2021-12-10 09:01 PM - edited 2022-01-07 08:45 PM
RSA has been made aware of several vulnerabilities affecting Apache Log4j2.
Recent Log4j2 disclosures:
Log4j2 is an open-source Java-based logging utility used in enterprise and cloud applications. An attacker could use this vulnerability to take control of affected systems. We are reviewing the impact to our products.
The following components are not vulnerable to the recent Log4j2 disclosures and are not affected:
We are continuing to review, analyze and monitor our components to ensure that there is no impact.
SecurID recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability. Software changes, including security updates, are carefully evaluated for impact to overall system reliability.
Third-Party Embedded Components:
The following components included a third-party update which is not used, but contained an embedded version of Log4j2 version 2.11:
This embedded version of Log4j2 version 2.11 is neither used nor exploitable as confirmed by our third-party vendor, though vulnerability scanners may identify the library as vulnerable. We are evaluating vendor recommendations on the removal of these unused libraries as an interim measure. We will evaluate and incorporate updates as received from our vendors.
All components and packaged products listed above utilize a Java Runtime Environment (JRE) that has mitigations against this and other attacks.
SecurID Developed Components:
Components developed by SecurID do not utilize any of the Log4j2 libraries (i.e., no log2j version 2.x libraries are included).
SecurID Cloud Authentication Service
No log4j interfaces of any version are used in the product. The component is based on a different logging framework core.
SecurID Authentication Manager
This component utilizes a SecurID internally maintained and supported version of a log4j 1.2.x library separate and distinct from the Apache branch. This is a SecurID internal, special-purpose implementation and has no known, exploitable vulnerabilities.
SecurID Governance and Lifecycle
This component utilizes specific interfaces in a publicly available version of a log4j 1.2.x library. Only basic logging interfaces are utilized. The vulnerable classes are not used by the solution and the solution does not provide external access to the logging configuration.
Frequently Asked Questions:
Q: What should I do if I've already applied SecurID Authentication Manager 8.6 Patch 1?
This version is not vulnerable to this issue. This version contains several critical security updates.
Q: What if I am using SecurID G&L: Data Reach?
This component is not vulnerable to this issue.
Q: Is RSA Access Manager vulnerable?
The RSA Access Manager component is not vulnerable to this issue. Primary support for RSA Access Manager has ended, with Extended Support Level 2 available. Please refer to the Product Version Life Cycle for more information.
Q: What if I have an Integrated Dell Remote Access Controller (iDRAC) on my appliance?
This component is not vulnerable to this issue. Please refer to the Dell response to the Apache Log4j remote code execution vulnerability (CVE-2021-44228).
Q: What about other Log4j defects?
As of this advisory, none of the above listed components have outstanding, unmitigated vulnerabilities related to Log4j.
The following table summarizes prior Log4j issues:
|CVE and Summary||CVSSv3||Technical Details|
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data.
|9.8||No SecurID components utilize the affected SocketServer class.|
Improper validation of certificate with host mismatch in Apache Log4j “SmtpAppender” class.
|3.7||No SecurID components utilize the affected SmtpAppender class. AM custom version does not contain the vulnerable class.|
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write-access to the Log4j configuration.
|8.1||No SecurID components utilize the affected JMSAppender class. Requires the threat-actor have root privilege (i.e., write access to server files).|
We are continuing to monitor these vulnerabilities. As we continue to review, RSA systems will be updated with the latest indicators of compromise (IOCs) and will continuously monitor any use of this software in our environments.
This page will be updated with relevant information as RSA deems necessary. Please check back regularly for more information or direct specific concerns to your RSA Account Manager and/or RSA Customer Support representative.
Read and use the information in this RSA Customer Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact RSA Customer Support. RSA Security LLC and its affiliates distribute RSA Customer Advisories in order to bring to the attention of users of the affected RSA products important product information.
RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement.
In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.