Asgardeo’s Response to the Log4j2 Zero-Day Vulnerability
- Nilmini Perera
- Senior Technical Writer - WSO2
A zero-day vulnerability was recently disclosed in Log4j2 core (CVE-2021-44228), which could allow attackers to compromise systems through remote code execution.
Here’s a quick recap on how Asgardeo responded to this vulnerability to ensure that all its environments and users are safe.
WSO2 was notified of this vulnerability on December 10, 2021. We immediately performed a detailed analysis of our environments, and by December 13, 2021 we had ensured that Asgardeo is safe from this vulnerability.
While working on CVE-2021-44228, we also identified the follow-up exploits CVE-2021-45046 and CVE-2021-45105. We have responded to these new vulnerabilities and already taken measures to mitigate any threat.
Impact on Asgardeo
Let’s look at what these Log4j2 vulnerabilities mean for Asgardeo and its users. Log4j2 is a Java-based logging framework that is used extensively for logging in Asgardeo. These logs are used for monitoring, debugging, and analytics.
There is no evidence that Asgardeo is compromised by these vulnerabilities. However, as instructed by the WSO2 security and compliance team, we took all the measures described below to avoid the possibility of any kind of compromise.
How We Have Responded
Our first priority was to take sufficient measures to prevent the possibility of an immediate attack. We took the following steps within a few hours:
- We first analyzed all the Log4j2 versions used in Asgardeo’s cloud components.
- We then upgraded Log4j2 to version 2.16 wherever possible, and removed the vulnerable JndiLookup class from the Log4j2 core JAR in components that could not yet be upgraded to 2.16 (this is also recommended in the Log4j2 security instructions).
We have tested and confirmed the solutions explained above and ensured that all functionalities are working as intended.
As a part of this effort, we will eventually migrate all components in Asgardeo to Log4j2 version 2.17.
CVE-2021-45046 was discovered after initially migrating Log4j2 versions in Asgardeo to 2.15.0. This vulnerability is also mitigated in Asgardeo as we have now upgraded the Log4j2 versions to 2.16.0 wherever possible. Further, we have removed the JndiLookup class from the Log4j2 core JAR in the components that are still not upgraded to version 2.16.0.
Please note that we are also aware of CVE-2021-45105, which affects Log4j2 version 2.16. We have already analyzed this vulnerability and confirmed that components of Asgardeo are not affected. However, as explained above, we are already working on upgrading all components in Asgardeo to Log4j2 version 2.17, in which CVE-2021-45105 is fixed.
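The steps above (inventorying the Log4j2 versions in use, classifying each against the three CVEs, and stripping the JndiLookup class from log4j-core JARs that cannot yet be upgraded) can be scripted. The following is an added example, not WSO2 or Asgardeo code. It assumes the standard Maven `pom.properties` path inside `log4j-core`, uses the fixed-in versions 2.15.0, 2.16.0 and 2.17.0 for the three CVEs, and, as a simplification, ignores the 2.3.x and 2.12.x backport releases. The sample JAR it builds is a constructed stand-in containing only the entries the scanner inspects, not real bytecode.

```python
"""Inventory log4j-core JARs and apply the JndiLookup-removal mitigation.

Added example (not Asgardeo/WSO2 code). Assumptions: Maven pom.properties
path inside the JAR, fixed-in versions per the three CVEs named in the post,
and the 2.3.x / 2.12.x backport releases are ignored for simplicity.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

# CVE -> first Log4j2 2.x release that fixes it. Versions below are flagged.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
}


def parse_version(text):
    """Extract (major, minor, patch) from a version string or file name."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def log4j_core_version(jar_path):
    """Prefer the version recorded in pom.properties; fall back to the file name."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPERTIES in zf.namelist():
            for line in zf.read(POM_PROPERTIES).decode().splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1])
    return parse_version(Path(jar_path).name)


def applicable_cves(version):
    """Return the CVEs from the post that a given 2.x version is still exposed to."""
    if version is None or version[0] != 2:
        return []
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def remove_jndi_lookup(jar_path):
    """Rewrite the JAR without JndiLookup.class (zipfile cannot delete in place).

    Returns True if the class was present and removed, False otherwise.
    """
    path = Path(jar_path)
    buf = io.BytesIO()
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))  # keeps per-entry metadata
    if removed:
        path.write_bytes(buf.getvalue())
    return removed


def assess(jar_path):
    """One inventory record per JAR: version, outstanding CVEs, JndiLookup presence."""
    version = log4j_core_version(jar_path)
    return {
        "version": version,
        "cves": applicable_cves(version),
        "jndi_lookup_present": has_jndi_lookup(jar_path),
    }


def build_sample_jar(directory=None, version="2.14.1"):
    """Constructed stand-in for log4j-core with only the entries the scanner reads."""
    directory = directory or tempfile.mkdtemp()
    path = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return path


if __name__ == "__main__":
    jar = build_sample_jar()
    print("before:", assess(jar))
    remove_jndi_lookup(jar)
    print("after: ", assess(jar))
```

Removing the class only neutralises the JNDI lookup path (CVE-2021-44228 and CVE-2021-45046); a JAR that still reports CVE-2021-45105 in its inventory record needs the 2.17 upgrade the post describes, which is why the script reports the version and the class presence separately rather than collapsing them into one verdict.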
Together with the security and compliance team of WSO2, we continue to monitor the situation to identify any further implications of these Log4j2 vulnerabilities.