Zero-day-exploit in log4j2

Hi All,

I hope you guys are already aware of the log4j2 security vulnerability that happened over the weekend. I know ElasticSearch is using it heavily but does anyone has any idea if SugarCRM itself using it for any kind of logging? Also, what are the remedies to handle it in SugarCRM?

Kind Regards,

Junaid

Parents

+1 Alex Nassi over 2 years ago
Hi Junaid Usman,

Thanks for checking on this. Our team has been investigating this since the vulnerability was reported and we can confirm that SugarCRM itself does not contain the vulnerable library.

Sugar Cloud instances of Sell, Serve, Enterprise, and Professional are already secured and SugarMarket is unaffected by this vulnerability.

ElasticSearch, which is often used in Sugar on-site deployments, does have the vulnerable library, however, the risk is low. Per the current information from Elastic, ElasticSearch servers are not subject to remote code execution via this vulnerability, and data within the ElasticSearch cluster cannot be accessed. See https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 for more information.

As mentioned by Rodrigo Manara on this thread, On-Site instance administrators should apply the JVM option:

-Dlog4j2.formatMsgNoLookups=true

to their ElasticSearch services and should ensure that any and all other processes that may be subject to the vulnerability are patched, upgraded, or have mitigations applied as needed. We'll be investigating how to update the Supported Platforms to include the ElasticSearch version that is fully patched and does not require a workaround to secure.

Further general information can be found at the following locations:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
https://www.lunasec.io/docs/blog/log4j-zero-day/

Our team will provide more information if anything changes or new information becomes available.

-Alex

(CC: Kit Parenteau Rafael Fernandes Jorge Arroyo)
Cancel
Vote Up +3 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Junaid Usman over 2 years ago in reply to Alex Nassi

Hi Alex Nassi,

Thank you for the response and confirmation. I hope once the ElasticSearch new version with the patch is available, we can use it in SugarCRM sooner than later.

Kind Regards,

Junaid Usman
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Junaid Usman over 2 years ago in reply to Alex Nassi

Hi Alex Nassi,

Thank you for the response and confirmation. I hope once the ElasticSearch new version with the patch is available, we can use it in SugarCRM sooner than later.

Kind Regards,

Junaid Usman
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data