Log4j

Log4j Vulnerability Status

January 28, 2022


Introduction

Some NEC products and solutions include a version of the Apache Log4j logging component that is now known to have severe security vulnerabilities. Depending on the product, the vulnerabilities can be mitigated by a patch, an updated package, or a configuration change; the product-specific actions are listed below.

This article lists the known vulnerability status at time of writing and is intended to be useful to NEC partners and customers. It is updated as new information becomes known to NEC.

Background

On December 10, 2021, a critical security issue in Apache Log4j 2, a widely used Java logging component, was published as CVE-2021-44228 and added to NIST's National Vulnerability Database. The critical vulnerability is commonly called "Log4Shell": an attacker who can get a crafted string containing a JNDI lookup into any message that the application logs can make the application fetch and execute remote code. Related vulnerabilities, including CVE-2021-45046, were published in the following weeks. For more information, see the Log4j - Apache Log4j Security Vulnerabilities page.

The critical vulnerability affects Java software that uses Apache Log4j 2 versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. (2.12.2 is excluded because it is the fixed release for Java 7.)

Log4j version 2.16.0 fixes this critical issue by removing support for message lookup patterns and disabling JNDI functionality by default. (Version 2.15.0 only restricted JNDI lookups to localhost and was found to be incomplete, which is CVE-2021-45046.)

Log4j versions 2.17.0 and 2.17.1 fix further moderate-severity vulnerabilities (CVE-2021-45105, a denial of service through uncontrolled recursion in lookups, and CVE-2021-44832, code execution through a JDBC Appender whose configuration the attacker controls), so 2.17.1 is the version to target at the time of writing.

A high-severity vulnerability in Log4j version 1.2, CVE-2021-4104, affects only software that uses JMSAppender, which is not the default; exploiting it also requires write access to the Log4j configuration. Log4j 1.x is end of life and receives no fixes.

Product Matrix


Product
Vulnerability Status
Note

SL1000
SL1100
SL2100
Not Vulnerable
No Log4j

UNIVERGE SV8100
UNIVERGE SV9100
UNIVERGE Aspire X
UNIVERGE Aspire UX
UNIVERGE Aspire WX
Not Vulnerable
No Log4j

UNIVERGE SV8300
UNIVERGE SV9300
Not Vulnerable
No Java

UNIVERGE SV8500
UNIVERGE SV9500
Not Vulnerable
No Java

UNIVERGE 3C Unified Communication Manager (UCM)
Vulnerable
UCM v9.3 and earlier are not vulnerable.
UCM v10.0 (up to P3) and v10.1 (unpatched) include a vulnerable version of Log4j. See the Mitigation Steps section below.

UNIVERGE UC Connector
Not Vulnerable
No Java

UNIVERGE Business ConneCT (BCT)
Not Vulnerable

UC for Enterprise (UCE) Application Platform
Not Vulnerable
The UCE Openfire service includes Log4j, but not a vulnerable version.

UC for Enterprise (UCE) Attendant
Not Vulnerable
The UCE Patient Link, Attendant Statistics and Guest Link services include Log4j, but not a vulnerable version.

UC for Enterprise (UCE) Manager (MA4000)
Not Vulnerable

Expense Management
Not Vulnerable

UNIVERGE 3C UC Client
Not Vulnerable

UNIVERGE 3C Mobile Client
Not Vulnerable

UC for Enterprise (UCE) Desktop Client/Agent
Not Vulnerable
No Java

UC for Enterprise (UCE) Mobility
Not Vulnerable
No Log4j

TigerTMS
Not Vulnerable

SLC (uMobility)
Not Vulnerable

UNIVERGE Soft Client SP350
Not Vulnerable
No Log4j

MyCalls
Not Vulnerable

SIP@net server
Not Vulnerable

UNIVERGE IP Phone DT700
UNIVERGE IP Desktop Terminals DT700 Series
UNIVERGE IP Phone DT800
UNIVERGE IP Desktop Terminals DT800 Series
Not Vulnerable
No Log4j

UNIVERGE Digital Phone DT300
UNIVERGE Digital Desktop Terminals DT300 Series
UNIVERGE Digital Phone DT400
UNIVERGE Digital Desktop Terminals DT400 Series
Not Vulnerable
No Log4j

UNIVERGE DT200
Not Vulnerable
No Log4j

AT-15/AT-35/AT-40/AT-45
Not Vulnerable
No Log4j

IP DECT DAP Controller, DMLS, AP400, I766, G266, G566, M166, G277, G577, G577h
Not Vulnerable

Location Gateway
Not Vulnerable

Blueprint
Not Vulnerable

UG50
Not Vulnerable
No Java

MG-SIP, MCMG, VS32
Not Vulnerable
No Java

UNIVERGE UM4730
Not Vulnerable

UNIVERGE UM8700
Not Vulnerable
The UM8700 Neverfail component does use Log4j, but it is an unaffected version. See Neverfail KB article.

UNIVERGE UM8000
Not Vulnerable

UC Suite
Not Vulnerable
No Log4j

InMail
Not Vulnerable
No Log4j

LMS
LMC
Not Vulnerable

NEC Meeting Center
NMC
Not Vulnerable
No Log4j

UCE
Not Vulnerable
No Java

Navigator MIS (Global Navigator)
UC ACD
UC IVR (QueWorX)
Not Vulnerable
Log4j exists in Global Navigator server, but it is version 1.1.3, which is unaffected.

UNIVERGE BX Series
Not Vulnerable

GT210
Not Vulnerable
No Log4j

GT890
Not Vulnerable
No Log4j

UNIVERGE ST500
Not Vulnerable
No Log4j

UNIVERGE Integration Platform
Not Vulnerable
No Log4j

UNIVERGE Hybrid Workspace Management (UHM)
Not Vulnerable
No Log4j

UNIVERGE BLUE CONNECT
Not Vulnerable
No Java

UNIVERGE BLUE CONNECT BRIDGE
Not Vulnerable
No Java

UNIVERGE BLUE ENGAGE
Not Vulnerable
No Java

InApps
Not Vulnerable
No Java

Front Desk Assistant
Not Vulnerable

UNIVERGE BLUE Smart Access
Vulnerable
Log4j is used and it is the vulnerable version. NEC is preparing a mitigation.

Employee Time Clock
Under Investigation

UNIVERGE Smart Guest Check-in (Kiosk)
Not Vulnerable
No Java

Express5800 Fault Tolerant Server (all 300 series)
Not Vulnerable
All Windows, Linux and Microsoft versions have been checked and confirmed not vulnerable.

Express5800 General Purpose Server (all 100 series) Except for R120h-1M/2M
Not Vulnerable

Express5800 General Purpose Server R120h-1M/2M
Under Investigation

ESMPRO/ServerManager, Server Agent
Vulnerable
Log4j is used and it is the vulnerable version. See the Mitigation Steps section below.

Hyper Converged Infrastructure D120H
Under Investigation

Scale Computing HC3 (HCI)
Not Vulnerable

SR250 (HCI - Lenovo)
SR630 (HCI - Lenovo)
SR650 (HCI - Lenovo)
Vulnerable
The command-line tool storman is affected. If storman is not used, the SR series is not impacted.

Leostream (VDI)
Not Vulnerable

M720Q (Edge)
M80Q (Edge)
Not Vulnerable

HYDRAstor
Not Vulnerable
Log4j exists in the HYDRAstor GUI, but it is not an affected version.

M Series Storage
Not Vulnerable

ExpressCluster R3 LAN
ExpressCluster R3 WAN
ExpressCluster R3 SAN
ExpressCluster R4.x
Not Vulnerable

VPCC v6.x
Under Investigation

US120f
US320f
Not Vulnerable

UNIVERGE BLUE Monitor
Under Investigation

3C GT phones
Under Investigation

NeoFace Watch FR
Under Investigation

NOE Virtual Network Dashboard
Vulnerable
Log4j is used and it is the vulnerable version. See the Mitigation Steps section below.

NOE - All modules and functions Except Virtual Network Dashboard
Not Vulnerable

QX switches
Not Vulnerable

Masterscope
Vulnerable
Log4j is used in the NFA component, and it is a vulnerable version. A patch is being prepared for version 2.15. Until it is available, see the Mitigation Steps section below.

PFC (ProgrammableFlow Controller)
Vulnerable
PFC release 8.3 and older do not use Log4j and are therefore not vulnerable.

PFC release 8.4 uses Log4j in the optional module SC, which by default is not installed. See the Mitigation Steps section below.

MLC
Not Vulnerable
No Log4j

UMobility
Not Vulnerable
No Log4j

Mitigation Steps for UNIVERGE 3C

UNIVERGE 3C system versions v10.0 (up to P3) and v10.1 (unpatched) include a vulnerable version of Log4j.
  • For v9.3 and earlier, no action is required. The system is not vulnerable.
  • For v10.0 (up to P3), apply Patch 4 ("P4") to mitigate the vulnerability.
  • For v10.1 (unpatched), apply Patch 1 ("P1") to mitigate the vulnerability.
The 3C UC Client and 3C Mobile Client do not include Log4j and are unaffected.
For further information, see 3C Technical Bulletin TB146 ("UNIVERGE 3C System Level of Exposure to Log4j Vulnerability").

Mitigation Steps for ESMPRO

Notes on the vulnerabilities (CVE-2021-44228, CVE-2021-45046) in the Apache Log4j libraries of NEC ESMPRO Manager Ver. 6.37 to 6.56:
https://www.58support.nec.co.jp/global/download/esmpro/notes/NEC%20ESMPRO%20Manager%20Update.html

Related documents and packages (where a version update is listed, the newer version replaces the earlier one):

* NEC ESMPRO Manager Ver. 6 Installation Guide (Windows) [PDF]
  https://www.58support.nec.co.jp/global/download/esmpro/sg_es_sm_e.pdf

* NEC ESMPRO Agent Extension Installation Guide [PDF]: Ver. 2.16 updated to Ver. 2.24
  https://www.58support.nec.co.jp/global/download/esmpro/esm_saex_e.pdf

* NEC ESMPRO Agent Extension (Windows) [ZIP]: Ver. 2.07 updated to Ver. 2.10

* NEC ExpressUpdate Agent Installation Guide [PDF]
  https://www.58support.nec.co.jp/global/download/esmpro/eua_im_e.pdf

Mitigation Steps for NOE Virtual Network Dashboard

Step 1: Edit the jvm.options file
In the configuration file /etc/elasticsearch/jvm.options, add the following line. The file takes one JVM argument per line, and there must be no spaces around the "=".
-Dlog4j2.formatMsgNoLookups=true

Step 2: Restart the services
# systemctl restart kibana
# systemctl restart elasticsearch

After the restart, confirm that the property appears on the command line of the running Elasticsearch java process.

Caveat: this system property is honoured only by Log4j 2.10 and later, and Apache notes that it does not cover CVE-2021-45046 in non-default Pattern Layout configurations (Context Lookups or Thread Context Map patterns). Treat it as an interim measure; the complete fix is an upgraded Log4j or removal of JndiLookup.class from log4j-core, as in the Masterscope NFA steps below.

Mitigation Steps for Masterscope NFA

Step 1: Disable the lookup function of Log4j
To follow this step, the "zip" command must be installed on your machine.

1.1. Stop the NFA service
# /etc/init.d/nec-nfa-service stop

1.2. Back up the Log4j file to any directory on your machine. By default, NFA is installed in /opt/nec/nfa.
# cp -a <NFA install directory>/controller/lib/log4j-core-*.jar <backup directory>

1.3. Remove JndiLookup.class, the class that implements the JNDI lookup, from the Log4j file. If the lib directory contains more than one log4j-core jar, run the command once per jar with its full file name instead of the wildcard: zip treats only the first name as the archive, so only the first matching jar would be modified.
# zip -q -d <NFA install directory>/controller/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

1.4. Start the NFA service
# /etc/init.d/nec-nfa-service start


Step 2: Confirm that the lookup function is disabled
To follow this step, the "unzip" command must be installed on your machine.

2.1. Copy the Log4j file from which you removed the lookup function to any working directory
# cp -a <NFA install directory>/controller/lib/log4j-core-*.jar <working directory>

2.2. Change to the working directory
# cd <working directory>

2.3. Unzip the Log4j file in the working directory
# unzip log4j-core-*.jar

2.4. Confirm that JndiLookup.class is not included
# find . -name JndiLookup.class

If JndiLookup.class is still present, the following path is printed. No output means the class was removed and the mitigation is in place.
./org/apache/logging/log4j/core/lookup/JndiLookup.class
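The version ranges from the Background section and the JndiLookup.class removal and verification steps above, carried out by one script. This is an added example, not NEC's tooling and not part of the original bulletin. It uses Python's standard zipfile module in place of the zip and unzip commands, so it also works where those are not installed; the sample jar it builds is constructed for the demonstration, and the paths in demo() are placeholders. To use it on a real system, call assess() and strip_jndi_lookup() with the path of each log4j-core jar in the NFA controller/lib directory.

```python
"""Assess and harden log4j-core jars: version check plus JndiLookup.class removal.

Added example, not NEC's tooling. Standard library only (zipfile replaces the
zip/unzip commands). The sample jar and the paths used in demo() are constructed.
"""
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Affected ranges as stated in the Background section (CVE-2021-44228 / CVE-2021-45046).
AFFECTED_RANGES = [("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")]


def version_key(version):
    """Sortable key for Log4j version strings; 2.0-beta9 sorts before 2.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?", version)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, tag, tag_num = m.groups()
    pre = (0, tag.lower(), int(tag_num or 0)) if tag else (1, "", 0)
    return (int(major), int(minor), int(patch or 0)) + pre


def version_affected(version):
    """True if the version falls inside one of the affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def log4j_core_version(jar_path):
    """Version from the embedded Maven pom.properties, else from the file name."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS in zf.namelist():
            for line in zf.read(POM_PROPS).decode("ascii", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    m = re.search(r"log4j-core-(.+)\.jar$", Path(jar_path).name)
    return m.group(1) if m else None


def has_jndi_lookup(jar_path):
    """The check behind step 2: is the lookup class still inside the jar?"""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()


def assess(jar_path):
    """Affected version AND class present means the jar is exploitable as shipped."""
    version = log4j_core_version(jar_path)
    return {
        "version": version,
        "version_affected": version_affected(version) if version else None,
        "jndi_lookup_present": has_jndi_lookup(jar_path),
    }


def strip_jndi_lookup(jar_path, backup_dir):
    """Steps 1.2 and 1.3: back the jar up, then rewrite it without JndiLookup.class.

    Returns True if the class was removed, False if it was already absent.
    """
    jar_path, backup_dir = Path(jar_path), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(jar_path, backup_dir / jar_path.name)
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))  # keeps per-entry compression
    tmp.replace(jar_path)  # atomic swap on the same filesystem
    return removed


def make_sample_jar(directory, version="2.14.1"):
    """Constructed stand-in for a real log4j-core jar (entry bodies are dummies)."""
    jar = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return jar


def demo():
    """Assess, strip, re-assess a constructed jar; returns (before, after)."""
    with tempfile.TemporaryDirectory() as work:
        jar = make_sample_jar(work)
        before = assess(jar)
        strip_jndi_lookup(jar, Path(work) / "backup")
        after = assess(jar)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Note that the version check is the weaker of the two signals: a jar whose version is in an affected range but no longer contains JndiLookup.class has already been mitigated, which is exactly what the re-assessment after strip_jndi_lookup() shows.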

Mitigation Steps for PFC - SC module

  1. Add -Dlog4j2.formatMsgNoLookups=true to JAVA_OPTS in /opt/nec/sc/tomcat/bin/setenv.sh. Write it with no spaces around the "="; with spaces the JVM does not set the property.
  2. Restart SC.
This property requires Log4j 2.10 or later and, per Apache, mitigates CVE-2021-44228 but not CVE-2021-45046 in non-default Pattern Layout configurations; treat it as an interim measure.
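The two configuration edits above (the jvm.options line for the NOE Virtual Network Dashboard and the JAVA_OPTS entry in setenv.sh for the PFC SC module), as an added example that is not NEC's tooling: a small Python module that applies -Dlog4j2.formatMsgNoLookups=true idempotently to either file format, normalises the broken spaced spelling "= true" (which never sets the property), and reports what is currently set. It transforms file text rather than touching files, so it can be tested offline; read the real file, pass the text in, and write the result back. The sample file contents are constructed.

```python
"""Apply -Dlog4j2.formatMsgNoLookups=true idempotently to the two file formats above.

Added example, not NEC's tooling. It transforms file text (read the real file,
pass the text in, write the result back). Sample contents are constructed.
"""
import re

FLAG = "-Dlog4j2.formatMsgNoLookups=true"
# Matches any spelling of the property, including the broken "= true" form:
# with spaces the JVM never sees a property named log4j2.formatMsgNoLookups.
_PROP_RE = re.compile(r"-Dlog4j2\.formatMsgNoLookups\s*=\s*(\w+)")


def _active(line):
    """Lines starting with '#' are comments in both jvm.options and setenv.sh."""
    return not line.lstrip().startswith("#")


def current_setting(text):
    """The property as written on the first active line, or None if unset."""
    for line in text.splitlines():
        if _active(line):
            m = _PROP_RE.search(line)
            if m:
                return m.group(0)
    return None


def ensure_jvm_options(text, flag=FLAG):
    """Elasticsearch jvm.options: one JVM argument per line."""
    out, found = [], False
    for line in text.splitlines():
        if _active(line) and _PROP_RE.search(line):
            if found:
                continue  # drop a duplicate setting
            line, found = flag, True  # rewrite e.g. "=false" or the spaced form
        out.append(line)
    if not found:
        out.append(flag)
    return "\n".join(out) + "\n"


def ensure_java_opts(text, flag=FLAG):
    """Tomcat setenv.sh: the flag lives inside a JAVA_OPTS="..." assignment."""
    out, found = [], False
    for line in text.splitlines():
        if _active(line) and _PROP_RE.search(line):
            line, found = _PROP_RE.sub(flag, line), True  # normalise in place
        out.append(line)
    if not found:
        out.append(f'export JAVA_OPTS="$JAVA_OPTS {flag}"')  # append to whatever is set
    return "\n".join(out) + "\n"


# Constructed samples: the Elasticsearch file lacks the flag (a commented copy does
# not count); the setenv.sh carries the spaced form that silently does nothing.
SAMPLE_JVM_OPTIONS = """## JVM configuration
-Xms1g
-Xmx1g
# -Dlog4j2.formatMsgNoLookups=true
"""
SAMPLE_SETENV = """#!/bin/sh
export JAVA_OPTS="-Xmx512m -Dlog4j2.formatMsgNoLookups = true"
"""

if __name__ == "__main__":
    print(ensure_jvm_options(SAMPLE_JVM_OPTIONS))
    print(ensure_java_opts(SAMPLE_SETENV))
```

Running current_setting() on the real file before and after the edit gives the same evidence as inspecting the process command line after the restart: the exact string the JVM will receive. Whatever the file says, the property remains an interim measure for Log4j 2.10 and later and does not cover CVE-2021-45046.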