THE GAME HAS CHANGED

Introducing Infoblox Universal DDI ManagementTM

Watch the launch to discover the new era of management for critical network services. Watch Now

NIOS DNS DHCP IPAM

Reply

CVE-2021-44228 (Log4J) vulnerability and NIOS
DaGonz
New Member
Posts: 1

‎12-11-2021 02:18 AM

7414     2

Hi 

 

Does this vulnerability affect NIOS?

 

Thanks

Gonza

Reply

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS
harishzone
New Member
Posts: 1

‎12-13-2021 01:56 AM

7414     2

Just got an reply from TAC support that NIOS is not affected by this CVE.

Reply

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS
peikertm
New Member
Posts: 4

‎12-13-2021 06:30 AM

7414     2

an official note would be nice...

Reply

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS
Laurent
New Member
Posts: 4

‎12-13-2021 08:06 AM

7414     2

yes ! an official note please.  Pending , i'm opening a ticket

Reply

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS
eatyourself
New Member
Posts: 6

‎12-13-2021 08:45 AM

7414     2

I was also told by TAC "NIOS 8.3.X and above versions are not affected by CVE-2021-44228 as the NIOS Web GUI does not use log4j libraries for logging", but agree an official response on this page would have saved me the TAC case...

Reply

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS
samanna
Adviser
Posts: 321

‎12-13-2021 11:02 AM

7415     2

We are in the process of creating a KB article and a Cyber campaign brief (CCB) to address the critical vulnerability related to log4j under CVE-2021-44228.

Reply

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS

[ Edited ]
samanna
Adviser
Posts: 321

‎12-13-2021 11:20 AM - edited ‎12-17-2021 02:41 PM

7415     2

Infoblox NIOS and BloxOne products not vulnerable to CVE-2021-44228

Dec 17, 2021Knowledge
 

Summary:

 

Recently, a critical vulnerability related to Log4j was identified under CVE-2021-44228. This vulnerability allows attackers to send and execute code remotely. Additional Log4j vulnerabilities have since been identified: CVE-2021-45046, CVE-2017-5645, CVE-2019-17571, CVE-2020-9488, and CVE-2021-4104.  

 

CVSS:3.0 10.0

 

Overview and Impact:

 

CVE-2021-44228 is the designation for this vulnerability and affects Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features. 

 

Upgrading to version 2.16 is the recommended remediation based on CVE-2021-45046.

 

Confirmed Not Impacted

 

  • NIOS 8.4.x, 8.5.x, 8.6.x
    • Additionally, current FIPS and Common Criteria releases are also not impacted
    • Note that NIOS does not use Data Fabric Search (DFS)
  • BloxOne Products
    • BloxOneDDI
    • BloxOne Threat Defense

 

Affected but mitigated

  • NetMRI.  For more information please see KB 000007559 in the Infoblox Support portal

 

Resolution:

 

No action is required for NIOS or BloxOne products identified above.

 

For NetMRI please see KB 000007559 in the Infoblox Support Portal

Reply

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS
jchik
Adviser
Posts: 2

‎12-13-2021 05:33 PM

7415     2

In addition to the above KB article, here are some additional references:

 

Cyber Campaign Brief 

Official response

 

 

Reply

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS
Laurent
New Member
Posts: 4

‎12-14-2021 02:42 AM

7415     2

Thanks Samana

Reply

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS
rswinter
New Member
Posts: 3

‎12-14-2021 10:49 AM

7415     2

Has anyone heard about older releases?  The official relase state 8.4 as expected since that is the oldest still supported, but wonderinghow far back that goes... If Log4j is not used for logging in any NIOS, that would be good to know...

 

-Stephen

Reply
0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended for You

Latest Annoucements