
Varnish Administration Console Log4j2 CVE-2021-44228 and CVE-2021-45046 Security

Published December 13, 2021.

Updated December 15, 2021.

Overview

Two vulnerabilities have been discovered in the logging library Log4j2 which is used by Varnish Administration Console. These are identified as CVE-2021-44228 and CVE-2021-45046. Note that no other products from Varnish Software are affected by the same CVEs.

An earlier version of this advisory stated that setting the log4j2.formatMsgNoLookups=true parameter was a sufficient workaround for affected versions of Varnish Administration Console. As security researchers have continued to explore the vulnerabilities, it has become clear that this workaround is not sufficient.

Impact

Varnish Administration Console installations that are exposed to the Internet are at risk. An attacker can send a crafted message to Varnish Administration Console and execute arbitrary code via the log4j2 library.

Status

Affected software versions

  • Varnish Administration Console, all versions up to and including 3.9.0-2.

Resolved In

  • Varnish Administration Console 3.9.1

Solution

The solution is to upgrade Varnish Administration Console to version 3.9.1, and then ensure that Varnish Administration Console is restarted. The restart is done using:

$ sudo systemctl restart vac

Workaround

If upgrading to Varnish Administration Console 3.9.1 is not possible, a workaround is to replace the offending files in /opt/vac/lib/. Delete the files log4j-api-2.13.3.jar and log4j-core-2.13.3.jar (versions may differ) and replace them with the corresponding files from apache-log4j-2.16.0-bin.tar.gz (SHA256 d4a5135c761abdc50690d0d4f17759228761f7296361dd14df130913c215879c). These files are log4j-1.2-api-2.16.0.jar and log4j-core-2.16.0.jar. The same replacement must also be applied to the log4j files inside the /opt/vac/lib/vac.war archive.

This is the recommended workaround for all versions of Varnish Administration Console if an upgrade to version 3.9.1 is not possible.
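Before and after applying the workaround above, an administrator will want to confirm which log4j-core jars are actually present, both loose in the library directory and packed inside the war archive, and whether they predate the 2.16.0 release. The following is an added Python example, not Varnish Software's code: it verifies a downloaded tarball against the SHA256 given in this advisory, and walks a directory tree (recursing into .war/.jar archives) reporting every log4j-core jar older than 2.16.0. The sample directory it builds is constructed to stand in for /opt/vac/lib so the script runs without a real installation; the function names are my own.

```python
import hashlib
import io
import os
import re
import tempfile
import zipfile

# Fixed Log4j2 release named in the advisory; anything older is reported.
FIXED_VERSION = (2, 16, 0)
# SHA256 of apache-log4j-2.16.0-bin.tar.gz as stated in the advisory.
ADVISORY_TARBALL_SHA256 = "d4a5135c761abdc50690d0d4f17759228761f7296361dd14df130913c215879c"
CORE_JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".zip")


def parse_core_version(name):
    """Return (major, minor, patch) for a log4j-core jar name, else None."""
    m = CORE_JAR_RE.search(name)
    return tuple(int(x) for x in m.groups()) if m else None


def predates_fix(version):
    """True when the jar version is older than the advisory's fixed release."""
    return version < FIXED_VERSION


def sha256_matches(path, expected=ADVISORY_TARBALL_SHA256):
    """Check a downloaded file against the expected digest before unpacking it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected.lower()


def scan_archive_bytes(data, label):
    """Walk a zip-format archive (jar/war) and recurse into nested archives,
    reporting every log4j-core jar found, e.g. WEB-INF/lib inside vac.war."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, nothing to look inside
    with zf:
        for info in zf.infolist():
            inner = f"{label}!{info.filename}"
            version = parse_core_version(info.filename)
            if version:
                findings.append({"path": inner, "version": version,
                                 "vulnerable": predates_fix(version)})
            elif info.filename.endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive_bytes(zf.read(info), inner))
    return findings


def scan_directory(root):
    """Scan a directory tree such as /opt/vac/lib for log4j-core jars, both
    loose on disk and packed inside war/jar archives."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            version = parse_core_version(fn)
            if version:
                findings.append({"path": path, "version": version,
                                 "vulnerable": predates_fix(version)})
            elif fn.endswith(ARCHIVE_SUFFIXES):
                with open(path, "rb") as f:
                    findings.extend(scan_archive_bytes(f.read(), path))
    return findings


def make_stub_jar():
    """Constructed stand-in for a jar: a zip holding only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_sample_lib_dir():
    """Constructed layout mimicking /opt/vac/lib: a loose pre-fix log4j-core jar
    and a vac.war that bundles the same jar under WEB-INF/lib."""
    root = tempfile.mkdtemp(prefix="vac-lib-")
    stub = make_stub_jar()
    with open(os.path.join(root, "log4j-core-2.13.3.jar"), "wb") as f:
        f.write(stub)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", stub)
        zf.writestr("WEB-INF/lib/log4j-api-2.13.3.jar", stub)
    with open(os.path.join(root, "vac.war"), "wb") as f:
        f.write(war.getvalue())
    return root


if __name__ == "__main__":
    for finding in scan_directory(build_sample_lib_dir()):
        status = "VULNERABLE" if finding["vulnerable"] else "ok"
        print(f"{status:10} {finding['path']} version={finding['version']}")
```

Run against the real installation with `scan_directory("/opt/vac/lib")` after swapping the jars on disk and inside vac.war; an empty result means no log4j-core jar older than 2.16.0 remains. The scan only inspects files, so the `systemctl restart vac` step from the Solution section is still needed for the running service to pick up the new jars.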

Timeline

2021-12-10

  • Public advisory for CVE-2021-44228 published.

2021-12-13

  • Varnish Administration Console 3.9.0-2 released with a workaround to mitigate CVE-2021-44228.
  • This advisory was initially published.

2021-12-14

  • Public advisory for CVE-2021-45046 published.

2021-12-15

  • Varnish Administration Console 3.9.1 released with updated Log4j2, mitigating both vulnerabilities.
  • This advisory was updated accordingly.

References