject malicious modifications to the configuration files used by RTI Micro Application Generator.

  • Apply the mitigation listed in the Apache report
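The version ranges listed under Details and the class-removal workaround from Apache's advisory can be checked mechanically on an installation. The following script is an added example written for this notice; it is not RTI's or Apache's code. It reads the version declared in a log4j-core jar's Maven pom.properties (assumed to be at the standard path inside the jar), maps that version onto the affected ranges quoted above, and reports whether the JndiLookup class, which Apache's published 2.x mitigation deletes from log4j-core, is still present. The sample jars it builds are constructed stand-ins for demonstration, not real Log4j artifacts.

```python
"""Added example (not RTI's code): inspect jars for Log4j version, map the
version onto the affected ranges quoted in the advisory, and check whether
the JndiLookup class (the one Apache's 2.x mitigation removes) is present."""
import os
import re
import tempfile
import zipfile

# Standard Maven metadata path inside log4j-core jars (assumed present, as in
# the Apache-built artifacts).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class that Apache's published 2.x workaround deletes from log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_STAGE = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release stages sort before final (3)


def parse_version(text):
    """Turn '2.0-beta9', '2.15' or '1.2.16' into a sortable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    stage = _STAGE[m[4]] if m[4] else 3
    return (int(m[1]), int(m[2]), int(m[3] or 0), stage, int(m[5] or 0))


def affected_cves(version):
    """CVEs whose affected version range (as listed in the advisory) contains
    `version`. For the 1.x entries this is only the version condition: actual
    exposure also depends on whether the named appender/component is used."""
    v = parse_version(version)

    def between(lo, hi):
        return parse_version(lo) <= v <= parse_version(hi)

    checks = [
        ("CVE-2021-44228", between("2.0-beta9", "2.14.1")),
        ("CVE-2021-45046", between("2.0-beta9", "2.15.0")),
        ("CVE-2021-45105", between("2.0-alpha1", "2.16.0")),
        ("CVE-2021-44832", between("2.0-beta7", "2.17.0")),
        ("CVE-2021-4104", v[0] == 1),          # JMSAppender, 1.x
        ("CVE-2022-23302", v[0] == 1),         # JMSSink, 1.x
        ("CVE-2022-23305", v[:2] == (1, 2)),   # JDBCAppender, 1.2.x
        ("CVE-2022-23307", v[:2] == (1, 2)),   # Chainsaw, 1.2.x
    ]
    return [cve for cve, hit in checks if hit]


def inspect_jar(path):
    """Report the Log4j version declared in a jar and whether JndiLookup is still inside."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {
        "path": path,
        "version": version,
        "jndi_lookup_present": JNDI_LOOKUP in names,
        "cves": affected_cves(version) if version else [],
    }


def scan_directory(root):
    """Inspect every .jar under `root`; one report dict per jar, sorted by path."""
    reports = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                reports.append(inspect_jar(os.path.join(dirpath, name)))
    return sorted(reports, key=lambda r: r["path"])


def build_sample_jar(directory, version, with_jndi_lookup):
    """Constructed sample: a minimal fake log4j-core jar for offline demonstration only."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return path


def demo_scan():
    """Build two constructed jars (the 2.11.0 that MAG 1.0.x ships, and the
    2.17.1 the patch ships) and scan them; returns the report list."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(tmp, "2.11.0", with_jndi_lookup=True)
        build_sample_jar(tmp, "2.17.1", with_jndi_lookup=False)
        return scan_directory(tmp)


if __name__ == "__main__":
    for report in demo_scan():
        print(report["version"], report["jndi_lookup_present"], report["cves"])
```

Point scan_directory at an installation's lib directory. A 2.x version inside the CVE-2021-44228 range with jndi_lookup_present still True means neither the patch nor Apache's class-removal workaround has been applied; for the 1.x rows of the table above, a listed CVE only matters if the named appender or component is actually configured.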

If you are not a user of RTI Micro Application Generator, you don't need to take any action.


Security notification list

To receive future Security Notices from RTI, please join our security notification list by sending an email to security@rti.com.

If you have any questions or concerns, do not hesitate to contact support@rti.com.