Tim Lovegrove
Security Analyst
Patch Roundup – December 2021
Welcome to the December Patch Roundup blog, where we cover the latest in patch releases and vulnerability information from Microsoft, Adobe, VMware and the other major vendors.
Anyone working in IT and Information Security will be painfully aware of the big news this month, with the log4j vulnerability dubbed “log4shell” dominating the headlines. We’ll dig into it a bit before rounding up the other usual suspects.
Apache Log4j
Originally an independent open-source project, now owned by the Apache Org, log4j is a free tool that enables detailed logging of Java-based applications. Over the last decade it has been baked into a vast array of products and services and has become ubiquitous across web apps and other application tooling.
A critical vulnerability (CVE-2021-44228, CVSS score 10.0 and dubbed log4shell) was discovered in the tool in late November 2021 with public disclosure and initial updates released on the 9th December to address the bug. By firing a crafted http request to a web server running log4j, an attacker can cause it to exfiltrate data or run commands when the request is captured by the logging component.
Several iterations of the updates have since been released, with version 2.16.0 being the latest and currently recommended version. The vulnerability is still a rapidly changing landscape with vendors updating products and new research turning up further bugs requiring additional patching or re-configuration. For the latest, visit our dedicated site which has all the information on the latest developments:
https://www.softcat.com/apache-vulnerability
Microsoft Patch Tuesday
With all the focus on log4j, Microsoft released a fairly substantial Patch Tuesday of their own, with 88 vulnerabilities fixed across the usual array of products. Due to their recent policy of limiting the information released with updates, some of the major bugs addressed this month are somewhat shrouded in mystery and offer little indication of how the bug could be exploited. The usual maxim of “patch promptly, patch thoroughly” applies.
The biggest hitting bug of the month is CVE-2021-43215, a Remote Code Execution (RCE) bug in iSNS Server. The iSNS tool is used for discovering and managing iSCSI devices on storage networks, and while it isn’t installed or enabled by default it’s a highly critical feature when used, and organisations could be badly affected if an attacker were able to exploit the bug.
CVE-2021-43899, a remote code execution flaw in Microsoft’s 4k Wireless Display Adapter, also scores highly and appears somewhat difficult to fully remediate, requiring a Windows Store app to be installed before updating firmware on the affected device. It’s unclear how the bug could be exploited but would require network proximity to the victim’s machine.
Finally, and once again somewhat lacking in detail, CVE-2021-43905 affects the Office App, available from the Microsoft Store. Another RCE, this time with known proof-of-concept exploit code available, the app will be updated automatically by the Store as long as auto-updating hasn’t been disabled.
Other Updates of Note
Google released an update to Chrome (v 96.0.4664.110) to address a number of bugs, including one being actively exploited in the wild. Adobe patched issues in Photoshop, After Effects, Lightroom and Premier Pro. Cisco have released updates addressing log4j across a wide array of products and are investigating others; check their advisory for full details.