ADV-2021-002 - StealthAUDIT Sensitive Data Discovery affected by Log4j vulnerability

Executive Summary

On December 10, 2021, CVE-2021-44228 was published regarding a remote code execution vulnerability in the widely-used Log4j open source library. A vulnerable version of Log4j is used in StealthAUDIT Sensitive Data Discovery.

Our teams are continuing to monitor this vulnerability and will update this security advisory as necessary.

Updates

2022-01-14T18:00:00Z
StealthAUDIT Sensitive Data Discovery has released patches updating Log4j to v2.17.1. Refer to the “Official fixes” section below for additional details. Based on available information we remain confident that customers running a version of StealthAUDIT Sensitive Data Discovery with Log4j 2.15.0 remain protected.

2021-12-23T16:15:00Z
After upgrading to StealthAUDIT Sensitive Data Discovery version 11.5, customers may find that vulnerability scanners trigger on files named sdd-extractor-tika-10.0.0.jar and sdd-extractor-tika-11.0.0.jar. These files are artifacts from prior versions, are not executed by StealthAUDIT Sensitive Data Discovery version 11.5, and may be deleted.

2021-12-20T21:15:00Z
StealthAUDIT Sensitive Data Discovery builds upgrading Log4j to version 2.17.0 have been posted. Refer to the “Official fixes” section below for additional details. Based on available information we remain confident that customers running a version of StealthAUDIT Sensitive Data Discovery with Log4j 2.15.0 remain protected.

2021-12-18T12:55:00Z
We have reviewed CVE-2021-45105, a denial of service vulnerability in Log4j in certain configurations. StealthAUDIT Sensitive Data Discovery does not use a vulnerable configuration and is not exposed to this vulnerability.

2021-12-15T20:00:00Z
Updated StealthAUDIT Sensitive Data Discovery packages which upgrade Log4j to version 2.16.0 have been released. Refer to the “Official fixes” section below. Based on available information we are confident that customers running a version of StealthAUDIT Sensitive Data Discovery with Log4j 2.15.0 remain protected.

2021-12-15T14:45:00Z
On December 14, 2021, CVE-2021-45046 was published and Log4j version 2.16.0 released regarding an incomplete fix for CVE-2021-44228 when certain non-default configurations are used. StealthAUDIT Sensitive Data Discovery does not make use of any of these vulnerable configurations and remains fixed by Log4j version 2.15.0.

Out of an abundance of caution, the StealthAUDIT Sensitive Data Discovery team is preparing and testing a release upgrading Log4j to 2.16.0. We will provide an update to this advisory upon release.

Vulnerability

Information about the vulnerability in Log4j can be found on the project’s website. An adversary with the ability to cause StealthAUDIT Sensitive Data Discovery to scan a maliciously crafted file may obtain remote code execution on the StealthAUDIT server.

Exploitation

There are public reports of active exploitation of this vulnerability; however, Stealthbits is unaware of any exploitation targeting StealthAUDIT Sensitive Data Discovery.

Affected Versions

The following products are affected:

  • StealthAUDIT Sensitive Data Discovery version 10
  • StealthAUDIT Sensitive Data Discovery version 11
  • StealthAUDIT Sensitive Data Discovery version 11.5

Solution

StealthAUDIT Sensitive Data Discovery customers are advised to upgrade to the latest StealthAUDIT version as soon as possible.

Official fixes

The maintainers of Log4j released version 2.15.0, which contains fixes for this vulnerability. StealthAUDIT Sensitive Data Discovery has released the following patches, which upgrade Log4j to version 2.15.0:

  • StealthAUDIT Sensitive Data Discovery version 10.0.0.86
  • StealthAUDIT Sensitive Data Discovery version 11.0.0.95
  • StealthAUDIT Sensitive Data Discovery version 11.5.0.44

Subsequently, the maintainers of Log4j released version 2.16.0, which addresses incomplete remediation of the vulnerability in certain configurations (not used by StealthAUDIT Sensitive Data Discovery). The StealthAUDIT Sensitive Data Discovery patches that upgrade Log4j to version 2.16.0 are:

  • StealthAUDIT Sensitive Data Discovery version 10.0.0.87
  • StealthAUDIT Sensitive Data Discovery version 11.0.0.96
  • StealthAUDIT Sensitive Data Discovery version 11.5.0.45

On December 18, 2021, the maintainers of Log4j released version 2.17.0 to address CVE-2021-45105, an issue that arises when Log4j is used in certain configurations (similar to those addressed by version 2.16.0). These configurations are not used by StealthAUDIT Sensitive Data Discovery. However, we have released updates to StealthAUDIT Sensitive Data Discovery to update Log4j to version 2.17.0:

  • StealthAUDIT Sensitive Data Discovery version 10.0.0.89
  • StealthAUDIT Sensitive Data Discovery version 11.0.0.98
  • StealthAUDIT Sensitive Data Discovery version 11.5.0.47

The maintainers of Log4j released version 2.17.1, which addresses CVE-2021-44832, a remote code execution vulnerability that applies when the attacker is able to modify the Log4j configuration. For StealthAUDIT Sensitive Data Discovery, modifying this configuration would require administrative privileges to the Windows server hosting the application. We have released updates to StealthAUDIT Sensitive Data Discovery to update Log4j to version 2.17.1:

  • StealthAUDIT Sensitive Data Discovery version 10.0.0.90
  • StealthAUDIT Sensitive Data Discovery version 11.0.0.100
  • StealthAUDIT Sensitive Data Discovery version 11.5.0.48
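
To confirm which Log4j version a patched installation actually carries, and to spot the leftover sdd-extractor-tika jars described in the 2021-12-23 update, the following added example (not Stealthbits tooling) walks a directory and reads the Maven metadata bundled with log4j-core. It assumes the operator supplies the installation directory and that bundled copies of Log4j keep their pom.properties file.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Maven metadata that log4j-core ships inside its jar (assumed retained by fat jars).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 1)  # Log4j version in the latest patches listed in this advisory
# Leftover files the advisory says version 11.5 does not execute and may be deleted.
STALE = {"sdd-extractor-tika-10.0.0.jar", "sdd-extractor-tika-11.0.0.jar"}


def log4j_versions(data, label, depth=0):
    """Yield (location, version) for each log4j-core copy, including nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; nothing to report
    with zf:
        for name in zf.namelist():
            if name == POM:
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", text, re.M)
                if m:
                    yield label, m.group(1).strip()
            elif name.lower().endswith((".jar", ".war")) and depth < 3:
                yield from log4j_versions(zf.read(name), f"{label}!{name}", depth + 1)


def parse(version):
    """'2.15.0' -> (2, 15, 0); suffixes such as '-beta9' are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0])[:3])


def scan(root):
    """Return (location, version, status) for every Log4j copy in jars under root."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        for where, ver in log4j_versions(jar.read_bytes(), str(jar)):
            if jar.name in STALE:
                status = "stale artifact (may be deleted per advisory)"
            elif parse(ver) < FIXED:
                status = "below 2.17.1"
            else:
                status = "ok"
            findings.append((where, ver, status))
    return findings


if __name__ == "__main__":
    for where, ver, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{ver:10} {status:45} {where}")
```

Run it with the installation directory as the only argument; each output line gives the Log4j version found, its status, and the jar (or nested jar) that contains it.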

Revisions

Updates to this advisory may be made as necessary. Information about each change will be published in the table below.

Revision  Date                  Description
7         2022-01-14T18:00:00Z  Updated for availability of patches upgrading to Log4j 2.17.1
6         2021-12-23T16:15:00Z  Clarification on detections post-upgrade
5         2021-12-20T21:15:00Z  Updated for availability of patches upgrading to Log4j 2.17.0
4         2021-12-18T12:55:00Z  Updated for CVE-2021-45105
3         2021-12-15T20:00:00Z  Updated for availability of patches upgrading to Log4j 2.16.0
2         2021-12-15T14:45:00Z  Updated for CVE-2021-45046
1         2021-12-10T20:00:00Z  First published

Disclaimer

The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.