Would like to know if there is any update regarding the log4j vulnerability in the UiPath products Orchestrator, Insights, AI Center and Action Center.
We have found log4j files in Insights, so please suggest if there are any configurations or updates released to fix this.
A zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021 that results in remote code execution (RCE).
Affected versions:
Log4j versions 2.x prior to and including 2.14.1
No, this isn’t specific to UiPath or their product. Log4j v2.14.1 and lower are affected; it was patched in 2.15.0.
You’ll need to receive communication from UiPath on how a fix will be applied and whether they recommend an upgrade to Insights or manually upgrading Log4j. Each enterprise will need to make the determination on the urgency to fix the vulnerability and may opt to manually patch it if UiPath hasn’t communicated anything yet.
If you have not received direct communication from UiPath, I would suggest opening a ticket with support directly and/or reaching out to your CSM.
I reached out to our CSM and received the following communication for the time being.
The UiPath Security and Product Engineering teams are completing the exposure analysis of the Log4J vulnerability, categorized as CVE-2021-44228, and taking mitigation actions. At this time, UiPath has found no evidence of risk associated with this vulnerability for the following products:
Studio (all types), Assistant, Robot (all types including AI Robots, Cloud Robots, etc.)
Orchestrator
Automation Hub (including Task Capture)
Data Services
Task Mining
Process Mining
Test Manager
Automation Ops
Action Center
Apps
AI Center
HAA
All UiPath Activity Packages published to the UiPath Official Feed
Automation Cloud supporting services not accessible by customers
The following products are still under investigation by UiPath:
Insights
Automation Suite supporting services
Customers using Elasticsearch, which is commonly leveraged alongside UiPath products, should be aware that Elastic has announced that versions 6.x and 7.x are mitigated; however, customers should follow Elastic announcements via their blog.
FYI another vulnerability for log4j was discovered CVE-2021-45046. It’s been addressed in the 2.16.0 as the original fix in 2.15.0 for CVE-2021-44228 was incomplete.
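For anyone in the same position as the original poster (log4j files found under an Insights install, no vendor patch in hand yet), the check below inventories log4j-core jars on disk and rates each one against the version facts stated in this thread: 2.x up to and including 2.14.1 is hit by CVE-2021-44228, 2.15.0 fixed that incompletely (CVE-2021-45046), 2.16.0 addresses both. This is an added example, not UiPath's patch or any UiPath tooling. It assumes the jar's `META-INF/MANIFEST.MF` carries an `Implementation-Version` header (falling back to the file name otherwise), and it does not look inside nested war/ear archives; the sample jars it builds are constructed, manifest-only files with no Log4j code in them.

```python
"""Inventory Log4j 2 jars on disk and rate each one against the versions named in the thread."""
import os
import re
import tempfile
import zipfile
from typing import Dict, Iterator, Optional, Tuple

Version = Tuple[int, int, int]

# Version facts as stated in the thread (not a complete Log4j advisory history).
LAST_44228_AFFECTED: Version = (2, 14, 1)   # 2.x up to and including 2.14.1
FIRST_45046_FIXED: Version = (2, 16, 0)     # 2.15.0 fix was incomplete; 2.16.0 addresses both

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Turn '2.14.1' or 'log4j-core-2.14.1.jar' into (2, 14, 1); qualifiers such as -rc1 are ignored (assumption)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(version: Version) -> str:
    """Map a Log4j version to the status the thread describes."""
    if version[0] != 2:
        return "not Log4j 2.x; outside the scope of this thread"
    if version <= LAST_44228_AFFECTED:
        return "AFFECTED: CVE-2021-44228 (and CVE-2021-45046); needs 2.16.0 or the vendor patch"
    if version < FIRST_45046_FIXED:
        return "PARTIAL: CVE-2021-44228 fixed, CVE-2021-45046 open; needs 2.16.0 or the vendor patch"
    return "OK per thread: 2.16.0 or later"


def version_from_jar(path: str) -> Optional[Version]:
    """Prefer the manifest's Implementation-Version (a renamed jar keeps it); fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1].strip())
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: fall through to the file name
    return parse_version(os.path.basename(path))


def find_log4j_core_jars(root: str) -> Iterator[str]:
    """Walk an install tree (for example an Insights deployment) for log4j-core jars."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                yield os.path.join(dirpath, name)


def scan(root: str) -> Dict[str, str]:
    """Return {jar path: status} for every log4j-core jar under root."""
    report: Dict[str, str] = {}
    for jar in find_log4j_core_jars(root):
        version = version_from_jar(jar)
        report[jar] = classify(version) if version else "version unknown; inspect manually"
    return report


def make_sample_jar(directory: str, name_version: str, manifest_version: Optional[str] = None) -> str:
    """Constructed sample: an empty jar whose only member is a manifest (contains no Log4j code)."""
    path = os.path.join(directory, f"log4j-core-{name_version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {manifest_version or name_version}\n")
    return path


def demo_scan() -> Dict[str, str]:
    """Build constructed jars in a temp tree, scan them, and return {file name: status}."""
    with tempfile.TemporaryDirectory() as root:
        for v in ("2.14.1", "2.15.0", "2.16.0"):
            make_sample_jar(root, v)
        # A renamed jar: the file name says nothing, the manifest still says 2.15.0.
        make_sample_jar(os.path.join(root, "lib"), "patched", "2.15.0") if os.makedirs(
            os.path.join(root, "lib"), exist_ok=True) is None else None
        return {os.path.basename(p): status for p, status in scan(root).items()}


if __name__ == "__main__":
    for jar_name, status in sorted(demo_scan().items()):
        print(f"{jar_name}: {status}")
```

Point it at the real install root with `scan("/path/to/Insights")` instead of `demo_scan()`; anything reported as AFFECTED or PARTIAL is what the vendor patch or an upgrade to 2.16.0 should remove, and the manifest lookup is there because a patch that renames or repackages the jar can leave the file name misleading.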
We have just posted an update! For all versions of Insights below 2021.10, please see UiPath Security Advisory CVE | UiPath. We have mitigation steps posted at UiPath Security Advisory CVE | UiPath. We appreciate the patience while we investigated and worked to confirm impact and mitigation. We understand that many of you have been waiting for this announcement.
As per the details I have received from UiPath Support, with the latest patch they released as part of the mitigation steps we have now moved to Log4j Version 2.16.0 which was released by Log4j as a mitigation for CVE-2021-45046. So with the latest patch in place we should be protected from both CVE-2021-44228 & CVE-2021-45046.
Snip from the POM.xml in the Patch Provided by UiPath:
No, these are two different major.minor branches. You need the patch intended for your version. If one has not been released for 20.4 consider upgrading to 20.10, 21.x, etc. If unsure reach out to your Support or CSM.
Please see the links above in the thread, which contain recommendations for versions lower than 21.10.