Zyxel security advisory for Apache Log4j RCE vulnerability CVE-2021-44228

CVE: CVE-2021-44228

 

Zyxel is aware of remote code execution (RCE) vulnerabilities in Apache Log4j and confirms that among all its product lines, ONLY NetAtlas Element Management System (EMS) is affected. Users are advised to install the applicable updates for optimal protection.

All other Zyxel products or software versions are NOT AFFECTED.

What are the vulnerabilities?

CVE-2021-44228

Apache Log4j <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. If the server uses a vulnerable Log4j to log requests, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted request to a server running a vulnerable version of Log4j.

CVE-2021-45046

This CVE covers an incomplete fix for CVE-2021-44228 in Apache Log4j version 2.15.0. The flaw could be abused by an attacker to craft malicious input data using a JNDI Lookup pattern, resulting in a denial-of-service (DoS) attack.

CVE-2021-4104

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data. This flaw allows a remote attacker to execute arbitrary code on the server if the deployed application is configured to use JMSAppender.

CVE-2021-45105

The issue affects Apache Log4j versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) and could allow an attacker with control over Thread Context Map data to cause a denial of service (DoS) when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

What versions are vulnerable, and what should you do?

After a thorough investigation, we’ve identified only one vulnerable product that is within its warranty and support period, and we will release a hotfix and a patch to address the issue, as shown in the table below.

| Affected by | Affected model | Hotfix availability | Patch availability |
|---|---|---|---|
| CVE-2021-44228, CVE-2021-45105 | NetAtlas Element Management System (EMS) | Download UPDATED Patch | V02.02.13(AAVV.221)C0 at the end of Feb. 2022 |

Installation Notes for 2.17 Patch for NetAtlas!

1. Stop EMS services.
        # cd /opt/ELEMENTVIEW_MASTER/bin
        # sudo ./emsstop
2. Upload the patch file to the server and change to the directory where you uploaded it.
3. Unpack the patch package.
        # tar zxvf log4j2_patch_2.17.0.tar.gz
4. Apply the patch.
        # cd log4j2_patch
        # sudo ./patch.sh
5. Restart EMS services.
        # cd /opt/ELEMENTVIEW_MASTER/bin
        # sudo ./emsstart
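
To confirm the result after step 5, the following added example (not part of Zyxel's advisory or its patch.sh) scans a directory tree for log4j-core JARs and flags any that are older than the fixed releases the advisory names, 2.17.0 and 2.12.3. It assumes the JARs keep the upstream file name log4j-core-<version>.jar; the script name check_log4j.sh is arbitrary.

```shell
#!/bin/sh
# Added example, not Zyxel's patch.sh: report log4j-core JAR versions in a tree.
# Assumption: JARs keep the upstream file name log4j-core-<version>.jar.

# is_fixed VERSION: succeeds for 2.17.0 or later, or 2.12.x with x >= 3, the
# releases the advisory names as fixing CVE-2021-45105.
is_fixed() {
    v=${1%%-*}                              # drop suffixes such as -beta9
    case $v in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # not a plain dotted number
        *.*.*) ;;                           # major.minor.patch
        *) return 1 ;;                      # two-part 2.x versions are all old
    esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%.*}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -eq 2 ] || return 1
    [ "$minor" -ge 17 ] && return 0
    [ "$minor" -eq 12 ] && [ "$patch" -ge 3 ] && return 0
    return 1
}

# scan_dir DIR: print one line per JAR found; return 1 if any is outdated,
# 2 if DIR is not a directory.
scan_dir() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    found=$(find "$1" -type f -name 'log4j-core-*.jar' | sort)
    rc=0
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        jarver=${jar##*/log4j-core-}; jarver=${jarver%.jar}
        if is_fixed "$jarver"; then
            echo "FIXED    $jarver  $jar"
        else
            echo "OUTDATED $jarver  $jar"; rc=1
        fi
    done <<EOF
$found
EOF
    return "$rc"
}

# Run as: sh check_log4j.sh /opt/ELEMENTVIEW_MASTER   (script name is arbitrary)
[ "$#" -eq 0 ] || scan_dir "$1"
```

Exit status 1 means at least one JAR is older than the fixed releases. A JAR repackaged under another name or nested inside another archive is not seen by this check.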

Update on Jan. 21, 2022

Recent research suggests that the Mirai botnet is abusing the Log4j vulnerability, which indicates that there are scanners in the wild looking for vulnerable Log4j devices from affected vendors.

As the NetAtlas EMS is typically used by internet service providers to manage central office equipment in isolated networks, the attack surface is relatively small. We urge users to install the applicable updates immediately for optimal protection.

 

Can my USG FLEX / ATP Series help detect Log4j attacks?

Yes, our firewall IPS signatures can detect variants of Log4j attacks. For the full list, check the following webpage: Thread Checking

A few examples of what USG FLEX / ATP Series can help detect:
