NetBrain uses an affected version of the log4j2 library in two components of the solution: the Task Engine, which runs on Windows, and Elasticsearch, a third-party component that runs on Linux. This announcement describes upgrade procedures for all affected versions of NetBrain Integrated Edition.
For the Windows-based Task Engine service, it is not clear whether, or how, a remote malicious agent could exploit this vulnerability on NetBrain Integrated Edition (NBIE) through the logging interface, given how the system manages logs and how few components of the system use log4j2.
For Elasticsearch, the ES team has stated that the product is not susceptible to remote code execution with this vulnerability due to the use of the Java Security Manager.
Given the nature and severity of the vulnerabilities reported in CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105, NetBrain is, out of an abundance of caution, providing procedures to upgrade the affected library to the currently known fully remediated version (log4j2 version 2.17.0).
Affected NBIE Versions:
- Integrated Edition 7.0b, 7.0b1
- All 7.1x versions up to and including 7.1a2
- All 8.0.x versions up to and including 8.0.3
- All 10.x versions up to and including 10.0a
Unaffected Versions Information:
All Versions of NetBrain Integrated Edition Software Prior to Integrated Edition 7.0b.
What You Need To Do
Our Security Team has completed its evaluation of CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 and has posted a security advisory in the NetBrain Customer Portal. The advisory describes the impacted components in the NetBrain Integrated Edition platform along with the necessary remediation steps.