Vulnerabilities in Apache Log4j Library affecting ETAS Products

First released: 2021-12-10

Last updated: 2022-04-26

Status: final

Summary

Critical Vulnerabilities in Apache Log4j Java Logging Library

Starting December 9th 2021, a number of vulnerabilities in the Apache Log4j Java logging library were released.

On December 9th 2021, the following critical vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions earlier than 2.15.0 was disclosed:

  • CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

On December 14th 2021, the following critical vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions earlier and including 2.15.0 was disclosed:

  • CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

On December 18th 2021, another vulnerability in the Apache Log4j Java logging library affecting versions 2.16 and earlier was disclosed:

  • CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation

On December 28th 2021, another vulnerability in the Apache Log4j Java logging library affecting versions 2.17 and earlier was disclosed:

  • CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

Additionally, further vulnerabilities in Apache Log4j 1.2 were documented (e.g. CVE-2021-4104). 

ETAS's Response to These Vulnerabilities

All ETAS SaaS offerings have been analyzed and updated where applicable. No systems were compromised. This includes Escrypt KMS.Classic, KMS.Cloud and KMS.FOTA. 

Affected Products

SaaS Offerings

All ETAS SaaS offerings have been analyzed and updated where applicable. No systems were compromised. This includes ESCRYPT KMS.Classic, KMS.Cloud and KMS.FOTA.

Vulnerable Products

Product/Service Report Hotfix Fixed Release

Data Acquisition and Processing

ASCMO

ASCMO Report

Described in Report

5.9

EATB

EATB KIR

Update to version specified in KIR

5.3

Development Tools

COSYM HIL
COSYM SIL
Addon COSYM CAR

COSYM KIR

Described in KIR

3.1

EHANDBOOK Container-Build
EHANDBOOK Unified Graphics Generator (UGG)
EHANDBOOK Container-Build Toolbox for Simulink

EHANDBOOK KIR

Update to 9.0 or newer

9.0

Vehicle OS

ISOLAR-A/B, which includes:
- ISOLAR-A
- ISOLAR-A_ECUEXTR
- ISOLAR-A_ADAPTIVE
- ISOLAR-B
- ISOLAR-A_LX
- ISOLAR-A_ADAPTIVE_LX
- ISOLAR-B_LX

ISOLAR KIR

Described in KIR

9.2.1

ISOLAR-EVE

ISOLAR-EVE KIR

Hotfix description

Products Confirmed Not Vulnerable

Update 2022-01-31: All ETAS products not explicitly listed above are confirmed to be not vulnerable in regard to this advisory. This includes:

Data Acquisition and Processing

  • EHOOKS
    • EHOOKS-CAL
    • EHOOKS-BYP
  • INCA
    • INCA-EIP
    • INCA-FLEXRAY
    • INCA-LIN
    • INCA-MCE
    • INCA-MIP
    • INCA-QM-BASIC
    • INCA-TOUCH
    • ODX-LINK
  • INCA-FLOW
  • INCA-RDE
  • INTERCRIO
    • INTECRIO-IP
    • INTECRIO-VP
    • INTECRIO-RP
    • INTECRIO-RLINK
  • MDA
  • MDF-IP
  • XCP-IP

Development Tools

  • ASCET
    • LABCAR-MODEL
    • SCODE

    Vehicle OS

    • RTA
      • RTA-CAR
      • RTA-OS
      • RTA-RTE
      • RTA-BSW
      • RTA-FBL
      • RTA-VRTE
      • RTA-LWHVR
      • RTA-SUM
      • MCAL-IFX