Is QIE vulnerable to the log4j CVE-2021-44228 JNDI vulnerability?

+1 vote
1.3K views
asked Dec 13, 2021 by ben-s-7515 (12,320 points)
We are using QIE and would like to know if it is vulnerable to the log4j CVE-2021-44228 JNDI vulnerability?  This vulnerability is exposed on log4j version >= 2.0-beta9 and <= 2.14.1.  What version of log4j is being used inside of QIE?

1 Answer

+1 vote
 
Best answer

NOTE: On December 15, 2021 Log4j released a new update that fixed a problem that was missed with the December 10, 2021 update. This alert, 'CVE-2021-45046', was fixed in log4j 2.16.0. QIE updated to this new version of log4j and released QIE version 5.0.50.15206 with this fix.

On December 10, 2021, NIST published a critical Common Vulnerabilities and Exposures alert, CVE-2021-44228. This vulnerability is in Apache Log4j’s Java Naming and Directory Interface (JNDI) support, used in the default configuration of log4j. The vulnerability allows arbitrary code to be loaded and executed from an attacker-controlled LDAP server.

At the time of the NIST notification, QIE versions 5.0.49.14246 - 5.0.50.15157 were using log4j 2.13.1, exposing these versions of QIE to the vulnerability. All releases of QIE prior to 5.0.49.14246 were using an older version of log4j which is not exposed to this vulnerability.

Upon learning of the NIST notification, we immediately began working on a patch to the log4j libraries, upgrading them to the 2.15.0 release of log4j, which was released by Apache specifically to address this vulnerability. The QIE upgrade was completed on the same day, and we entered our testing and validation phase.  As of Wednesday, December 15th, 2021, all tests had passed, and the patch was released - QIE version 5.0.50.15206.

We strongly recommend that all QIE installations be upgraded as soon as possible to mitigate the risk of exposure to this vulnerability. To upgrade your existing environment please execute the following steps:

1) Log into your QIE console and navigate to "System Administration" -> "System Configuration" page

2) Under the "QIE Update Status" field set, select the "Check Now" option

Once you select this option you should see a new available build of version 5.0.50.15206 or greater.

3) Click on the "Download Now" button. This will download the updated version of QIE to your local installation and prepare it for installation. Wait for the download to complete and show up in the "Downloaded" column.

4) Click on "Install Now". This will restart your QIE service with the updated version of QIE. Once this is completed, you will be running the latest version of QIE and will not be exposed to the CVE-2021-44228 log4j JNDI vulnerability.

NOTE: Updating QIE typically takes 2 to 5 minutes to complete, depending on the size of the database. The QIE service will be down during this upgrade process.

If for any reason you are unable to download and install this update, or if you have any concerns with doing this upgrade, please contact Qvera support.

NOTE: If you are running QIE in a containerized environment, such as Kubernetes, you will need to upgrade to the latest version of QIE by updating the image tag in your configuration to "qvera/qie:5.0.50.15206".  If you need assistance with this upgrade, please contact Qvera support.

answered Dec 13, 2021 by ben-s-7515 (12,320 points)
edited Jan 23, 2023 by amanda-w-3695
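The answer above gives two things a practitioner has to check by hand: whether a given QIE build number falls in the affected range, and whether the log4j-core jar actually running is a fixed version. The script below is an added example written for this page, not Qvera's tooling: it encodes the build boundaries stated in the answer (5.0.49.14246 through 5.0.50.15157 on log4j 2.13.1, 5.0.50.15206 on 2.16.0), compares versions numerically rather than as strings (so 5.0.50.9999 sorts before 5.0.50.15206), and reads a log4j-core jar's `pom.properties` and checks for `JndiLookup.class`. The sample jars it builds in memory are constructed stand-ins with only the two entries that are read; the jar path inside a QIE install is not given on this page, so to check a real install pass the bytes of the actual `log4j-core-*.jar`. The 2.3.x and 2.12.x backport branches that Apache also fixed are not modelled here.

```python
"""Triage helpers for the QIE / log4j question above.

Added example, not Qvera's code: it encodes the version boundaries stated in
the answer and inspects a log4j-core jar the way one would check a live
install. The sample jars built below are constructed for this example and
contain only the two entries the checker reads.
"""
import io
import re
import zipfile

# Build boundaries quoted from the answer above.
FIRST_AFFECTED_QIE = "5.0.49.14246"   # first build shipping log4j 2.13.1
LAST_AFFECTED_QIE = "5.0.50.15157"    # last build shipping log4j 2.13.1
FIXED_QIE = "5.0.50.15206"            # ships log4j 2.16.0

# Entries inside a log4j-core jar (standard Maven / log4j layout).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Dotted version string -> tuple of ints, so '5.0.50.15206' > '5.0.50.9999'.

    A pre-release suffix such as '-beta9' is dropped; only the numeric
    components before it take part in the comparison."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(int(p) for p in core.split("."))


def qie_status(build):
    """Classify a QIE build number against the ranges given in the answer."""
    v = parse_version(build)
    if v < parse_version(FIRST_AFFECTED_QIE):
        return "not-affected"      # older log4j line, per the answer
    if v <= parse_version(LAST_AFFECTED_QIE):
        return "affected"          # log4j 2.13.1: upgrade required
    if v < parse_version(FIXED_QIE):
        return "verify"            # build not covered by the answer; inspect the jar
    return "patched"               # log4j 2.16.0 or later


def log4j_status(version, has_jndi_lookup):
    """Classify a log4j-core version for CVE-2021-44228 / CVE-2021-45046.

    Backport branches (2.3.x, 2.12.x) are not modelled; compare those against
    the Apache advisory directly."""
    v = parse_version(version)
    if v < (2,):
        return "log4j-1.x"         # different code base, not CVE-2021-44228
    if v >= (2, 16, 0):
        return "patched"
    if v >= (2, 15, 0):
        return "CVE-2021-45046"    # 2.15.0 only; fixed in 2.16.0 (see the note above)
    if not has_jndi_lookup:
        return "mitigated"         # JndiLookup.class removed from the jar
    return "CVE-2021-44228"


def inspect_log4j_jar(jar_bytes):
    """Return (version, has_jndi_lookup) for a log4j-core jar given as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    version = value.strip()
        return version, JNDI_LOOKUP in names


def classify_jar(jar_bytes):
    """Combine jar inspection and version classification into one verdict."""
    version, has_jndi = inspect_log4j_jar(jar_bytes)
    if version is None:
        return "unknown"           # no pom.properties: not a Maven-built log4j-core
    return log4j_status(version, has_jndi)


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar with only the entries read above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            POM_PROPERTIES,
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        )
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")   # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    for build in ("5.0.48.14000", "5.0.49.14246", "5.0.50.15157", "5.0.50.15206"):
        print(build, qie_status(build))
    for ver, jndi in (("2.13.1", True), ("2.13.1", False), ("2.15.0", True), ("2.16.0", False)):
        print(ver, classify_jar(build_sample_jar(ver, jndi)))
```

The "verify" result for builds between 5.0.50.15157 and 5.0.50.15206 is deliberate: the answer does not say which log4j those carry, so the jar check is the authority there. On a real host, `classify_jar(open(path, "rb").read())` over every `log4j-core-*.jar` you find (including ones nested in other archives) gives the answer the UI version string alone cannot.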
...