Log4j: as it relates both outside and inside of the Infor SunSystems realm.
You know an identified security vulnerability is a real concern when it’s not only publicised on IT news sites but also mainstream news sites like CNN.
To give some background to this article and the wider issue: Log4j is an open-source logging library written in Java, created by Apache Software Foundation developers to run across three platforms: macOS, Windows, and Linux. It lets developers build a “log”, or record of activity, into their programs to troubleshoot issues or even track data. Because it is free and open source, it was adopted as the logging library in software across the globe, which is what gave the vulnerability such wide reach.
Even the true Apple Mac lovers and techies who continuously boast about how safe Macs and Linux are, and stress that they need not worry about security vulnerabilities and viruses, were caught off guard. Products from big-name technology vendors like Cisco, IBM, VMware, and Microsoft-owned Minecraft have all been impacted by the Log4j vulnerability.
Infor, likewise, had product suites impacted, including specific versions of SunSystems. Ironically, in this exceptional circumstance it was the later versions, SunSystems 6.3 patch 21 and greater and SunSystems 6.4, that were impacted, because those were the versions that started using the Log4j releases affected by the identified vulnerability; older versions of SunSystems were not affected.
This link outlines the Log4j file versions and the different security vulnerabilities identified. The main concern is the Remote Code Execution vulnerability, with a severity rating of ‘critical’ and the highest possible score of 10.
Professional Advantage promptly contacted all clients on the affected versions of SunSystems, and advised and assisted them in installing a quickly released emergency patch from Infor to address the main critical Remote Code Execution vulnerability. This updated the Log4j file used by SunSystems to version 2.15. During the 2021-2022 Christmas break, Infor released the latest patchset levels for SunSystems 6.3 (patchset 49) and SunSystems 6.4 (patchset 28), both of which install Log4j version 2.17. Applying these later patchsets does involve removing the emergency patchset first if it has already been applied.
So, what are some of the main general lessons learnt from the Log4j situation?
- To successfully exploit the Log4j vulnerability, the attacker must be able to instruct the vulnerable host to download Java classes from a host they control. That means the vulnerable host must be able to establish an outbound LDAP connection to the system where the classes are hosted, usually on the Internet. Tight network security with restrictive outbound firewall rules mitigates this risk. It is important to ensure that a proper technical planning session is performed for all new implementations and upgrades of SunSystems. All on-premises SunSystems implementations are hosted internally only and are not internet facing. There may be a genuine need to open an outbound LDAP connection from an internet-facing server to interface with another system, but even then the firewall rules should only allow the connection to the specific, authorised endpoint that the interfacing application requires.
- Traceability, and understanding which software uses other software components as building blocks, is important. Applications are often assembled from building-block components such as Apache’s Java libraries, and SunSystems version 6 is one such application. Commonly, rather than proactively knowing what components make up an application, it is only when a critical security vulnerability is raised that action is taken to put systems in place to track the software inventory, identify the components and versions used by each application, and determine whether they are impacted.
- As mentioned, this Log4j security vulnerability did not impact the older versions of SunSystems, so clients on older versions can count their blessings. However, not keeping up to date with the latest versions of operating systems and applications can expose many more vulnerabilities. Clients on the later SunSystems versions still have a more secure, Microsoft-supported operating system with updates, and a more robust and secure application tech stack for SunSystems that can use non-standard SQL ports, SQL Server Always On features, encryption, and HTTPS certificates. Being on the latest SunSystems versions provides peace of mind that the system environment is proactively being updated and kept secure by Microsoft updates, and that the application versioning allows agile, dynamic patching to be undertaken as required to mitigate security vulnerabilities.
- Explaining to children that they cannot play on their Minecraft server because of a security vulnerability until a fix is applied can be a more daunting task than explaining to clients the importance of taking the necessary steps to patch or close security vulnerabilities in their systems, even when those systems are not internet facing.
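As an added example of the kind of component inventory the second lesson above calls for (this is not Professional Advantage's or Infor's code), the Python scan below finds every log4j-core jar under an install directory, reads its version from the jar manifest (falling back to the file name), and flags anything below 2.17, the version the patchsets mentioned above install. The install paths and jar contents are constructed fixtures, and the 2.17 floor is taken from this article's patchset note rather than from a vendor advisory, so adjust it to your own vendor guidance.

```python
import os
import re
import tempfile
import zipfile

# Assumption: this article says Infor's latest patchsets ship Log4j 2.17, so that is the floor here.
MIN_SAFE = (2, 17, 0)

def parse_version(text):
    """Turn '2.14.1' (or '2.15') into a comparable tuple, padded to three parts."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def jar_version(jar_path):
    """Read Implementation-Version from the jar manifest; fall back to the file name."""
    with zipfile.ZipFile(jar_path) as zf:
        raw = zf.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in zf.namelist() else b""
    m = re.search(r"^Implementation-Version:\s*(\S+)", raw.decode("utf-8", "replace"), re.M)
    if m:
        return m.group(1)
    m = re.search(r"log4j-core-(\d[\d.]*\d)\.jar$", os.path.basename(jar_path), re.I)
    return m.group(1) if m else "unknown"

def scan_tree(root):
    """Walk an install tree; return (path, version, patched) for every log4j-core jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().startswith("log4j-core") and name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                ver = jar_version(path)
                # An unreadable version counts as unpatched so it gets a manual look.
                patched = ver != "unknown" and parse_version(ver) >= MIN_SAFE
                findings.append((path, ver, patched))
    return findings

def make_sample_jar(path, version=None):
    """Constructed fixture: a minimal jar, optionally with a manifest declaring a version."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")

def demo():
    """Build a constructed install tree (old, unlabelled and patched jars) and scan it."""
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(root, "lib", "log4j-core-2.15.0.jar"))  # no manifest at all
    make_sample_jar(os.path.join(root, "web", "WEB-INF", "lib", "log4j-core-2.17.0.jar"), "2.17.0")
    return {os.path.basename(p): (v, ok) for p, v, ok in scan_tree(root)}
```

Point `scan_tree` at a real SunSystems or application server install root to get the same `(path, version, patched)` tuples for every jar it finds; `demo()` only exercises it on the constructed tree.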
If you were affected by the Log4j security vulnerability and have questions, feel free to reach out to us at Professional Advantage.