Chat with us
Loader
Establishing connection, please wait while we connect you.

COMING SOON: Product-Focused Search and Guided Navigation for improved access to product support. Thank you for your feedback and stay tuned!

Apache Log4j 2 Vulnerability (CVE-2021-44228) Information / [CVE-2021-45046 (Dec 14, 2021)]

Zebra Technologies is actively following the security vulnerability in the open-source Apache “Log4j 2" utility (CVE-2021-44228). We are currently assessing the potential impact of the vulnerability for Zebra products and solutions. This is an ongoing event, and we will continue to provide updates through our customer communications channels. Our support page will be updated to include relevant information as it becomes available.

Background: The Apache Log4j utility is a commonly used component for logging requests. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j version 2.14.1 or below to be compromised and allow an attacker to execute arbitrary code.

On December 10, 2021, NIST published a critical Common Vulnerabilities and Exposure alert, CVE-2021-44228. More specifically, Java Naming Directory Interface (JNDI) features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.

CVE-2021-45046 (Dec 14, 2021)

Description:  It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

What should I do to protect myself?

We strongly encourage customers to consult with their SW vendors and obtain patches and update as soon as possible for all impacted SW applications

For internally developed servers or applications we strongly encourage customers who manage environments containing Log4j 2 to update to version Log4j 2.15.0 or later per Apache's guidance https://logging.apache.org/log4j/2.x/

Support Pages For Impacted Products:

Affected ProductCVE-2021-44228 (Apache Log4j 2)DateCVE-2021-45046Date
Visibility IQ (VIQF)Limited exposure to this vulnerability; remediation completeRemediated
Dec 12th, 2021
Not affectedN/A
SOTI MobiControl v 14.3 to 15.4.1 – Hosted EnvironmentsLimited exposure to this vulnerability.  Engineering is actively working to resolveRemediated
Dec 22nd, 2021
Limited exposure to this vulnerability.  Engineering is actively working to resolveRemediated
Dec 22nd, 2021
PTT Pro Windows/Desktop (G1, G2)Upon continued assessment of vulnerability the following Workforce Connect (WFC) products have been determined to not be impacted by this vulnerabilityN/AUpon continued assessment of vulnerability the following Workforce Connect (WFC) products have been determined to not be impacted by this vulnerabilityN/A
Zebra Enterprise MessagingAfter investigation; using version not impacted by this vulnerability.Remediated
Dec 15, 2021
Not affected N/A
FetchLimited exposure to this vulnerability. Engineering mitigated issueRemediated
Dec 12th, 2021

Limited exposure to this vulnerability.  Engineering is actively working to resolveUpon continued assessment of the vulnerability, this product have been determined to not be impacted.
ReflexisFull exposure to this vulnerability; Engineering is actively working to resolveRemediated Dec 29th, 2021Full exposure to this vulnerability; Engineering is actively working to resolve
Remediated Jan 7th, 2022
Visibility Server Software (ZLS)After investigation; using version not impacted by this vulnerability.Remediated
Dec 14, 2021
After investigation; using version not impacted by this vulnerability. N/A
MotionWorks Enterprise (ZLS)Remediated vulnerability by setting -Dlog4j2.formatMsgNoLookups=true when starting JVMRemediated
Dec 14, 2021
Low Risk - The components use log4j will only receive requests when the user is authenticated. They do not log arbitrary user inputs. Remediated
Dec 19, 2021
Zebra Profitect (ZPA)Limited exposure to this vulnerability. Engineering as removed IntelliJ and Log4J to remediateRemediated
Dec 10th, 2021
Not affected N/A
Printer Profile Manager Enterprise (PPME)

Not impacted by this vulnerability.

Version 3.2.7563 and later removes and/or updates files and components related to Log4j.

Visit the support page.

Updated Feb 8th, 2021

Not impacted by this vulnerability. 

Version 3.2.7563 and later removes and/or updates files and components related to Log4j.

Visit the support page.

Updated Feb 8th, 2021

Disclaimer: Zebra makes every attempt to release security updates on or about the time that Google releases its respective security bulletin. However, delivery time of security updates may vary depending on the region, product model, and third party software suppliers. Under some circumstances, the OS must be updated to the latest maintenance release prior to installing the security updates. Individual product updates will provide specific guidance.

Unless otherwise noted, there have been no reports of active customer exploitation or abuse from these newly reported issues.



Are you aware of a potential security issue with a Zebra Technologies product?