Reveal Response to CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 – Apache Log4j Remote Code Execution Vulnerabilities

Reveal has investigated the remote code execution vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832) related to Apache Log4j, a logging library used in many Java-based applications, published throughout December 2021. As the industry at large continues to gain a deeper understanding of the impact of this threat, we will publish technical information to help customers detect, investigate, and mitigate attacks. We will update this article with information and protection details as they become available.

In addition to monitoring the threat landscape for attacks and developing customer protections, our security teams have conducted an investigation of our products and services as they relate to Apache Log4j and have taken quick and decisive action to mitigate risk. Our first and foremost priority is our valued clients, and we will continue taking all necessary steps to ensure transparency and security.


Confidentiality, Integrity, and Availability of Client Data in Reveal’s SaaS 

Reveal does not have any reason to believe that any data has been accessed, modified, or otherwise affected as part of this vulnerability.

Overview of Reveal’s Response

Due to the wide-reaching nature of this vulnerability, Reveal prioritized our response in accordance with overall risk of an affected product or service. We initially focused our mitigation efforts on those products and services that were directly accessible from the public Internet, which could have resulted in attacks performed without needing to authenticate as a legitimate user. Next, we focused on those products and services that were public Internet-facing where exploitation would have required authentication. Lastly, we focused on those vulnerabilities that were not exposed to the public Internet and would have had a lower likelihood of being exploited.

Reveal’s team continues to monitor our products and new information related to these vulnerabilities to ensure our products are as safe and secure as possible for our clients.

Brainspace

Brainspace is the only Reveal software that has public Internet-facing components that use Java. All modern versions of Brainspace make use of affected versions of log4j. Our testing has shown that both authenticated and unauthenticated exposure to CVE-2021-44228 and CVE-2021-45046 is present in all current versions of Brainspace released before December 9, 2021. Our security team has investigated Brainspace’s exposure to CVE-2021-45105 and CVE-2021-44832 and has found no evidence that Brainspace is vulnerable to these issues. Brainspace does not use Context Lookup variables (the vulnerable mechanism in CVE-2021-45105) in any logging configuration file present in the application, and an attacker cannot control or modify the log4j configuration file, which is a requirement for CVE-2021-44832.

Reveal has released patched versions of Brainspace that use log4j 2.16, which is not subject to CVE-2021-44228 or CVE-2021-45046. Brainspace connectors are also impacted, and new connector versions are being released in conjunction with each new version of the Brainspace application. The table below lists the vulnerable version numbers along with the patched version numbers.

Out of an abundance of caution, Reveal has released new versions of Brainspace with log4j 2.17.1 to address CVE-2021-45105 and CVE-2021-44832.

Major Version   Vulnerable Versions   Notes
6.5             <= 6.5.5              Version 6.5.6 (log4j 2.16), available from support
                                      Version 6.5.7 (log4j 2.17.1), available from support
6.4             <= 6.4.1              Version 6.4.2 (log4j 2.16), available from support
                                      Version 6.4.3 (log4j 2.17.1), available from support
6.3             <= 6.3.3              Version 6.3.4 (log4j 2.16), available from support
                                      Version 6.3.5 (log4j 2.17.1), available from support
6.2             All versions          Upgrade to 6.5 required
6.1             All versions          Upgrade to 6.5 required


Immediate Mitigation Strategies for Brainspace On-Premise Clients 

Prior to applying the patched version of Brainspace, we recommend that customers take the following immediate actions to help protect their environments:

Primary Mitigation Technique:

This technique is recommended by Apache and was published as part of the CVE description. At this time, the industry consensus is that this technique alone should mitigate the risk of this vulnerability. As always, a defense-in-depth strategy provides better assurance of mitigation until a patched release is available.

Additional Mitigation Techniques:

These additional techniques can be implemented to provide defense in depth against this vulnerability while our team works to provide patched releases of Brainspace.

  • Implement Web Application Firewall (WAF) rules to block attacks. You will want to work with your security vendor to set these appropriately and continue to monitor and update them as more information becomes known about this vulnerability.
  • Block all outbound traffic from your Brainspace environment unless this traffic is specifically required for business functionality.
  • Block unused API endpoints to limit attack surface area. Please contact Reveal Support at https://support.revealdata.com or support@revealdata.com and a member of our technical team will assist you with this process.

Now that patched versions are available, our team will be reaching out to clients to schedule an upgrade.

Mitigation Tactics for Brainspace in Reveal SaaS 

Reveal has already completed the following steps to mitigate the vulnerability in the Reveal SaaS environment:

  • Implemented Web Application Firewall (WAF) rules that detect attempted attacks and prevent this communication from being sent to our backend servers. (Completed Dec 12)
  • Reveal’s security policy has always required that all traffic into or out of our servers must be restricted using a least-privilege policy. Unless there is a business requirement, no traffic will be allowed into or out of our servers. One of the best strategies for mitigating this vulnerability is by restricting outbound communication with untrusted servers. Reveal has undertaken an effort this weekend to validate that all environments are in alignment with our least-privilege policy. We do not allow outbound traffic to untrusted servers. (Completed Dec 12)
  • Disabled unused API endpoints to narrow the attack surface. (Completed Dec 12)
  • Disabled parts of the log4j software that run on Brainspace servers in our SaaS environment. (Completed Dec 13)

Reveal is currently in process of scheduling upgrades to our environments to apply the patched versions of Brainspace.

Non-Impacted Reveal Software Modules 

Reveal AI does use Java as part of the backend AI pipeline, machine learning, and other AI functions. These functions are not public Internet-facing and do not use the affected log4j libraries.

Neither Reveal Review nor Reveal Processing uses Java, and neither uses the affected log4j software.

Third-Party Software Used in Reveal’s SaaS or as Prerequisites for the Reveal Platform 

Based on Reveal’s initial and thorough investigation, along with public information, we have identified the third-party software products below as being “Impacted” or “Not Impacted.” Please check this section regularly for updates, as this is a fast-moving situation.

Not Impacted: KeyCloak

Reveal uses a third-party platform for providing SAML, OpenID Connect, and other single sign-on authentication services. KeyCloak is required for Reveal Review and Reveal AI (when using Reveal SSO capabilities). KeyCloak is used by SaaS and on-premise clients. KeyCloak is not vulnerable to this log4j vulnerability. 

Impacted: ElasticSearch 

Reveal uses third-party software, ElasticSearch, to provide full-text search capabilities as part of our platform. ElasticSearch is required for Reveal Review in both SaaS and on-premise deployments.

The versions of ElasticSearch supported by the Reveal platform use the vulnerable log4j library. ElasticSearch is not generally exposed to the public Internet but is used by the backend software for Reveal Review.

Reveal has applied an update to our SaaS environment to disable the affected components within the log4j library.

For those with an on-premises installation of ElasticSearch, the mitigation will be to delete the affected class file from the jar. The steps to complete remediation and secure your instance can be found on Apache’s website, https://logging.apache.org/log4j/2.x/security.html. This guidance is similar to our advice for remediating Brainspace. Our support team can help answer any questions that you may have about this process.
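The class-removal step described above, combined with a version check against the four CVEs this page covers, as an added example that is not Reveal’s or Apache’s own code. It assumes the log4j-core version can be read from the jar’s own pom.properties, uses the 2.x mainline fix versions from Apache’s security page (2.15.0, 2.16.0, 2.17.0, 2.17.1), and builds its sample jars in a temporary directory so it runs offline; the 2.3.x and 2.12.x back-port branches are deliberately flagged as affected.

```python
"""Find log4j-core jars under a directory, assess exposure to CVE-2021-44228,
CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832, and apply Apache's
class-removal mitigation. Added example, not Reveal's or Apache's code.
Assumptions: version comes from log4j-core's pom.properties inside the jar;
fix versions are the 2.x mainline ones; sample jars below are constructed."""
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# CVE -> first 2.x mainline version in which it is fixed (Apache security page).
FIXED_IN = [
    ("CVE-2021-44228", (2, 15, 0)),
    ("CVE-2021-45046", (2, 16, 0)),
    ("CVE-2021-45105", (2, 17, 0)),
    ("CVE-2021-44832", (2, 17, 1)),
]


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a suffix such as '-beta9' is ignored."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))


def affected_cves(version):
    """CVE ids whose fix version is newer than the installed version."""
    return [cve for cve, fixed in FIXED_IN if version < fixed]


def inspect_jar(path):
    """Return a finding for a log4j-core jar, or None for any other jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM_PROPS not in names:
            return None
        version = None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1])
    if version is None:
        return None
    return {"path": path, "version": version,
            "jndi_lookup_present": JNDI_CLASS in names,
            "cves": affected_cves(version)}


def scan_tree(root):
    """Inspect every .jar under root; returns the list of log4j-core findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".jar"):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return findings


def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (Apache's class-removal mitigation).
    zipfile cannot delete in place, so every other entry is copied to a temporary
    archive that then replaces the original. Returns True if the class was removed."""
    tmp = path + ".tmp"
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)
    return removed


def build_sample_jar(path, version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar: real layout, placeholder bytes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Scan two constructed jars, mitigate the affected one, then rescan."""
    root = tempfile.mkdtemp()
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    build_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    before = scan_tree(root)
    for f in before:
        if f["jndi_lookup_present"] and f["cves"]:
            remove_jndi_lookup(f["path"])
    return {"before": before, "after": scan_tree(root)}


if __name__ == "__main__":
    for stage, findings in demo().items():
        for f in findings:
            print(stage, os.path.basename(f["path"]), ".".join(map(str, f["version"])),
                  "JndiLookup present" if f["jndi_lookup_present"] else "JndiLookup removed",
                  ",".join(f["cves"]) or "no affected CVEs")
```

Note that removing JndiLookup.class only closes the JNDI lookup path; the jar still reports its original version, so the rescan still lists the version-based CVEs. Treat the class removal as the interim step this page describes and the upgrade table above as the actual fix. Run the scanner with the service stopped, since rewriting a jar under a running JVM can leave it in an inconsistent state.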

Future releases of Reveal Review will support the most current releases of ElasticSearch that will use the most up-to-date versions of the log4j library.

Not Impacted: CrushFTP – files.revealdata.com / files-XX.revealdata.com 

Reveal uses a third-party product, CrushFTP, to offer SFTP and file transfer services to clients in our SaaS. CrushFTP is not vulnerable to this log4j vulnerability.

Ongoing Investigation

Investigation and mitigation efforts are ongoing. Please check this page often for information that may have changed. Our team will be working diligently to pass along information as it becomes available. Please contact your Sales representative or Customer Success Manager if you have any questions or concerns.

Background of Log4j


The vulnerability, tracked as CVE-2021-44228 and referred to as “Log4Shell,” affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1. Log4j 2 is a Java-based logging library that is widely used in business system development, included in various open-source libraries, and directly embedded in major software applications. The scope of impact has expanded to thousands of products and devices, including Apache products such as Struts 2, Solr, Druid, Flink, and Swift. Because the vulnerability is in a Java library, the cross-platform nature of Java means it is exploitable on many platforms, including both Windows and Linux. As many Java-based applications can leverage Log4j 2, organizations should contact application vendors or ensure their Java applications are running the latest version. Developers using Log4j 2 should incorporate the latest version of Log4j into their applications as soon as possible in order to protect users and organizations.

(Published: 11 January 2022)