RedSeal Response to Log4j Vulnerability
Dear Customer,
The purpose of this message is to outline the steps you can take using your RedSeal system to:
- Get the list of hosts and devices that have the Log4j vulnerability
- This list can be exported into a ticketing system or provided as a spreadsheet to your mitigation teams
- Gain visibility into the access from and to Untrusted Sources to the vulnerable hosts and devices
- Use the actionable insights to put in place compensating controls to mitigate the risk
RedSeal is aware of the recent vulnerabilities related to Log4j, and RedSeal Classic software is not vulnerable. Please contact our RedSeal support at support@redseal.net if you have more questions.
This note applies to customers using RedSeal and importing vulnerability data into RedSeal from scanners and the customer.
Prerequisites:
- Updated the scan vendor’s product so that the Scan Library includes the Log4j Vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-4104
- Completed either a partial scan, or ideally a “Full Scan” of the network
- Downloaded the latest RedSeal TRL that includes the above-mentioned vulnerabilities
- This was published on the RedSeal Support site on 12-17-2021 at 2pm Pacific Standard Time
- Perform a Data Collection task on your Scanner
- Run RedSeal analysis
These Steps show the processes to identify vulnerable hosts and devices, and then show Untrusted Source access to hosts and devices, and also the access from the hosts and devices to an untrusted destination. This is important in being able to prioritize your mitigation efforts.
The Methodology is called Discover Investigate and Act. In the case of Log4j: Discover infected devices and host, Investigate access paths to and from untrusted areas, and then provide data to immediately Act upon.
Update from December 15, 2021:
This note is the second update related to the Log4j vulnerability and impact on the RedSeal Classic product.
RedSeal is aware of the two additional vulnerabilities (CVE-2021-45046 and CVE-2021-4104) impacting the Apache Log4j utility reported on December 14, 2021. We have analyzed both disclosures, but neither changes the conclusions as per our message on December 13, 2021. All versions of RedSeal Classic are not vulnerable to the three reported CVEs.
As a proactive measure, RedSeal will be upgrading the Log4j beginning RedSeal 9.5.3 and forward and send additional communication via email and post updates on the RedSeal support portal.
If you have further questions, please contact RedSeal support at support@redseal.net.
Original Message December 13, 2021:
RedSeal is aware of the recent vulnerability (CVE-2021-44228) impacting the Apache Log4j2 utility reported on December 10, 2021. Log4j2 is a popular open-source, Java-based logging framework commonly incorporated into Apache web servers and many other java applications.
In all versions of RedSeal, the JDK environment ships with a default setting that prevents exploitation of the above-reported vulnerability. External research by CrowdStrike and others indicate that certain JDK’s include a setting that prevents exploitation, and RedSeal Classic is built on one of the improved JDK versions.
RedSeal engineering is continuing further testing and evaluation and will be communicating if there are any further steps customers should take on RedSeal support portal.
If you have further questions, please contact RedSeal support at support@redseal.net.