Apache Log4j Vulnerabilities (CVE-2021-44228) for Nutanix

by Danny Simmons
Senior Systems Engineer

Summary
A critical vulnerability in Apache Log4j2 (CVE-2021-44228) has been publicly disclosed. It may allow remote code execution in impacted Nutanix products.

Description
This issue affects log4j versions between 2.0 and 2.14.1. To exploit it, an attacker must be able to reach an endpoint remotely and send arbitrary data that is logged or otherwise processed by the log4j engine.
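
For inventory work on systems you administer, the version range above can be turned into a simple jar-name check. This is an added example, not code from Nutanix or from the original post; it assumes jars keep the conventional `log4j-core-<version>.jar` file name, the function names are hypothetical, and the sample paths are constructed.

```python
import re

# Affected range as stated in this advisory: 2.0 through 2.14.1 (inclusive).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)

# Conventional Maven artifact name, e.g. log4j-core-2.14.1.jar or
# log4j-core-2.0-beta9.jar. Only log4j-core is matched; log4j-api and
# log4j 1.x jars are deliberately not. Renamed or shaded jars will not match.
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?\.jar$")

def parse_version(path):
    """Return (major, minor, patch) for a log4j-core jar path, else None."""
    name = re.split(r"[\\/]", path)[-1]  # accept POSIX and Windows separators
    m = JAR_RE.match(name)
    if not m:
        return None
    major, minor, patch = m.groups()
    # A pre-release suffix (-beta9, -rc1) is ignored, so 2.0-beta9 is
    # treated as 2.0. That errs on the side of flagging.
    return (int(major), int(minor), int(patch or 0))

def classify(path):
    """Label a path 'affected', 'outside-range' or 'not-log4j-core'."""
    version = parse_version(path)
    if version is None:
        return "not-log4j-core"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    # Outside the range this page states; not a statement that it is safe.
    return "outside-range"

def report(paths):
    """Map each path to its classification."""
    return {p: classify(p) for p in paths}

if __name__ == "__main__":
    # Constructed sample paths, not taken from any Nutanix product.
    sample = [
        "/opt/app/lib/log4j-core-2.14.1.jar",
        "/opt/app/lib/log4j-core-2.0-beta9.jar",
        "/opt/app/lib/log4j-core-2.15.0.jar",
        "/opt/app/lib/log4j-api-2.14.1.jar",
        "/usr/share/java/log4j-1.2.17.jar",
    ]
    for path, label in report(sample).items():
        print(f"{label:15} {path}")
```

A file-name check misses copies of the library bundled inside other archives, so treat a clean result as incomplete rather than conclusive.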

The on-prem products potentially impacted by this issue are:

  • AOS (STS) – Addressed in v6.0.2.4
    • Note: A vulnerable version of log4j2 is shipped in AOS v6.x of the product. The code is part of a pre-staged feature that is not enabled and lies dormant. However, Nutanix will be stripping this library out in AOS STS version 6.0.2.4 as a precaution.
  • AOS (LTS) – 5.15 and 5.20 – Not impacted
  • Prism Central – Patch Pending – Will be addressed in 2021.9.0.3 Release when available. Release Date TBA
  • File Analytics – Patch Pending

The Nutanix solutions under investigation are:

  • Calm
  • Karbon
  • MSP
  • Objects
  • Mine

The Nutanix products not impacted are:

  • AOS (LTS)
  • AHV (All Supported Versions)
  • Flow
  • Files
  • Volumes
  • Era
  • X-Ray
  • LCM
  • Move
  • NCC
  • Foundation

The SaaS-based products potentially impacted by this issue are:

  • Karbon – Patch Pending
  • Leap – Patch Pending
  • Flow Security Control – Patch Pending
  • Calm – Patch Pending
  • Beam – Patch Pending
  • Frame Gov – Patch Pending
  • Insights – Patch Pending

The SaaS-based products that have been patched are:

  • Frame
  • Sizer

Mitigations

  • Web Application Firewall (WAF) filters have been put into place for all Nutanix SaaS-based products. WAF rules provide temporary protection until proper product updates can be made available. These filters are adjusted multiple times per day to account for new and emerging vectors.
  • On-premises products, unless otherwise indicated, have no mitigations that are customer configurable.

Details on the CVE can be found here:

https://download.nutanix.com/alerts/Security_Advisory_0023.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Helient can offer assistance evaluating the risk and remediating these vulnerabilities or reviewing the overall state of security within your Nutanix environment. Please contact our experts at service@helient.com.