Are you interested in our Early Access Program (EAP)? This program allows you to preview code, test in your lab and provide feedback prior to General Availability (GA) release of all Infoblox products. If so, please click the link here.

NIOS DNS DHCP IPAM

Reply

CVE-2021-44228 (Log4J) vulnerability and NIOS

Member
Posts: 1
2372     0

Hi 

 

Does this vulnerability affect NIOS?

 

Thanks

Gonza

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS

Member
Posts: 1
2372     0

Just got an reply from TAC support that NIOS is not affected by this CVE.

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS

Techie
Posts: 4
2372     0

an official note would be nice...

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS

Techie
Posts: 3
2372     0

yes ! an official note please.  Pending , i'm opening a ticket

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS

Techie
Posts: 6
2372     0

I was also told by TAC "NIOS 8.3.X and above versions are not affected by CVE-2021-44228 as the NIOS Web GUI does not use log4j libraries for logging", but agree an official response on this page would have saved me the TAC case...

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS

Community Manager
Community Manager
Posts: 274
2372     0

We are in the process of creating a KB article and a Cyber campaign brief (CCB) to address the critical vulnerability related to log4j under CVE-2021-44228.

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS

[ Edited ]
Community Manager
Community Manager
Posts: 274
2372     0

Infoblox NIOS and BloxOne products not vulnerable to CVE-2021-44228

Dec 17, 2021Knowledge
 

Summary:

 

Recently, a critical vulnerability related to Log4j was identified under CVE-2021-44228. This vulnerability allows attackers to send and execute code remotely. Additional Log4j vulnerabilities have since been identified: CVE-2021-45046, CVE-2017-5645, CVE-2019-17571, CVE-2020-9488, and CVE-2021-4104.  

 

CVSS:3.0 10.0

 

Overview and Impact:

 

CVE-2021-44228 is the designation for this vulnerability and affects Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features. 

 

Upgrading to version 2.16 is the recommended remediation based on CVE-2021-45046.

 

Confirmed Not Impacted

 

  • NIOS 8.4.x, 8.5.x, 8.6.x
    • Additionally, current FIPS and Common Criteria releases are also not impacted
    • Note that NIOS does not use Data Fabric Search (DFS)
  • BloxOne Products
    • BloxOneDDI
    • BloxOne Threat Defense

 

Affected but mitigated

  • NetMRI.  For more information please see KB 000007559 in the Infoblox Support portal

 

Resolution:

 

No action is required for NIOS or BloxOne products identified above.

 

For NetMRI please see KB 000007559 in the Infoblox Support Portal

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS

Adviser
Posts: 2
2372     0

In addition to the above KB article, here are some additional references:

 

Cyber Campaign Brief 

Official response

 

 

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS

Techie
Posts: 3
2372     0

Thanks Samana

Re: CVE-2021-44228 (Log4J) vulnerability and NIOS

Techie
Posts: 3
2372     0

Has anyone heard about older releases?  The official relase state 8.4 as expected since that is the oldest still supported, but wonderinghow far back that goes... If Log4j is not used for logging in any NIOS, that would be good to know...

 

-Stephen

Showing results for 
Search instead for 
Did you mean: 

Recommended for You