Cloudpaging and Cloudpaging CDN are Not Impacted by the Log4J Vulnerability
By now, there’s no doubt you’ve heard of the recent Log4j threat. CVE-2021-44228 is a zero-day vulnerability, publicly released on December 9th, 2021. CVE-2021-44228 has been assigned the highest “Critical” severity rating. This vulnerability would allow an attacker to execute remote code using the JNDI lookup mechanism at the message level.
Cutting right to the chase, we have good news for Numecent customers. We have officially determined the CVE-2021-44228 vulnerability does not impact Cloudpaging Server or Cloudpaging CDN.
We confirmed this JNDI lookup mechanism is not present in the implementation of Log4j used by Cloudpaging Server. Versions of Cloudpaging Server 9.3 and later install with Java 1.8u201, which contains a remote code execution mitigation (also implemented in Java 1.8u121 and later), prevents access to remote resources using the JNDI URL. Even if the JNDI lookup mechanism were in place, Cloudpaging Server would still be protected.
Numecent will continue to monitor and provide updates to the potential impact of the vulnerability on Numecent managed services and on-premises installations.
Customers can view our Cloudpaging Server – Apache Vulnerability Warnings article for a list of known Apache Tomcat vulnerabilities.
Next Steps for Numecent Customers
While Cloudpaging Server is not affected by the recent CVE vulnerabilities, due to the serious nature of the exploits, we have released a software update: Cloudpaging Server 9.4.2 to accompany the latest Log4j version, 2.16.0. The release contains an enhancement to upgrade log4j in Cloudpaging Server and Enterprise Portal to 2.16.0 to alleviate concerns with CVE-2021-44228 and CVE-2021-45046.
This release can be quickly upgraded from previous versions of Cloudpaging Server 9.4. Customers upgrading from versions older than Cloudpaging Server 9.4.0 will need to follow the upgrade note instructions before upgrading Cloudpaging Server to perform any necessary migrations steps.
Numecent’s Approach to Security
Security is of the upmost importance here at Numecent. Distributing digital content can be an inherently insecure exercise. To provide maximum control over your application estate, Cloudpaging enables IT to rapidly deliver, update, reallocate, and rollback software on-demand.
In the case of a security threat, applications can quickly be removed from desktops, patched, and redeployed.
Additionally, Cloudpaging meters all usage, monitoring access into its container by users and the operating system to provide accurate, audit-ready proof that any application usage is accurately and legitimately metered. Its rights management model proactively controls and protects applications from unauthorized use, anti-piracy with or without existing software security, and is fully integrated with our delivery and virtualization technologies to synergistically provide more robust and more sophisticated application security than traditional wrapper mechanisms or ones requiring recompiling of target applications.
These same principles and capabilities carry over to Cloudpaging CDN, ensuring customers have a secure, reliable cloud platform that helps reduce the risk of exploits.
Additional Resources
For ongoing updates on Log4j from Numecent, check out https://numecent.freshdesk.com/support/discussions/topics/1000107938.