** Note, this is an evolving document, so please be advised to check back for updates. Last revised on 21/Dec/2021 at 12:49pm CET **
On Friday, December 10th a new exploit in the “log4j” Java logging framework was reported, that can be easily exploited. This vulnerability is caused by a new feature introduced in log4j 2.x versions where a specific string embedded in messages logged by log4j would be interpreted by log4j to connect to remote sites and execute code directly.
Like many software providers, Guardsquare makes use of the log4j dependency in some of our commercial and open-source products. The table below provides a quick summary of impacted products, the affected version(s), the version where we have updated the log4j dependency to newer versions which are not vulnerable, and any recommended action required if you use an affected product.
ProGuard
Update to most recent versions of ProGuardCORE or ProGuard beta.
ProGuard is only affected at build time, priority of upgrading should be treated similarly to other internal development tools, unless you make use of ProGuardCORE open-source as part of another project with different risk exposure.
| CVE | Affected Version(s) | Fixed Version |
|---|---|---|
| CVE-2021-44228 | ProGuardCORE 8.0.0 ProGuardCORE 8.0.1 ProGuard 7.2.0-beta1 ProGuard 7.2.0-beta2 |
ProGuardCORE 8.0.2 ProGuard 7.2.0-beta3 Released 13/Dec/2021 |
| CVE-2021-45046 | ProGuardCORE 8.0.2 ProGuard 7.2.0-beta3 |
ProGuardCORE 8.0.3 ProGuard 7.2.0-beta4 Released 15/Dec/2021 |
| CVE-2021-45105 | ProGuardCORE 8.0.3 ProGuard 7.2.0-beta4 |
ProGuardCORE 8.0.4 ProGuard 7.2.0-beta5 Released 21/Dec/2021 |
DexGuard
Update to most recent versions of DexGuard based on your risk assessment of the relevant CVEs.
DexGuard only makes use of log4j at build time, priority of upgrading should be treated similarly to other internal development tools that make use of log4j.
| CVE | Affected Version(s) | Fixed Version |
|---|---|---|
| CVE-2021-44228 | 9.1.9 → 9.2.6 | 9.2.7 Released 14/Dec/2021 |
| CVE-2021-45046 | 9.2.7 | 9.2.8 Released 15/Dec/2021 |
| CVE-2021-45105 | 9.2.8 | 9.2.9 Released 20/Dec/2021 |
ProGuard Playground
No action required, AppSweep has been remediated by updating to a newer version of log4j.
| CVE | Affected Version(s) | Fixed Version |
|---|---|---|
| CVE-2021-44228 | N/A | Released 13/Dec/2021 |
| CVE-2021-45046 | N/A | Released 15/Dec/2021 |
| CVE-2021-45105 | N/A | Released 21/Dec/2021 |
AppSweep
No action required, AppSweep has been remediated by updating to a newer version of log4j.
| CVE | Affected Version(s) | Fixed Version |
|---|---|---|
| CVE-2021-44228 | N/A | Released 11/Dec/2021 |
| CVE-2021-45046 | N/A | Released 14/Dec/2021 |
| CVE-2021-45105 | N/A | Released 20/Dec/2021 |
The following Guardsquare products do not use log4j and are not affected by CVE-2021-44228 or CVE-2021-45046:
- Does not impact the iXGuard product which does not rely on Java or the log4j logging framework
- Does not impact the ThreatCast service which does not rely on Java or the log4j logging framework
- Does not impact the Guardsquare Customer Portal, which does not rely on Java or the log4j logging framework
For more information on our products, or advice on upgrading your use of our products, please contact our support team – support@guardsquare.com
Frequently Asked Questions
I am using DexGuard or ProGuard downloaded in my development environment; is it susceptible to CVE-2021-44228 and CVE-2021-45046 and CVE-2021-45105?
When DexGuard or ProGuard are used internally in your development environment, as is usually the case, the risk of exploitability is lower than with a public facing web service that uses log4j. In order to exploit the vulnerability a malicious actor would need to have access to the build system where DexGuard or ProGuard is run to introduce the necessary inputs that trigger this vulnerability. As a result, the exploitability is low and could be further mitigated through additional controls in your software development environment.
Does the use of log4j by DexGuard impact DexGuard at build time only, or build time and run time?
DexGuard only makes use of the log4j component at build time, logging various output of the build/processing steps of DexGuard. Log4j is not used by the protections or libraries of DexGuard at runtime, so your applications protected by DexGuard will not be impacted.
What is the difference between CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105?
CVE-2021-44228 is a critical vulnerability in the Apache Log4j2 logging framework that affects software using Apache Log4j2 <= 2.14.1. It means vulnerable software packages could result in an attacker who can use input to influence log messages and generate parameters that result in execution of arbitrary code loaded from LDAP servers when message lookup substitution is enabled. This presents the greatest risk to internet-facing services and can be mitigated through a variety of controls or remediated by upgrading to Apache Log4j2 2.15.0 or greater.
CVE-2021-45046 is a new vulnerability and is the result of the fix for CVE-2021-44228 in the Apache Log4j 2.15.0 package being incomplete in certain non-default configurations. This could allow crafted malicious input to result in a denial of service (DOS) attack. Like the related CVE this presents greater risk to internet-facing services.
CVE-2021-45105 is a continuation of the log4j vulnerabilities and is the result of prior versions of Apache Log4j2 (2.0-alpha1 through 2.16.0, excluding 2.12.3) not protecting from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.