Vizrt Product security statement on Log4j vulnerability (CVE-2021-44228)

Vizrt Product Security Advisory

Publication Date: 2021-12-14
Last update: 2021-12-22
Current version: V1.4

On December 09, 2021, a vulnerability in Apache Log4j (a logging tool used in many Java-based applications) was disclosed that could allow remote unauthenticated attackers to execute code on vulnerable systems. The vulnerability is tracked as CVE-2021-44228 and is also known as “Log4Shell”. NIST also published a critical Common Vulnerabilities and Exposures alert, CVE-2021-44228.

At Vizrt Group, product security remains our top priority. In addressing the critical open-source Apache Log4j vulnerability (CVE-2021-44228), Vizrt Product Security, together with the product development engineering team, has completed investigating our environment for any “indicators of compromise” and Vizrt products for traces of the Log4j 2 vulnerability to determine which products are impacted. Utilizing a risk-based approach, only products that are impacted or under investigation are listed in this report. All other Vizrt products are clear of any potential vulnerabilities.

Impacted Products and Remediation

Viz One: If you are a 7.2 Viz One customer, you will be contacted by Professional Services, or you can reach out to your Global Support account and we can apply the available patch.

Viz Mosart: Our R&D team has analyzed all Mosart components. A connection with Log4j was found in a third-party component from Grass Valley. This plugin is only enabled when using Grass Valley K2 servers. We have asked Grass Valley to state whether this component is an issue. All Mosart customers who do not use Grass Valley K2 are not affected by this issue. To confirm, Viz Mosart is free of any vulnerability.

If a product is not listed here, then it has been found not to use a version of Log4j that is vulnerable. We will continue to update this page based on the latest information that we have. As is always the case, we strongly recommend that Vizrt products are used on secured networks, which ensures that this and future vulnerabilities are very unlikely to impact them in ways that might place an operation at risk. All other Vizrt products are clear of any potential vulnerabilities.

Cyber defense and security researchers warn that most of the activity observed since the publication of the critical Apache Log4j vulnerability (CVE-2021-44228) consists of coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltration of data from compromised systems.

Remediation advisory

Vizrt strongly encourages customers who manage environments containing Log4j to do the following:

Run a check to determine whether you are using a vulnerable Log4j version

  • On Linux, run: find . -type f | grep -i log4j

To mitigate the issue in existing deployments, if the Log4j version is >=2.10, do one of the following:

  • Set environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true
  • Launch the Java application/service with -Dlog4j2.formatMsgNoLookups=true
  • Remove the JndiLookup class from the classpath
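
The check and the mitigation list above combined into one inventory pass, as an added example that is not part of Vizrt's advisory: for each log4j-core jar it reports the version taken from the file name, whether JndiLookup.class is still packaged, and whether the version is in the >=2.10 range where the two lookup-disabling settings apply. The function names and the output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Vizrt code). Inventory log4j-core jars and report, per jar,
# which of the advisory's mitigations is still relevant.

# Path of the class inside the jar. ZIP stores entry names uncompressed, so a
# fixed-string grep over the jar file finds it without needing unzip.
JNDI_CLASS='org/apache/logging/log4j/core/lookup/JndiLookup.class'

# flag_mitigation_applies VERSION: succeeds if VERSION >= 2.10, the range in
# which the advisory says the two formatMsgNoLookups settings can be used.
flag_mitigation_applies() {
    major=${1%%.*}
    minor=${1#*.}; minor=${minor%%.*}; minor=${minor%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$minor" ] || return 1
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 10 ]; }
}

# scan_log4j DIR: print one line per jar in the (assumed) format
#   <path> version=<v> jndi=<present|removed> flags=<applicable|n/a>
scan_log4j() {
    find "$1" -type f -name 'log4j-core-*.jar' | sort | while IFS= read -r jar; do
        version=${jar##*/log4j-core-}; version=${version%.jar}
        if LC_ALL=C grep -q -F "$JNDI_CLASS" "$jar"; then jndi=present; else jndi=removed; fi
        if flag_mitigation_applies "$version"; then flags=applicable; else flags=n/a; fi
        printf '%s version=%s jndi=%s flags=%s\n' "$jar" "$version" "$jndi" "$flags"
    done
}

# Scan the directories given on the command line, if any.
for dir in "$@"; do scan_log4j "$dir"; done
```

Jars that were renamed or bundled inside another archive are not matched by the file-name pattern, so the broader find listing from the advisory remains the first pass.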

 

For additional details or assistance, please contact Vizrt support.

General security advisory

Good security hygiene and defensive measures can help in adversarial situations, keeping your business-critical infrastructure safe from compromise. Vizrt Product Security strongly recommends that you (a) secure network infrastructure and endpoints from unauthorized access, (b) do not expose your assets to the internet without appropriate security controls, and (c) consider a defense-in-depth approach by configuring your controlled and production environments to align with your organizational IT security operational policy.