Log4j critical vulnerability: CVE-2021-44228

Hi there, we are currently evaluating the impact on Insights and will communicate as soon as we know.

7 Likes

What version of Insights is affected?

A bit more information

A zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021 that results in remote code execution (RCE).

Affected versions:
Log4j versions 2.x prior to and including 2.14.1

1 Like

Hi. Do you mean 21.4.1?

No, this isn’t specific to UiPath or their product. This is Log4j v2.14.1 and lower is affected. It was patched in 2.15.0

You’ll need to receive communication from UiPath on how a fix will be applied and whether they recommend an upgrade to Insights or manually upgrading Log4j. Each enterprise will need to make the determination on the urgency to fix the vulnerability and may opt to manually patch it if UiPath hasn’t communicated anything yet.

If you have not received direct communication from UiPath, I would suggest opening a ticket with support directly and/or reaching out to your CSM.

1 Like

I reached out to our CSM and received the following communication for the time being.

The UiPath Security and Product Engineering teams are completing the exposure analysis of the Log4J vulnerability, categorized as CVE-2021-44228 and taking mitigation actions. At this time, UiPath has found no evidence of risk associated with this vulnerability for the following products:

  • Studio (all types), Assistant, Robot (all types including AI Robots, Cloud Robots, etc.)
  • Orchestrator
  • Automation Hub (including Task Capture)
  • Data Services
  • Task Mining
  • Process Mining
  • Test Manager
  • Automation Ops
  • Action Center
  • Apps
  • AI Center
  • HAA
  • All UiPath Activity Packages published to the UiPath Official Feed
  • Automation Cloud supporting services not accessible by customers

The following products are still under investigation by UiPath:

  • Insights
  • Automation Suite supporting services

Customers using Elastic Search which is commonly leveraged alongside UiPath products should be aware that Elastic has announced that that versions 6.x and 7.x are mitigated, however customers should follow Elastic announcements via their blog.

6 Likes

FYI another vulnerability for log4j was discovered CVE-2021-45046. It’s been addressed in the 2.16.0 as the original fix in 2.15.0 for CVE-2021-44228 was incomplete.

@Michelle_Yurovsky / @Forum_Staff - Can you Speak to this when UiPath has something further to communicate?

We have just posted an update! For all versions of Insights below 2021.10, please see Products Security | UiPath. We have mitigation steps posted at Products Security | UiPath. We appreciate the patience while we investigated and worked to confirm impact and mitigation. We understand that many of you have been waiting for this announcement.

5 Likes

Thanks @Michelle_Yurovsky !

Will a separate posting be made for CVE-2021-45046 or will that be updating on the same page as it mentions investigation is still on-going?

The same page there will be updated with any further announcements!

3 Likes

Does the 21.4.1 insights hotfix work on version 21.4.0 (on prem)

Hi @Anders_Sinding_Hadrup,

Welcome to the Community !

Yes, 21.4.1 Insights HotFix from GitHub is intended for use with Insights 21.4.0 (on-prem).

Hope that helps !

Thanks & Regards,
Nithin

3 Likes

Hi @codemonkee ,

As per the details I have received from UiPath Support, with the latest patch they released as part of the mitigation steps we have now moved to Log4j Version 2.16.0 which was released by Log4j as a mitigation for CVE-2021-45046. So with the latest patch in place we should be protected from both CVE-2021-44228 & CVE-2021-45046.

Snip from the POM.xml in the Patch Provided by UiPath:

Regards,
Nithin

2 Likes

@Michelle_Yurovsky , are you looking into CVE-2021-45105 regarding insights and other products?

Hi Nithin,

Can we use Insights 19.10.7 hotfix for the insights version 20.4.1, please suggest

No, these are two different major.minor branches. You need the patch intended for your version. If one has not been released for 20.4 consider upgrading to 20.10, 21.x, etc. If unsure reach out to your Support or CSM.

Please see the links above in the thread, which contains recommendations for versions lower than 21.10.

3 Likes

The Security Advisor page linked about was updated to include this CVE.

2 Likes

Since there is a new CVE (CVE-2021-44832 - Remote Code Execution - CVSS Score 6.6) I was hoping the Security Advisor page would be updated, but it isn’t. Is Insights affected by this CVE too? Are the solutions mentioned on the page enough, or are additional actions neccessary?

The patch from Apache addressing CVE-2021-44832 in 2.17.1 was released a week ago. It doesn’t appear UiPath has provided another patch for Insights based on their latest release notes.

I would suggest reaching out to your Support / CSM, or reporting a security issue to see if they are actively working on another patch and/or bring it to their attention.

Hey there, here’s the update from our security team:

This latest Apache update is non-critical. The impact appears to be just a DoS and is safe to update as part of our normal cycle, not necessary as a hotfix. Existing Insights updates do not need a further fix.

1 Like