Apache Log4j Vulnerability
Canon Medical Systems Security Advisory
Overview:
It was announced that there are security vulnerabilities in Apache Log4j, a Java-based logging library provided by The Apache Software Foundation. On a server running Apache Log4j, a remote attacker could execute arbitrary code by sending specially crafted data that exploits these vulnerabilities.
Vulnerability Overview:
Log4j has a Lookup function that evaluates some values as variables from the character string described in the log. Among the Lookup functions, by exploiting the JNDI Lookup function, the problem (CWE-20, CVE-2021-44228) was discovered that Java class information is deserialized and executed from the external URL or internal path included in the log. This could allow a remote attacker to log a specially crafted string into the vulnerable system's log, resulting in arbitrary Java code being executed by the system. CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 were also reported after CVE-2021-44228. All vulnerabilities were fixed in the latest Log4j version (2.17.1).
The Apache Software Foundation has published the following information:
REF: https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
REF: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
-Base CVSS Score :
CVE-2021-44228 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2021-45046 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2021-45105 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-2021-44832 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
-Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.17.1
Possible Affected Canon Medical Systems Products:
The following Canon Medical Systems Corporation products are not using Apache Log4j.
- CT Medical Imaging Products
- MR Medical Imaging Products
- UL Medical Imaging Products
- XR Medical Imaging Products
- NM Medical Imaging Products
- Eye-Care Products
- Canon DR Products (CXDI_NE) such as Omnera, FlexPro, Soltus
- VL Infinix-i and Alphenix DFP
- VL Infinix-i Angio Workstation (AWS)
- Vitrea Advanced 7.x
- VL Alphenix Angio Workstation (AWS)
Mitigations for affected systems:
- For VL Alphenix Angio Workstation (AWS), it is confirmed that LDAP port 389 is closed on all AWS versions from 8.0 to 9.3. Since the LDAP communication is closed, Step 1, shown below, of the attack fails therefore there is no impact for the Alphenix Angio Workstation (AWS).
Source: JPCERT Coordination Center
"Observation of Attacks Targeting Apache Log4j2 RCE Vulnerability (CVE-2021-44228)"
https://blogs.jpcert.or.jp/en/2021/12/log4j-cve-2021-44228.html - In order to mitigate the effects of attacks that exploit this vulnerability, please consider reviewing and minimizing the threat vector to limit connections from the system to the network.
- Update firewall configurations to block outbound connections on the LDAP port. Please contact your IT Department to update your firewall configurations. As an example, please see the following industry-recommended mitigation:
https://blogs.cisco.com/security/protecting-against-log4j-with-secure-firewall-secure-ips - For Vitrea Advanced 7.x, please see the following mitigation instructions.
https://www.vitalimages.com/customer-success-support-program/vital-images-software-security-updates/
