Apache Log4j Vulnerabilities (CVE-2021-44228) for Nutanix
by Danny Simmons
Senior Systems Engineer
A critical vulnerability in Apache Log4j2 (CVE-2021-44228) has been publicly disclosed that may allow for remote code execution in impacted Nutanix products.
This issue affects log4j versions between 2.0 and 2.14.1. The exploit requires an attacker to remotely access an endpoint and send arbitrary data logged or otherwise processed by the log4j engine.
The on-prem products potentially impacted by this issue are:
- AOS (STS) – Addressed in v220.127.116.11
- Note: A vulnerable version of log4j2 is shipped in AOS v6.x of the product. The code is part of a pre-staged feature that is not enabled and lies dormant However, Nutanix will be stripping this library out in AOS STS version 18.104.22.168 as a precaution
- AOS (LTS) – 5.15 and 5.20 – Not impacted
- Prism Central – Patch Pending – Will be addressed in 2021.9.0.3 Release when available. Release Date TBA
- File Analytics – Patch Pending
The Nutanix solutions under investigation are:
The Nutanix products not impacted are:
- AOS (LTS)
- AHV (All Supported Versions)
The SaaS-based products potentially impacted by this issue are:
- Karbon – Patch Pending
- Leap – Patch Pending
- Flow Security Control – Patch Pending
- Calm – Patch Pending
- Beam – Patch Pending
- Frame Gov – Patch Pending
- Insights – Patch Pending
The SaaS-based products that have been patched are:
- Web Application Firewall (WAF) filters have been put into place for all Nutanix SaaS-based products. WAF rules provide temporary protection until proper product updates can be made available. These filters are adjusted multiple times per day to account for new and emerging vectors.
- On-premises products, unless otherwise indicated, have no mitigations that are customer configurable.
Details on the CVE can be found here:
Helient can offer assistance evaluating the risk and remediating these vulnerabilities or reviewing the overall state of security within your Nutanix environment. Please contact our experts at firstname.lastname@example.org.