Log4j Vulnerability Status

December 22, 2021


Introduction

Some NEC products and solutions include a version of the logging component "log4j" which is now known to have severe security vulnerabilities. The vulnerabilities may be mitigated by various actions.

This article lists the known vulnerability status at time of writing and is intended to be useful to NEC partners and customers. It is updated as new information becomes known to NEC.

Background

On December 10, 2021, NIST announced a critical security issue in log4j, a widely-used software component for logging. For more information, see the NIST detail entries:
CVE-2021-44228, CVE-2021-45046

The vulnerability affects Apache Log4j versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. The vulnerability is sometimes called "log4shell".

Log4j version 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

This document does not address non-critical vulnerabilities in log4j, such as CVE-2021-4104. If found in NEC products, their status and mitigation will be published separately.

Product Matrix

Product | Vulnerability Status | Note
SL1000, SL1100, SL2100 | Not Vulnerable
UNIVERGE SV8100, UNIVERGE SV9100, UNIVERGE Aspire X, UNIVERGE Aspire UX, UNIVERGE Aspire WX | Not Vulnerable
UNIVERGE SV8300, UNIVERGE SV9300 | Not Vulnerable
UNIVERGE SV8500, UNIVERGE SV9500 | Not Vulnerable
UNIVERGE 3C Unified Communication Manager (UCM) | Vulnerable | UCM v9.3 and earlier are not vulnerable. UCM v10.0 (up to P3) and v10.1 (unpatched) include a vulnerable version of log4j. See the Mitigation Steps section below.
UNIVERGE UC Connector | Not Vulnerable
UNIVERGE Business ConneCT (BCT) | Not Vulnerable
UC for Enterprise (UCE) Application Platform | Not Vulnerable | The UCE OpenFire service has log4j, but not a vulnerable version.
UC for Enterprise (UCE) Attendant | Not Vulnerable | The UCE Patient Link, Attendant Statistics, and Guest Link services have log4j, but not a vulnerable version.
UC for Enterprise (UCE) Manager (MA4000) | Not Vulnerable
Expense Management | Not Vulnerable
UNIVERGE 3C UC Client | Not Vulnerable
UNIVERGE 3C Mobile Client | Not Vulnerable
UC for Enterprise (UCE) Desktop Client/Agent | Not Vulnerable
UC for Enterprise (UCE) Mobility | Not Vulnerable
TigerTMS | Not Vulnerable
SLC (uMobility) | Not Vulnerable
UNIVERGE Soft Client SP350 | Not Vulnerable
MyCalls | Not Vulnerable
UNIVERGE IP Phone DT700, UNIVERGE IP Desktop Terminals DT700 Series, UNIVERGE IP Phone DT800, UNIVERGE IP Desktop Terminals DT800 Series | Not Vulnerable
UNIVERGE Digital Phone DT300, UNIVERGE Digital Desktop Terminals DT300 Series, UNIVERGE Digital Phone DT400, UNIVERGE Digital Desktop Terminals DT400 Series | Not Vulnerable
UNIVERGE DT200 | Not Vulnerable
AT-15/AT-35/AT-40/AT-45 | Not Vulnerable
IP DECT DAP Controller, DMLS, AP400, I766, G266, G566, M166, G277, G577, G577h | Not Vulnerable
Location Gateway | Not Vulnerable
Blueprint | Not Vulnerable
UG50 | Not Vulnerable
MG-SIP, MCMG, VS32 | Not Vulnerable
UNIVERGE UM4730 | Not Vulnerable
UNIVERGE UM8700 | Not Vulnerable | The UM8700 Neverfail component does use log4j, but it is an unaffected version. See the Neverfail KB article.
UNIVERGE UM8000 | Not Vulnerable
UC Suite | Not Vulnerable
InMail | Not Vulnerable
LMS, LMC | Not Vulnerable
NEC Meeting Center (NMC) | Not Vulnerable
UCE | Not Vulnerable
Navigator MIS (Global Navigator), UC ACD, UC IVR (QueWorX) | Not Vulnerable | log4j exists on the Global Navigator server, but it is not an affected version.
UNIVERGE BX Series | Not Vulnerable
GT210 | Not Vulnerable
GT890 | Not Vulnerable
UNIVERGE ST500 | Not Vulnerable
UNIVERGE Integration Platform | Not Vulnerable
UNIVERGE Hybrid Workspace Management (UHM) | Not Vulnerable
UNIVERGE BLUE CONNECT | Not Vulnerable
UNIVERGE BLUE CONNECT BRIDGE | Not Vulnerable
UNIVERGE BLUE ENGAGE | Not Vulnerable
InApps | Not Vulnerable
Front Desk Assistant | Not Vulnerable
UNIVERGE BLUE Smart Access | Vulnerable | log4j is used and it is the vulnerable version. NEC is preparing a mitigation.
Employee Time Clock | Under Investigation
UNIVERGE Smart Guest Check-in (Kiosk) | Not Vulnerable
Express5800 Fault Tolerant Server (all 300 series) | Not Vulnerable
Express5800 General Purpose Server (all 100 series) except for R120h-1M/2M | Not Vulnerable
Express5800 General Purpose Server R120h-1M/2M | Under Investigation
ESMPRO/ServerManager, Server Agent | Vulnerable | log4j is used and it is the vulnerable version. NEC will soon publish a mitigation.
Hyper Converged Infrastructure D120H | Under Investigation
Scale Computing HC3 (HCI) | Not Vulnerable
SR250 (HCI - Lenovo), SR630 (HCI - Lenovo), SR650 (HCI - Lenovo) | Vulnerable | The command-line tool storman is affected. If you do not use storman, there is no impact on the SR series.
Leostream (VDI) | Not Vulnerable
M720Q (Edge), M80Q (Edge) | Not Vulnerable
HYDRAstor | Not Vulnerable | log4j exists in the HYDRAstor GUI, but it is not an affected version.
M Series Storage | Not Vulnerable
ExpressCluster R3 LAN, ExpressCluster R3 WAN, ExpressCluster R3 SAN, ExpressCluster R4.x | Not Vulnerable
VPCC v6.x | Under Investigation
US120f, US320f | Not Vulnerable
UNIVERGE BLUE Monitor | Under Investigation
3C GT phones | Under Investigation
NeoFace Watch FR | Under Investigation
NOE - UC-SDN | Vulnerable | log4j is used and it is the vulnerable version. See the Mitigation Steps section below.
QX switches | Not Vulnerable
MLC | Not Vulnerable
UMobility | Not Vulnerable

Mitigation Steps for UNIVERGE 3C

UNIVERGE 3C system versions v10.0 (up to P3) and v10.1 (unpatched) include a vulnerable version of Log4j.
  • For v9.3 and earlier, no action is required. The system is not vulnerable.
  • For v10.0 (up to P3), apply Patch 4 ("P4") to mitigate the vulnerability.
  • For v10.1 (unpatched), apply Patch 1 ("P1") to mitigate the vulnerability.
3C UC Client and 3C Mobile Clients do not include Log4j, and are unaffected.
For further information, see 3C Technical Bulletin TB146 ("UNIVERGE 3C System Level of Exposure to Log4j Vulnerability").

Mitigation Steps for NOE - UC-SDN

For NOE - UC-SDN, log4j is used by two functions:
  • nwdoc (documentation)
  • ems (ucsdn-SV9500)
If the application does not require those components, they can be turned off temporarily:

Step 1: Check Processes Using Log4j

Execute following command to check for processes that use log4j:

ps -ef | grep log4j

Example output of the command when processes are using log4j:

oe-elas+ 1140 1 42 04:48 ? 00:00:09 /opt/nec/oe/nwdoc/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms1g -Xmx1g -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/elasticsearch-5434253224797553227 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=logs/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Des.transport.cname_in_publish_address=true -XX:MaxDirectMemorySize=536870912 -Des.path.home=/opt/nec/oe/nwdoc/elasticsearch -Des.path.conf=/opt/nec/oe/nwdoc/elasticsearch/config -Des.distribution.flavor=oss -Des.distribution.type=tar -Des.bundled_jdk=true -cp /opt/nec/oe/nwdoc/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch -p /var/run/oe-elasticsearch/oe_elasticsearch.pid --quiet
root 1247 1 1 04:48 ? 00:00:00 /usr/java/jdk8/bin/java -cp ./log4j-1.2.16.jar:./emsMain.jar:./OaiLink.jar:./emsData.jar ems.EMSMain ./cfg/ems.cfg ./conditions/bootfile
root 3420 3284 0 04:49 pts/0 00:00:00 grep --color=auto log4j

Step 2: Disable log4j services

Stop the services, then disable them so they do not start again if NOE is rebooted, by running the following commands:

systemctl stop oe-kibana
systemctl stop oe-elasticsearch
systemctl stop oailinkd
systemctl stop emsd
/opt/nec/ems/emsd stop

systemctl disable oe-kibana
systemctl disable oe-elasticsearch
systemctl disable oailinkd

# Note: emsd is not managed by systemctl, so it cannot be disabled that way. Instead, move its init script out of /etc/rc.d/init.d/ to a safe place; it can be moved back later when the mitigation is no longer needed.
mv /etc/rc.d/init.d/emsd /root

Step 3: Confirm log4j is Stopped

Repeat step 1 and verify the list of processes to confirm that log4j is stopped.

ps -ef | grep log4j

Expected output is just one item:

root 8295 3284 0 05:01 pts/0 00:00:00 grep --color=auto log4j
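As an added example, not part of NEC's bulletin: POSIX shell helpers that turn the affected-version ranges from the Background section and the Step 1 process check into repeatable tests. Function names and the shortened sample ps output are constructed; the jar filename is assumed to carry the version, as Maven-built log4j artifacts do.

```shell
#!/bin/sh
# Added example, not NEC tooling: helpers that turn the affected-version ranges
# from the Background section and the Step 1 process check into repeatable tests.
# Function names and the shortened sample ps output are constructed.

# Classify a log4j version taken from a jar filename. Prints "affected" for
# 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 (CVE-2021-44228/45046),
# "log4j-1.x" for the 1.x line (outside those CVEs; see the CVE-2021-4104 note
# above), otherwise "not-affected".
log4j2_version_affected() {
  printf '%s\n' "$1" | awk -F'[.-]' '
    $1 == 1 { print "log4j-1.x"; exit }
    $1 != 2 { print "not-affected"; exit }
    $2 == 0 && NF >= 3 {   # 2.0 pre-releases: only beta9 and the RCs have the lookup
      if ($3 ~ /^(beta9|rc1|rc2)$/) print "affected"; else print "not-affected"; exit }
    $2 < 12 || ($2 == 12 && $3 <= 1) { print "affected"; exit }
    $2 >= 13 && $2 <= 15             { print "affected"; exit }
                                     { print "not-affected" }'
}

# Read "ps -ef" output on stdin; print "<pid> <jar>" for every log4j jar named on
# a command line, skipping the grep process itself. A JVM that only shows
# -Dlog4j... options or loads log4j via a classpath wildcard such as lib/* (the
# elasticsearch process in Step 1) is not reported here: use find_log4j_jars.
log4j_jars_in_ps() {
  awk '
    /grep/ && /log4j/ { next }
    { n = split($0, tok, /[ :]/)
      for (i = 1; i <= n; i++)
        if (tok[i] ~ /(^|\/)log4j[^\/]*\.jar$/) print $2, tok[i] }'
}

# Walk a directory tree (e.g. /opt/nec) for log4j jars and classify each by the
# version in its filename. Prints "<path> <version> <verdict>" per jar.
find_log4j_jars() {
  find "$1" -type f \( -name 'log4j-core-*.jar' -o -name 'log4j-[0-9]*.jar' \) 2>/dev/null |
  while read -r jar; do
    ver=$(basename "$jar" .jar); ver=${ver#log4j-core-}; ver=${ver#log4j-}
    printf '%s %s %s\n' "$jar" "$ver" "$(log4j2_version_affected "$ver")"
  done
}

# Constructed sample, shortened from the Step 1 output above.
SAMPLE_PS='oe-elas+ 1140 1 42 04:48 ? 00:00:09 /opt/nec/oe/nwdoc/elasticsearch/jdk/bin/java -Dlog4j2.disable.jmx=true -cp /opt/nec/oe/nwdoc/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch
root 1247 1 1 04:48 ? 00:00:00 /usr/java/jdk8/bin/java -cp ./log4j-1.2.16.jar:./emsMain.jar ems.EMSMain ./cfg/ems.cfg
root 3420 3284 0 04:49 pts/0 00:00:00 grep --color=auto log4j'

printf '%s\n' "$SAMPLE_PS" | log4j_jars_in_ps   # prints: 1247 ./log4j-1.2.16.jar
```

Because the ps check in Step 1 matches on any "log4j" text, including JVM -D options, and misses jars pulled in through classpath wildcards, run find_log4j_jars over the installation directories as well before and after Step 2.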