The Apache Log4j2 library allows remote code execution.
The Connected Worker Platform (CWP) solution uses Log4j version 2.14.1, which contains the vulnerability that is described in CVE-2021-44228 and CVE-2021-45046. When debug logging is enabled in CT Processor, it is possible that an attacker can control log messages or log message parameters that can trigger execution of malicious code that originates from external LDAP servers.
The issue does not affect any versions of Nymi Enterprise Edition (NEE).
The issue affects the CT Processor component in the Contact Tracing Services in CWP 1.1.x release.
In CWP 1.1, the vulnerability is mitigated by the following factors:
CT Processor does not log external input that may potentially be controlled by an attacker (I.e. Kafka messages) when the log level is higher than DEBUG. The default log level of CT Processor is INFO (which is higher than DEBUG). Therefore, in the default configuration, the CT Processor is not exposed to this vulnerability.
The CWP solution implements access control measures in Kafka, from which the CT Processor retrieves messages to be processed. Only authorized parties with the required credentials can write data to Kafka. CT Processor does not accept any external input that may be crafted by an attacker, except through Kafka.
Typical deployments implement network security measures (for example firewalls) to protect Kafka and the CT Processor, and prevent exposure to the Internet.
If you are using CWP 1.1, upgrade to the CWP 1.2 release as soon as possible.
If you cannot upgrade to CWP 1.2 immediately, perform the following steps to ensure that log level is not set to DEBUG or lower on CT Processor. CT Processor is not exposed to this vulnerability when the log level is higher than DEBUG.
a. On the Kubernetes Client, edit the environment file that is appropriate for your
environment (.prod- env for production, .qa-env for a QA Environment, and .dev-env for a deployment environment).
b. Ensure that all log variables that start with CT_ and end with _LOG_LEVEL are set to INFO or ERROR.
c. Restart the CT Processor.
Information about products not manufactured by Nymi, or independent websites not controlled or tested by Nymi, is provided without recommendation or endorsement. Nymi assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Nymi makes no representations regarding third-party website accuracy or reliability.