THE INFORMATION IN THIS ARTICLE APPLIES TO:
- All products, all versions
QUESTION
Are Globalscape products affected by the Log4j security vulnerability?
ANSWER
No. None of the products use the version of Log4j that is vulnerable.
Globalscape EFT is largely un-affected by this issue, because it is a native application that doesn’t use Java or log4j.
The DMZ Gateway uses v1.X of log4j, which is not affected by this vulnerability. The vulnerability affects log4j v2.0beta9 to v2.15.
The DMZ Gateway is shipped with an embedded Java Virtual Machine. We have a documented process to update that JVM to a newer version. Newer versions of Java have blocked the ability for remote code execution via a system property, and it is disabled by default.
The only Java based product Globalscape has is the DMZ Gateway.
CVE-2021-44228 Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
DMZ Gateway uses Log4j 1.2.16 which is a version of the library not reported as susceptible to the exploit in the CVE. Some websites have suggested the version DMZ uses could be susceptible as well. Regardless of whether this version is vulnerable, DMZ does not employ the JMS appender class and as such is not vulnerable to this exploit. Also, versions of Java deemed most susceptible to this attack are those older than 8u121; the version of Java deployed with the latest DMZ installer is 8u202.
CVE-2020-9488 Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
DMZ Gateway does not use the SMTP appender.
CVE-2019-17571 Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
The Log4j SocketServer class is not used by DMZ code.
Additionally, the Arcus infrastructure has been analyzed by the lead Arcus engineer and found not to be susceptible to any Log4j exploits. Out of an abundance of caution, the lead DMZ engineer is evaluating an upgrade to Log4j v2.16.0.