Log4j Threat Alert

Ian Reay

December 14, 2021

Log4J has issued a level 10 security advisory ( CVE-2021-44228 )  due to an actively exploited zero-day vulnerability. The vulnerability is severe and allows a malicious actor to craft a payload that can trigger the running of arbitrary code on application servers and this library is used extensively in Java-based solutions.

Hitachi ID does not use the affected library directly in any of our solutions and as such the Hitachi ID Bravura Security Fabric is not affected by this issue.

Description

The Log4J vulnerability allows a logging statement to download a potentially malicious payload from a compromised ldap server in one form of this attack and should be treated very seriously. However, the Hitachi ID Bravura Security Fabric solutions are not generally based on java technology. The following exceptions that use Java have been reviewed and are not susceptible to this vulnerability.

Connectors

None of our connectors use log4j explicitly. Any use of log4j could be used in the API required for connecting to each of the different target systems.

The following SQL can be run against the install's database to determine if you use any connectors that are at risk:

SELECT host.id, pagent
FROM platform
JOIN host ON platform.id = host.platform
WHERE pagent IN ( SELECT 'agthpucmdb.exe' UNION ALL SELECT 'agthss.exe' UNION ALL SELECT 'agtjdeow-java.exe' UNION ALL SELECT 'agtrsaam.exe' UNION ALL SELECT 'agtpsfs854.exe' UNION ALL SELECT 'agtpsft849.exe' UNION ALL SELECT 'agtpsft81.exe' UNION ALL SELECT 'agtpsft82.exe' )

If the above statement returns no rows, then none of the connectors your install of the Hitachi ID Security Fabric is affected by this security advisory.

If the above statement does return rows, then some of your connectors may be effected through the use of third-party APIs.  Below is a list of the potentially affected third-party APIs along with more information about who provides the API and who can supply a fix if one is required.  As more information becomes available from each of the third-party API suppliers, this article will be updated.

  • agthpucmdb.exe
    • Vendor: HPE
    • Package: HP Universal Configuration Management Database
    • Link: HPE
    • How to identify path where log4j.jar would be located: Directories under the HPUCMDB_HOME environment variable
  • agthss.exe
    • Vendor: Oracle
    • Package: Oracle Hyperion EPM Shared Services
    • Link: Oracle
    • How to identify path where log4j.jar would be located: hyperionApiPath target address line option
  • agtjdeow-java.exe
    • Vendor: JD Edwards
    • Package: JD Edwards EnterpriseOne client
    • Link: JD Edwards
    • How to identify path where log4j.jar would be located: C:\Program Files\JDEdwards
  • agtrsaam.exe
    • Vendor: RSA
    • Package: RSA Authentication Manager 7.1/8.x Agent
    • Link: RSA
    • How to identify the path where log4j.jar would be located: The rsaApiPath target address line option
  • agtpsfs854.exe, agtpsft849.exe, agtpsft81.exe, agtpsft82.exe
    • Vendor: Oracle
    • Package: PeopleSoft Application Server PeopleTools folder
    • Link: Oracle
    • How to identify the path where log4j.jar would be located: The PeopleSoft PeopleTools folder specified within the PATH environment variable

Apache Guacamole

Apache Guacamole logs through an alternative logging library named slf4j. We are watching this project and if Apache Guacamole provides guidance that there are risks here we will advise known affected customers and update this article.  

API Callers

Hitachi ID's provided API examples call Log4j. These are not production-ready samples and are extended as part of customer engagements. If you are using java-based API callers Hitachi ID would strongly encourage you to review if the implemented solutions are using Log4j.

Hitachi ID Infrastructure

Hitachi ID has patched all our underlying infrastructures based on Java technology.

Severity

As previously stated, this is rated as a level 10 vulnerability and requires immediate action. But as described above, the Hitachi ID Bravura Security Fabric systems are not susceptible to this attack. 

Environment

The Hitachi ID Bravura Security Fabric is not susceptible to this security issue.

Affected Version Details

Please see https://logging.apache.org/log4j/2.x/security.html for further details.

Remediations

Please review vendor guidance for your solutions that might be at risk of this. But we need to stress that the Hitachi ID Bravura Security Fabric is not susceptible to this attack.

Mitigations

Please review vendor guidance for your solutions that might be at risk of this. But we need to stress that the Hitachi ID Bravura Security Fabric is not susceptible to this attack.