Log4j2 Zero-Day Vulnerability: What You Need to Know
The Log4j2 security vulnerability only affects organizations running Sage X3 versions 11 and 12, because those versions integrate with Elasticsearch. Vulnerabilities have been reported in Elasticsearch versions 6.8 (for v11), 7.9 and higher. If you are on an earlier version of Sage X3, your Sage X3 system is not impacted by this vulnerability.
Also, as part of Sage and Net at Work installation best practices, Elasticsearch is not exposed to the internal or external networks and is only opened to connections from the Syracuse node—so your risk should already be mitigated. If you are unsure, please feel free to reach out to us.
Sage is currently testing Elasticsearch 7.16.1 which would address this vulnerability. We will share more information as it becomes available.
Impact
Recently, the National Institute of Standards and Technology (NIST) announced a critical security vulnerability (CVE-2021-44228) in Apache’s Log4j2, a popular open source Java logging library used by developers of web and server applications. The vulnerability affects a broad range of services and applications on servers, making it extremely dangerous—and the need to update those server applications urgent.
According to the NIST security alert, “Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”
While Sage X3 software is not exposed to the Log4j2 vulnerability, Sage X3 integrates natively with a third-party solution called Elasticsearch. Sage X3 versions 11 and 12 are likely to be integrated with impacted instances of Elasticsearch, but not exposed if Sage X3 published security best practices have been followed. If you are on an earlier version of Sage X3, your Sage X3 system is not impacted by this vulnerability. Also, for those Sage X3 clients using Sage Enterprise Intelligence, please note that SEI is not affected by this vulnerability.
Elasticsearch running on JDK8 or lower may be vulnerable to the information-leak portion of the exploit, according to a security announcement from Elastic. To mitigate, it is recommended to set the following JVM option in Elasticsearch:
-Dlog4j2.formatMsgNoLookups=true
This is the same recommendation as published on Sage City for other Sage products.
Elasticsearch 6 and 7 are not susceptible to the remote code execution part of the exploit. If Elasticsearch is properly secured, without remote access, risk should be minimal.
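The two checks above (the JVM option is actually set, and Elasticsearch is reachable only from the local node) are easy to audit mechanically. The script below is an added example, not Sage or Net at Work tooling: it reads the text of an Elasticsearch node's config/jvm.options and config/elasticsearch.yml (file locations assumed to be the standard Elasticsearch config directory) and reports whether the -Dlog4j2.formatMsgNoLookups=true flag is active and whether the HTTP listener is bound beyond loopback. The sample file contents at the bottom are constructed for the demonstration; the "8:" / "8-:" version-conditional prefix it tolerates is Elasticsearch's jvm.options syntax, assumed here rather than taken from the page.

```python
"""Audit an Elasticsearch node for the Log4j2 mitigations described above.

Added illustration, not vendor code. Sample file contents are constructed;
on a real node read config/jvm.options and config/elasticsearch.yml instead.
"""
import re

MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"

# Host values that keep the listener reachable from the local machine only.
LOOPBACK_VALUES = {"_local_", "127.0.0.1", "localhost", "::1"}


def jvm_flag_present(jvm_options_text: str) -> bool:
    """True if the no-lookups flag is an active (non-comment) jvm.options line."""
    for raw in jvm_options_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out flags do not count
        # jvm.options allows JDK-version-conditional lines such as "8-:-Dfoo"
        # (assumed syntax); strip that prefix so the flag itself is compared.
        line = re.sub(r"^\d+(-\d*)?:", "", line)
        if line == MITIGATION_FLAG:
            return True
    return False


def network_exposure(elasticsearch_yml_text: str) -> str:
    """Return 'loopback' if the REST listener is local-only, else 'exposed'.

    An unset network.host defaults to loopback in Elasticsearch 6 and 7;
    http.host, when present, overrides network.host for the REST listener.
    """
    binds = {}
    for raw in elasticsearch_yml_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing YAML comments
        match = re.match(r"^(network\.host|http\.host)\s*:\s*(.+)$", line)
        if match:
            binds[match.group(1)] = match.group(2).strip().strip("'\"[]")
    value = binds.get("http.host", binds.get("network.host"))
    if value is None:
        return "loopback"
    hosts = {h.strip().strip("'\"") for h in value.split(",")}
    return "loopback" if hosts <= LOOPBACK_VALUES else "exposed"


def audit(jvm_options_text: str, elasticsearch_yml_text: str) -> list:
    """Collect human-readable findings; an empty list means both checks pass."""
    findings = []
    if not jvm_flag_present(jvm_options_text):
        findings.append("jvm.options is missing " + MITIGATION_FLAG)
    if network_exposure(elasticsearch_yml_text) == "exposed":
        findings.append("elasticsearch.yml binds the HTTP listener beyond loopback")
    return findings


# Constructed samples: one node as commonly found, one after hardening.
SAMPLE_JVM_UNMITIGATED = "-Xms4g\n-Xmx4g\n# -Dlog4j2.formatMsgNoLookups=true\n"
SAMPLE_YML_EXPOSED = "cluster.name: sagex3\nnetwork.host: 0.0.0.0  # listens everywhere\n"
SAMPLE_JVM_MITIGATED = "-Xms4g\n-Xmx4g\n8-:-Dlog4j2.formatMsgNoLookups=true\n"
SAMPLE_YML_LOCAL = "cluster.name: sagex3\nnetwork.host: _local_\n"

if __name__ == "__main__":
    for label, jvm, yml in (
        ("before", SAMPLE_JVM_UNMITIGATED, SAMPLE_YML_EXPOSED),
        ("after", SAMPLE_JVM_MITIGATED, SAMPLE_YML_LOCAL),
    ):
        print(label, audit(jvm, yml) or ["ok"])
```

Run it on a node's real config files by reading them into the two arguments of audit(); a non-empty list is the action item. The flag check deliberately ignores commented-out lines, which is the most common way this mitigation is "applied" but never takes effect.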
Servers without exposure to the Internet, using current firewalls with updated security and threat detection protocols, and other security devices with current updates should assist in mitigating risk, but there are several communication protocols on which this exploit could be used.
Recommendations
As a general best practice, you should check for and apply any updates for your security devices, as many have released updates to detect and prevent usage of this exploit. Actively monitoring servers for unexpected traffic can help detect if your systems are being targeted.
Additional Resources
For more information about the Log4j2 vulnerability, please refer to the following resources:
- Apache Log4j2 Vulnerability Guidance published by the Cybersecurity and Infrastructure Security Agency (CISA)
- A list of known impacted applications here.
The severity and understanding of the vulnerability are still being investigated, and information is changing rapidly. We will continue to advise as further recommendations become available. In the meantime, if you have questions, please contact us; our experts are here to help.