Mitel Product Security Advisory 21-0010

Vulnerability in Apache Log4j Libraries Affecting Mitel Products

Advisory ID: 21-0010

Publish Date: 2021-12-13

Last Updated: 2022-11-16

Revision: 16.0

 

Summary

In December 2021, the following vulnerabilities in the Apache Log4j 2.x Java logging library were disclosed:

  • CVE-2021-44228: Apache Log4j 2.x JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints with potential for code execution.

  • CVE-2021-45046: Apache Log4j 2.x Thread Context Message Pattern and Context Lookup Pattern is vulnerable to potential information leak and code execution.

  • CVE-2021-45105: Apache Log4j 2.x is vulnerable to uncontrolled recursion from self-referential lookups, leading to denial-of-service conditions.

  • CVE-2021-44832: Apache Log4j 2.x is vulnerable to code execution when configured to use JDBCAppender or the attacker has write access to the Log4j configuration.

A description of these vulnerabilities can be found on the Apache Log4j 2.x Security Vulnerabilities page.

Additionally, in December 2021 and January 2022, the following vulnerabilities in the Apache Log4j 1.x Java logging library were disclosed:

  • CVE-2021-4104: Apache Log4j 1.x is vulnerable to deserialization of untrusted data when configured to use JMSAppender or the attacker has write access to the Log4j configuration with potential for remote code execution.

  • CVE-2022-23302: Apache Log4j 1.x is vulnerable to deserialization of untrusted data when configured to use JMSSink to perform JNDI requests or when the attacker has write access to the Log4j configuration with potential for remote code execution.

  • CVE-2022-23305: Apache Log4j 1.x when configured to use JDBCAppender is vulnerable to malicious crafted SQL strings allowing unintended SQL queries to be executed.

  • CVE-2022-23307: Apache Log4j 1.x is vulnerable to deserialization of the contents of certain log entries when the chainsaw component is run with potential for code execution.

A description of these vulnerabilities can be found on the Apache Log4j 1.2 Security Vulnerabilities page. Based on the available information, these vulnerabilities in Log4j 1.x may only be exploited if the vulnerable component is configured for use, and/or the attacker has sufficient privileges to start the service or change the configuration on the host. These vulnerabilities require a more complex attack vector, resulting in lower severity of these vulnerabilities relative to the log4j 2.x JNDI exposure.

 

Affected Products

Mitel is investigating its products to determine which products may be affected by these vulnerabilities. Mitel will update this advisory as the details become available.

This is an ongoing investigation, as such be aware that products that are currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available.

Vulnerable Products

The following products have been determined to be affected by one or more of these vulnerabilities. This section will be updated as Mitel’s investigation continues.



Product Assessments

The following table provides the status of Mitel products which may be affected by the vulnerabilities listed in the Summary section above.

Mitel is investigating these products to determine if they are affected by log4j 1.x vulnerabilities. The products listed here with status investigating have been confirmed NOT to be affected by the listed log4j 2.x vulnerabilities.

This section will be updated as Mitel’s investigation continues.

 

Risk Assessment

The risk for CVE-2021-44228 vulnerability is rated as Critical. The additional vulnerabilities are rated as high to moderate. Refer to the product Security Bulletins for additional statements regarding risk.

 

Mitigation / Recommended Action

N/A

 

External References

These vulnerabilities were publicly disclosed by the Apache Log4j Security Vulnerabilities announcements.

 

Related CVEs / CWEs / Advisories

CVE-2021-44228 CVE-2021-45046 CVE-2021-45105 CVE-2021-44832 CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307

 

Revision History

Version Date Description
1.0 2021-12-13 Initial Version
2.0 2021-12-14 Updated product assessments
3.0 2021-12-14 Updated product assessments
4.0 2021-12-15 Updated product assessments
5.0 2021-12-15 Updated product assessments
6.0 2021-12-16 Updated product assessments
7.0 2021-12-17 Updated product assessments
8.0 2021-12-20 Updated product assessments
9.0 2021-12-21 Updated product bulletin for MiVB EX
10.0 2021-12-22 Added product bulletins for MiContact Center Nuance Speech Suite and related Nuance products; added product bulletin for MiCollab Advanced messaging XM FAX; updated bulletins for Mitel Interaction Recording, MiCollab, and MiVB EX, updated product assessments
11.0 2021-12-24 Updated bulletin and additional info for MiCollab
12.0 2022-01-31 Updated bulletin for Open Integration Gateway (OIG)
13.0 2022-02-23 Added product bulletin for Virtual Reception; updated product assessment status for log4j 1.x vulnerabilities
14.0 2022-03-22 Updated product assessments; added bulletin updates for log4j 1.x vulnerabilities
15.0 2022-06-08 Updated product assessments and bulletins for log4j 1.x vulnerabilities
 16.0 2022-11-16 Updated product assessments and bulletins for log4j 1.x vulnerabilities
Prêt à parler aux ventes ? Contactez-nous.