Forum Discussion

  • 2 minutes ago, Stuart Weenig said:

    The following message should have been presented to administrators logging in after Saturday:

     

    Thanks @Stuart Weenig. Is there a more public-facing notice? As an enterprise, our customers are asking us if we are exposed and we need to demonstrate we are not by including links to statements from our vendors.

    Anonymous

    The following message should have been presented to administrators logging in after Saturday:

    Quote

    On Dec 9th, 2021, various cybersecurity organizations began reporting that a critical-severity vulnerability has been discovered in an application logging component known as “log4j” which is widely used in Java-based applications. 

    LogicMonitor has evaluated our exposure to the Log4Shell vulnerability and determined that the LM SaaS platform is not affected. We are aware that some versions of the LM Collector include a defective version of log4j, but its architecture has been purposely designed to mitigate such vulnerabilities. However, out of an abundance of caution, we have developed a mitigation strategy for this vulnerability that will definitively prevent exposure. 

    At this time the Log4Shell mitigation has already been released to the LM platform and each Collector will have automatically updated its configuration file to incorporate the fix on Saturday, Dec 11th. Because each Collector restarts itself on a daily cadence, the updated configuration will automatically take effect on all Collectors no later than Sunday, Dec 12th.

    No updates to the Collector software are required to enable the Log4Shell mitigation and no manual intervention is required.

    Please reach out to LogicMonitor Technical Support or your Customer Success Manager if you have any questions or concerns.

     

    Anonymous

    I don't think there's one yet, but it wouldn't surprise me if a blog post came out today. I'll inquire.

    Anonymous

    I'm told that public communications will be posted on our support website later this week.

  • @Stuart Weenig Thanks.

    Although 2.15 can mitigate, for complete mitigation version 2.16.0 should be used, as this version completely removes the feature. Ideally the class "JndiLookup.class" should be removed altogether.

    https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.15.0

    "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability."
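The two checks the post above boils down to (which log4j-core version a jar carries, and whether JndiLookup.class is still inside it) are easy to automate. The script below is an added example written for this thread, not LogicMonitor's or Apache's code. It scans a jar, including jars nested inside a war or fat jar, classifies it using the thresholds the post states (pre-2.15.0 vulnerable, 2.15.0 incomplete, 2.16.0 complete), and can rewrite a jar with the JndiLookup class stripped. The sample jars are constructed in memory with placeholder bytes so it runs offline; the recursion depth and the status labels are this example's own choices, and back-ported fix branches (2.12.x, 2.3.x) are not modelled.

```python
"""Scan JAR/WAR archives for log4j-core and report Log4Shell exposure.

Added example, not vendor code. Classifies a jar by its bundled log4j-core
version and by whether JndiLookup.class is present, and can strip that class.
"""
import io
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 3  # assumption: how far to recurse into fat jars / wars


def version_tuple(version):
    """'2.15.0' -> (2, 15, 0); qualifiers such as '-rc2' are ignored."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def assess(version, has_jndi):
    """Classify one log4j-core jar as (status, reason)."""
    if version is None:
        return "suspect", "JndiLookup.class present but no log4j-core pom.properties; treat as vulnerable"
    v = version_tuple(version)
    if v >= (2, 16, 0):
        return "fixed", "2.16.0+ removes message lookups and disables JNDI by default"
    if not has_jndi:
        return "mitigated", "JndiLookup.class has been removed from the jar"
    if v == (2, 15, 0):
        return "partial", "2.15.0 limits JNDI to localhost, but CVE-2021-45046 remains in non-default PatternLayout configs"
    return "vulnerable", "pre-2.15.0 with JndiLookup.class present (CVE-2021-44228)"


def scan_archive(data, path, depth=0):
    """Return a list of findings for one archive and any archives nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    names = set(zf.namelist())
    version = None
    if POM_PATH in names:
        for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        status, reason = assess(version, has_jndi)
        findings.append({"path": path, "version": version, "has_jndi": has_jndi,
                         "status": status, "reason": reason})
    if depth < MAX_DEPTH:  # look inside WEB-INF/lib, shaded jars, etc.
        for name in sorted(names):
            if name.lower().endswith(NESTED_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{path}!{name}", depth + 1))
    return findings


def strip_jndi_lookup(data):
    """Return a copy of the archive with JndiLookup.class removed (top level only).

    Same effect as `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`.
    """
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_archive(entries):
    """Constructed test fixture: build a zip from {name: bytes} in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def fake_log4j_core(version, include_jndi=True):
    """Constructed fake log4j-core jar; the class entry is placeholder bytes, not real bytecode."""
    entries = {POM_PATH: f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"}
    if include_jndi:
        entries[JNDI_CLASS] = b"\xca\xfe\xba\xbe"
    return build_archive(entries)


if __name__ == "__main__":
    war = build_archive({"WEB-INF/web.xml": b"<web-app/>",
                         "WEB-INF/lib/log4j-core-2.14.1.jar": fake_log4j_core("2.14.1")})
    samples = [("log4j-core-2.14.1.jar", fake_log4j_core("2.14.1")),
               ("log4j-core-2.15.0.jar", fake_log4j_core("2.15.0")),
               ("log4j-core-2.16.0.jar", fake_log4j_core("2.16.0")),
               ("log4j-core-2.14.1-stripped.jar", strip_jndi_lookup(fake_log4j_core("2.14.1"))),
               ("app.war", war)]
    for name, blob in samples:
        for f in scan_archive(blob, name):
            print(f"{f['status']:<10} {f['path']}  version={f['version']}  jndi={f['has_jndi']}  {f['reason']}")
```

To use it against a real deployment, read each jar or war from disk and pass the bytes to `scan_archive`; anything reported as `vulnerable`, `partial` or `suspect` needs either the 2.16.0 upgrade or the class removal. Note that `strip_jndi_lookup` only rewrites the top-level archive, so a log4j-core jar nested inside a war has to be extracted, stripped and repackaged.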

    Anonymous

    I believe Log4j was included but not actively used. As I understand it, the next version of the Collector, which should be pushed out soon, will not even have log4j present.