Zyxel security advisory for Apache Log4j RCE vulnerabilities

CVEs: CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105

 

Summary

Zyxel is aware of remote code execution (RCE) vulnerabilities in Apache Log4j and confirms that among all its product lines, ONLY NetAtlas Element Management System (EMS) is affected. Users are advised to install the applicable updates for optimal protection.

 

What is the vulnerability?

CVE-2021-44228

Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. If the server uses a vulnerable Log4j to log requests, an attacker who can control log messages or log message parameters can execute arbitrary codes loaded from LDAP servers when message lookup substitution is enabled. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted request to a server running a vulnerable version of Log4j.

CVE-2021-45046

This issue addresses an incomplete fix for CVE-2021-44228 in Apache Log4j version 2.15.0. The flaw could be abused by an attacker to craft malicious input data using a JNDI Lookup pattern resulting in a denial-of-service (DoS) attack.

CVE-2021-4104

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data. This flaw allows a remote attacker to execute arbitrary codes on the server if the deployed application is configured to use JMSAppender.

CVE-2021-45105

The issue affects Apache Log4j versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) that could allow an attacker with control over Thread Context Map data to cause a denial of service (DoS) when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

 

What versions are vulnerable-and what should you do?

After a thorough investigation, we’ve identified only one vulnerable product that is within its warranty and support period, and we will release a hotfix and a patch to address the issue, as shown in the table below.

Affected by Affected model Hotfix availability Patch availability
CVE-2021-44228,
CVE-2021-45105
NetAtlas Element Management System (EMS) Dec. 20, 2021* V02.02.13(AAVV.221)C0 in end of Feb. 2022*

*Please reach out to your local Zyxel support team for the file.

 

If a product is not listed, it is not affected.

 

Update on Jan. 21, 2022

Recent research suggested that the Mirai botnet is abusing the Log4j vulnerability, which indicated that there were scanners in the wild looking for vulnerable Log4j devices from affected vendors.

As the NetAtlas EMS is typically used by internet service providers to manage central office equipment in isolated networks, the attack surface is relatively small. We urge users to install the applicable updates immediately for optimal protection.

 

Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.

 

Revision history

2021-12-14: Initial release
2021-12-16: Update CVE IDs, vulnerable model, and its patch
2021-12-22: Update CVE IDs
2022-1-21: Update response to recent research on Mirai botnet