
Log4J Vulnerabilities - Thales Resolutions (Updated to 20 Dec 2021)
- No Information
- Critical
On December 10, Thales Cloud Protection and Licensing was made aware of a zero-day exploit in the popular Java logging library Log4J, impacting versions 2.14.1 and lower. An attacker who can control log messages or log message parameters to an affected system has the ability to execute arbitrary code loaded from an attacker-controlled internet server. Full details can be found in the public advisory (CVE-2021-44228).
Further to our initial posting, a new advisory (CVE-2021-45046) has been released detailing that in some instances the remediation for CVE-2021-44228 was insufficient. As of December 15, 2021, this bulletin also reflects the status of that CVE.
Thales has taken immediate action to investigate the impact of this vulnerability on our products and services. The following products are affected:
- CADP/SafeNet Protect App (PA) – JCE
- CipherTrust Batch Data Transformation (BDT) 2.3
- CipherTrust Cloud Key Manager (CCKM) Appliance
- CipherTrust Vaulted Tokenization (CT-V) / SafeNet Tokenization Manager
- CipherTrust/SafeNet PDBCTL
- Crypto Command Center (CCC)
- SafeNet Vaultless Tokenization
- Sentinel LDK EMS (LDK-EMS)
- Sentinel LDKaas (LDK-EMS)
- Sentinel EMS Enterprise aaS
- Sentinel Professional Services components (both Thales hosted & hosted on-premises by customers)
- Sentinel SCL
- Thales Data Platform (TDP)(DDC)
Other Thales products have been tested and are assumed not to be affected.
Thales CPL has taken action to upgrade systems immediately in accordance with these recommendations and to check logs for signs of compromise. All systems running the products listed above have been patched.
Customers using the impacted products on-premises should immediately apply the relevant patch as described in the official Thales documentation, which is available after logging in to the Thales support portal.
The support portal link:
Thales Software Monetization recommends organizations running Apache Log4j take the following actions:
- Check for vulnerable versions of Apache Log4j in your environments and applications.
- Implement the latest patch in production environments as soon as possible.
- Monitor for security bulletins.
- Monitor for vendor patches as they become available.
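One way to carry out the first of these checks, as an added example that is not Thales's own tooling: walk a directory tree, find log4j-core jars by name, and flag any version below an assumed cut-off of 2.16.0 (the bulletin names 2.14.1 and lower for CVE-2021-44228; CVE-2021-45046 covers the 2.15.0 follow-up fix). The cut-off, the JndiLookup.class check and the constructed sample jars are assumptions, not taken from the page.

```python
"""Flag Log4j 2 core jars covered by CVE-2021-44228 / CVE-2021-45046 (added example, not Thales code)."""
import os
import re
import tempfile
import zipfile

JAR_NAME = re.compile(r"^log4j-core-(\d[\w.\-]*)\.jar$")
# Versions below this need attention: the bulletin names 2.14.1 and lower for
# CVE-2021-44228; CVE-2021-45046 covers the 2.15.0 follow-up fix (assumed cut-off).
FIXED = (2, 16, 0)
# Presence of this class shows the class-removal mitigation was not applied to an old jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '-beta9' are dropped."""
    core = text.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())

def is_vulnerable(version):
    """True for any 2.x version below the assumed cut-off."""
    return parse_version(version) < FIXED

def scan(root):
    """Return [(path, version, has_jndi_lookup)] for every flagged jar under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_NAME.match(name)
            if not m or not is_vulnerable(m.group(1)):
                continue
            path = os.path.join(dirpath, name)
            with zipfile.ZipFile(path) as jar:
                has_jndi = JNDI_CLASS in jar.namelist()
            findings.append((path, m.group(1), has_jndi))
    return findings

def build_sample_tree():
    """Constructed sample: two minimal jars in a temp dir, one old and one at the cut-off."""
    root = tempfile.mkdtemp()
    for ver, with_jndi in (("2.14.1", True), ("2.16.0", False)):
        with zipfile.ZipFile(os.path.join(root, f"log4j-core-{ver}.jar"), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {ver}\n")
            if with_jndi:
                jar.writestr(JNDI_CLASS, b"")
    return root

if __name__ == "__main__":
    for path, ver, jndi in scan(build_sample_tree()):
        print(f"{path}: log4j-core {ver} (JndiLookup.class present: {jndi})")
```

Run it against a real application root instead of the sample tree to get a list of jars to patch; shaded or renamed jars will not match the filename pattern and need a separate check.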