As documented in a prior blog post, on December 9, 2021, a zero-day remote code execution (RCE) vulnerability in a popular open-source Java logging library (Apache Log4j 2) was announced in a LunaSec blog post. The incident response team at Vendavo reacted to the vulnerability on December 10, 2021, by notifying Vendavo Cloud customers of emergency downtime for patching and remediation efforts.
Since the announcement of the original vulnerability, which has been documented as CVE-2021-44228, security researchers have found that the initial emergency mitigation steps were not entirely sufficient to block all threat vectors. Additionally, a second critical RCE vulnerability in the same Log4j library was identified and documented as CVE-2021-45046.
On December 17, 2021, at approximately 8:45am Pacific Time (16:45 GMT), Vendavo began notifying customers of another emergency downtime necessary to apply appropriate patches. Despite the discovery of additional vulnerabilities this past week, no breach of customer data or personal data was identified.
The most expedient and prudent method of addressing both vulnerabilities, and potentially others unknown at this time, is to simply remove the offending Java class file that enables exploitation. Further details and instructions can be found on the Apache Log4j website.
In accordance with industry recommendations, which have been verified by Vendavo, customers running EPS on-premises should take the following actions from the command line to immediately disable the threat. If EPS is being deployed to an application server, as opposed to using the embedded server, please consult the corresponding vendor for its vulnerability assessment and patching instructions.
- Stop the Vendavo EPS application.
- Navigate to the lib directory, which is located under the root path of the application.
- Run the following command to remove the offending Java class file (JndiLookup.class) from the corresponding JAR file (log4j-core-*.jar). The glob pattern should resolve to the specific version of Log4j bundled with the application.
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- Start the Vendavo EPS application.
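As an added example (not Vendavo's own tooling), the same removal done with Python's standard zipfile module: it locates every log4j-core JAR under an assumed lib directory, strips JndiLookup.class while keeping a .bak copy, and then verifies that no JAR still contains the class.

```python
# Added example: mirrors the zip -d step with Python's standard zipfile module.
# Assumes an EPS-style lib/ directory holding log4j-core-*.jar; not Vendavo's own tooling.
import glob
import os
import shutil
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def find_log4j_jars(lib_dir):
    """Return the log4j-core JARs found under lib_dir (sorted for stable output)."""
    return sorted(glob.glob(os.path.join(lib_dir, "log4j-core-*.jar")))

def contains_jndi_lookup(jar_path):
    """True if the JAR still ships the class that implements the JNDI lookup."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()

def strip_jndi_lookup(jar_path):
    """Remove JndiLookup.class from jar_path.

    zipfile cannot delete an entry in place, so the JAR is rewritten without
    it and the original is kept beside it as <name>.bak. Returns True if the
    JAR was modified, False if the class was already absent."""
    if not contains_jndi_lookup(jar_path):
        return False
    backup = jar_path + ".bak"
    shutil.copy2(jar_path, backup)
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # atomic swap: the patched JAR replaces the original
    return True

def remediate(lib_dir):
    """Strip the class from every log4j-core JAR under lib_dir and report which
    JARs were changed and which (if any) still contain it afterwards."""
    changed = [j for j in find_log4j_jars(lib_dir) if strip_jndi_lookup(j)]
    remaining = [j for j in find_log4j_jars(lib_dir) if contains_jndi_lookup(j)]
    return {"changed": changed, "still_vulnerable": remaining}

if __name__ == "__main__":
    import sys
    print(remediate(sys.argv[1] if len(sys.argv) > 1 else "lib"))
```

Run it from the application root with the application stopped; an empty `still_vulnerable` list confirms the class is gone from every bundled log4j-core JAR.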
The remediation activities conducted over the course of the past week, December 10-17, represent proactive efforts to avert and defend customer systems and data against the immediate threat posed by the Log4Shell RCE vulnerabilities. We continue to monitor all systems as standard procedure and will adjust our incident response if necessary.
The Information Security, Operations, and Engineering groups at Vendavo are aware of the vulnerability and actively conducting an in-depth review of all products and environments.
The following products underwent immediate remediation via configuration changes that effectively disabled the vulnerability, blocking any potential attacks. As of December 17, 2021, all supported major versions of these products have been patched with the latest version of the Log4j library (2.16.0), which disables the vulnerable code by default.
- EPS (Profit Analyzer, Price Manager, Deal Manager, Deal Guide, Price Optimization Manager, Business Risk Alerts)
- Pricepoint (Visual Analytics)
The following products are not exposed to the vulnerability since they have no dependency on the affected versions of the Log4j library (2.0-beta9 to 2.15.0).
- Intelligent CPQ
- Pricepoint (Price Management, Deal Management)
- Deal Price Guidance & Deal Price Optimizer
- Margin Bridge Analyzer
- Sales Optimizer
- Commercial Analytics