SecureAuth is aware of the Log4j vulnerability announced on December 9th. Information about a critical unauthenticated RCE vulnerability (CVE-2021-44228) that affects Java logging package log4j was tweeted, and a proof-of-concept (PoC) were posted on GitHub. This vulnerability could allow attackers full control of the affected server if a user-controlled string is logged. Since it is so easily exploited, the impact of this vulnerability is severe. The vulnerability is already being actively exploited in the wild.
While some SecureAuth products do utilize Apache Log4j in some components, the following are not using the vulnerable class directly within the products.
- SecureAuth Identity Platform version 9.x through 21.08
- Login for Endpoints
- Android and iOS SecureAuth Authenticator
- Adaptive Authentication
The one remaining module that is potentially affected is the SecureAuth Radius Server. In some instances, it could be compromised with the proof-of-concept that was released.
Our Engineering department has resolved the issue with the latest version of the Radius Server, which can be downloaded here. For upgrade instructions, refer to this doc.
(**Refer to NOTES section below for updates regarding Log4j vulnerability and additional information regarding common upgrade issues**)
In addition to upgrading the version of Radius, you may also consider implementing firewall rules to restrict the radius server to only communicate with known trusted destinations. We also recommend sending the radius logs to a centralized logging solution that can scan for the indicators of compromise.
If you have questions or require assistance upgrading your Radius Server, please contact SecureAuth Support through our portal (support.secureauth.com).
Bil Harmer CISSP, CISM, CIPP
CISO & Chief Evangelist | SecureAuth
secureauth.com | 650.303.9638
Update: A new vulnerability in Apache Log4j version 2.15.x and previous (https://nvd.nist.gov/vuln/detail/CVE-2021-45046) was published on December 14, 2021. The fix SecureAuth released on December 14, 2021 remediates this new vulnerability as well.
Known Upgrade Issue: SecureAuth RADIUS server v20.12 sometimes has issues when importing config files that were exported from RADIUS server v20.03 or 20.06 with a shared secret configured for a RADIUS client. (No issues exist if RADIUS server v20.03 or 20.06 was configured with a general shared secret set on the RADIUS Server Settings page.)
WORKAROUND: Set the shared secret for each v20.12 RADIUS client again.