Security Advisory Announcements
Date | What | Description
---|---|---
19 Dec 2021 | Apache Log4j 2.17.0 | Apache has released version 2.17.0 of the patch for Log4j after discovering issues with their previous release (2.16.0).
16 Dec 2021 | Apache Log4j 2.16.0 | Since publishing the 10 December 2021 advisory, Kudos has learned that a second vulnerability involving Apache Log4j was found on Tuesday, December 14th 2021.
10 Dec 2021 | Apache Log4j | Patch release to close the exposure of Kudos Travel Technology to the Apache Log4j vulnerability CVE-2021-44228, which some vendors refer to as Log4Shell.
19 DECEMBER 2021
Apache Log4j 2.17.0
Apache has released version 2.17.0 of the patch for Log4j after discovering issues with their previous release (2.16.0).
Log4j 2.16.0 did not always protect against uncontrolled recursion from self-referential lookups, so it is vulnerable to CVE-2021-45105, a denial-of-service vulnerability.
Only the Log4j-core JAR file is impacted by CVE-2021-45105.
No action is required from Kudos customers as recommended updates have automatically been applied to our Travel Platform and associated services.
Apache explained: “When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.
Mitigations include applying the 2.17.0 patch and replacing Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) in PatternLayout in the logging configuration. Apache also suggested removing references to Context Lookups in the configuration like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.”
16 DECEMBER 2021
Apache Log4j 2.16.0
A second vulnerability involving Apache Log4j was found on Tuesday, December 14th 2021 after cybersecurity experts spent considerable time attempting to patch or mitigate CVE-2021-44228.
The description of the new vulnerability, CVE-2021-45046, says the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was "incomplete in certain non-default configurations."
"This could allow attackers... to craft malicious input data using a JNDI (Java Naming and Directory Interface) Lookup pattern resulting in a denial of service (DOS) attack," the CVE description says.
Apache released a patch, Log4j 2.16.0 for this issue.
The CVE says Log4j 2.16.0 fixes the problem by removing support for message lookup patterns and disabling JNDI functionality by default. It notes that the issue can be mitigated in prior releases by removing the JndiLookup class from the classpath.
Although this issue is not relevant to Kudos, the Log4j 2.16.0 patch has been deployed to mitigate any potential risk, including any ongoing developments related to the initial CVE-2021-44228 vulnerability.
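The two mitigations quoted in the entries above, as an added Python example that is not Kudos's or Apache's own code: rewriting Context Lookups such as $${ctx:loginId} into the %X{loginId} Thread Context Map pattern recommended for CVE-2021-45105, and checking a log4j-core jar for the JndiLookup class and stripping it, the classpath mitigation mentioned for CVE-2021-45046. The jar and the PatternLayout line are constructed samples with placeholder class bytes, not real Log4j artifacts or a real deployment's configuration.

```python
import io
import re
import zipfile

# Path of the class whose removal is the classpath mitigation for Log4j 2.x
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches ${ctx:name} and the $${ctx:name} form used inside PatternLayout patterns
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([A-Za-z0-9_.-]+)\}")
# Constructed sample of a risky PatternLayout line (not from a real deployment)
SAMPLE_CONFIG = '<PatternLayout pattern="%d %p [user=$${ctx:loginId}] %m%n"/>'

def find_context_lookups(config_xml: str) -> list:
    """Return the MDC keys referenced through Context Lookups in a log4j2 config."""
    return CTX_LOOKUP.findall(config_xml)

def harden_pattern(config_xml: str) -> str:
    """Rewrite each Context Lookup as the equivalent %X{key} Thread Context Map pattern."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", config_xml)

def jar_entries(jar_bytes: bytes) -> list:
    """List the entries of a jar (a jar is a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(jar.namelist())

def jar_has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the jar still ships JndiLookup.class."""
    return JNDI_LOOKUP_CLASS in jar_entries(jar_bytes)

def remove_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Return a copy of the jar without JndiLookup.class (what `zip -q -d` does on disk)."""
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name != JNDI_LOOKUP_CLASS:
                dst.writestr(name, src.read(name))
    return out_buf.getvalue()

def build_sample_jar() -> bytes:
    """Constructed stand-in for an unpatched log4j-core jar; class bodies are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 2.x-constructed\n")
        jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Removing the class is a stopgap for releases that cannot be upgraded immediately; the durable fix remains moving to the patched Log4j release.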
10 DECEMBER 2021
Apache Log4j
Kudos Travel Technology (Kudos) is no longer vulnerable to this attack.
Kudos was affected by CVE-2021-44228 before December 10th, 2021. The severity level of this issue was critical because it could have been used to remotely execute code (RCE) using the permissions of the application.
No action is required from Kudos customers as recommended updates have automatically been applied to our Travel Platform and associated services.
What is this vulnerability?
A Remote Code Execution (RCE) vulnerability was discovered in the popular Java logging library, Log4j. This industry-wide security vulnerability allows an unauthenticated adversary to execute code on systems that have this library deployed by supplying specially crafted input. This is a serious vulnerability that affects many software products and online services.
How did this vulnerability affect Kudos?
Kudos utilises Apache Log4j in its products. This vulnerability was disclosed on Thursday, December 9, 2021, and has been actively monitored since.
In response, we activated our incident response process and immediately investigated the use of Log4j across Kudos products. As a result:
- We identified and triaged all Log4j deployments in all our products, and implemented the vendor-provided update or recommended mitigations on high-risk systems. We are continuing to apply the security update on lower-risk systems at this time.
- We are working with our sub-processors and critical vendors to ensure they remediate any vulnerabilities in their environments that we may rely on.
- We are continuing to monitor this issue and will determine whether additional action is required.
Where can I find more information?
Additional information on this vulnerability can be found here:
Apache Software Foundation: Apache Log4j Security Vulnerabilities
National Vulnerability Database: CVE-2021-44228