CVE 2021-44228 & CVE 2021-45046 – Apache Log4j

This announcement will be kept up to date as the results of any new analysis emerge.

Last update: 22 April 2022 – 14:16 GMT

Version 1.4 of the Data Gateways engine has been released. This version uses Logstash 6.8.23 for improved security, addressing the vulnerabilities in the Log4j component used by Java applications.

Last update: 15 December 2021 – 15:35 GMT

On the evening of December 10th, Blue Prism was alerted to a critical Remote Code Execution vulnerability (CVE-2021-44228) within the Apache Log4j component (more information from Oracle and Apache). Since the initial investigation a further CVE has been raised (CVE-2021-45046). We can confirm that the information shown below will provide full interim protection for both issues, mitigating the threats until a final solution is available. As this is a popular third-party component that is used in technology solutions, we understand that customers may be concerned about how this impacts the Blue Prism suite of RPA products.

Initial investigation from our Product Security team has determined that for the Blue Prism Enterprise and Cloud products, we have no software dependency on Apache Log4j in our First Party code.

Customers who have installed and are using Data Gateways should be aware that it utilizes third-party binaries that use Logstash, which in turn uses the Apache Log4j component. Please see below for details and mitigations.

The key information from the security bulletin that relates to the vulnerable versions of Logstash is given below.

Affected Versions of Logstash and Log4j

Logstash versions 5.0.0+ up to 7.16.0 contain a vulnerable version of Log4j.

Logstash versions 6.8.x and 7.x up to 7.15.2, when configured to run on JDKs below version 8u191 and 11.0.1, allow for remote loading of Java classes.

Blue Prism Impact

Blue Prism Core Product

  • Uses Log4j: No
  • Impact: None
  • Further details for Blue Prism Core: The Blue Prism Java integration is not impacted by this vulnerability as Apache Log4j is not used.

Hub Platform and Plugins

  • Components: Interact, ALM, Web Based Control Room, Decision
  • Uses Log4j: No
  • Impact: None

Data Gateways

  • Uses Log4j: Yes
  • Details: The versions used by Data Gateways by default are not affected by the more severe remote code execution exploit, because the supplied JDK's default security controls prevent the loading of remote resources (see below for further details). Whilst unlikely, lesser attacks such as Denial of Service remain possible using Java classes that already exist on the user's machine.
  • Mitigation: Removing the JndiLookup class from the log4j2 core jar mitigates both identified vulnerabilities. See the following KB article for details of how to do this: http://portal.blueprism.com/customer-support/support-center#/path/1774729012/How-to-mitigate-the-Apache-Log4j-vulnerability-for-Data-Gateways.htm

    We also plan to release an updated version of Data Gateways utilising the latest Logstash version once the ongoing investigations into Log4j are concluded and this is released from Logstash.

  • Further details for Data Gateways:
    • The JVM installed with Data Gateways is JDK version 8u202. This is a later version of the Java Development Kit than the one specified in the Oracle security bulletin (JDK version 8u191).

    • As Blue Prism uses Java versions greater than 8u121 in Data Gateways, this protects against the JNDI vulnerability by setting the properties "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false." These default settings prevent remote class loading via JNDI object factories stored in naming and directory services.

    • Previous mitigations for CVE-2021-44228 that relied on configuration, such as setting the system property `log4j2.formatMsgNoLookups` to `true`, do NOT mitigate CVE-2021-45046. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. In prior releases (<2.16.0) the issue can be mitigated by removing the JndiLookup class from the classpath, as per our advice above.
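A check-and-mitigate helper for the JndiLookup removal described above, added here as an illustration; it is not Blue Prism's KB procedure nor Logstash or Log4j project code. It uses Python's zipfile on a constructed sample jar (the class entries are placeholders, not real Log4j bytecode) and treats any log4j-core below 2.16.0 that still ships JndiLookup.class as needing the mitigation, matching the advice above.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def log4j_core_version(jar_path):
    """Version string from the bundled Maven pom.properties, or None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        lines = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
    props = dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
    return props.get("version", "").strip() or None

def jar_has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()

def needs_mitigation(jar_path):
    """True when the jar is below 2.16.0 (or unversioned) and still ships JndiLookup."""
    parts = tuple(int(p) for p in re.findall(r"\d+", log4j_core_version(jar_path) or "")[:3])
    return parts < (2, 16, 0) and jar_has_jndi_lookup(jar_path)

def strip_jndi_lookup(jar_path, out_path=None):
    """Rewrite the jar without JndiLookup.class (in place by default); True if removed."""
    src, dst = Path(jar_path), Path(out_path or jar_path)
    with zipfile.ZipFile(src) as zin:
        entries = zin.infolist()
        if all(e.filename != JNDI_LOOKUP for e in entries):
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zout:
            for e in entries:
                if e.filename != JNDI_LOOKUP:
                    zout.writestr(e, zin.read(e.filename))  # keeps entry name and compression
    dst.write_bytes(buf.getvalue())  # written only after the source jar is fully read
    return True

def make_sample_jar(path=None, version="2.11.1"):
    """Constructed stand-in for a log4j-core jar: zip layout only, not real Log4j bytecode."""
    path = Path(path or Path(tempfile.mkdtemp()) / f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"#Generated by Maven\nversion={version}\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
        zf.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", b"\xca\xfe\xba\xbe")
    return path
```

On a real installation, stop the Logstash process and keep a backup copy of the original jar before rewriting it in place, then confirm with `needs_mitigation` that the class is gone.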

Service Assist

  • Uses Log4j: No
  • Impact: None

Capture

  • Uses Log4j: No
  • Impact: None

Decipher IDP

  • Uses Log4j: No
  • Impact: None

Further information

This is an important issue for us to monitor and we will provide additional updates as we learn more. It is important that customers who are using the vulnerable versions of Apache Log4j and JDK follow Apache and Oracle's guidance on mitigating the issue. If the impacted versions of Apache Log4j and Oracle JDK are being used in any environment alongside the Blue Prism Data Gateways feature, we advise customers to work with their IT and Security teams to take appropriate action as outlined by Apache.

If there are any follow-up questions, please submit a support ticket or update your existing support ticket relating to this issue and we'll assist in any way possible. We understand this is extremely important for customers and Blue Prism is staying on top of the developing situation.