Security Notice – Statement About Apache Log4j2 Vulnerabilities

Huawei has noticed that since December 9, the Apache official website has disclosed the Apache Log4j2 remote code execution vulnerability CVE-2021-44228, followed by the CVE-2021-45046 and CVE-2021-45105 vulnerabilities.

These vulnerabilities can be remotely exploited. To prevent these vulnerabilities, you are advised to immediately deploy protection mechanisms, such as firewall, on devices directly exposed to the Internet. If you have deployed Huawei Next-Generation Firewall (NGFW) or data center firewall products, you can upgrade the IPS signature database to the latest version (IPS_H20011000_2021122200) released on December 22, 2021 to detect and defend against network-layer attacks.

Huawei is in an ongoing investigation. This SN is released based on Huawei's current investigation results and is subject to changes. Huawei PSIRT will update this SN as new information emerges, Please stay tuned.

For products that have released software updates to fix these vulnerabilities, Huawei will release and update the Security Advisory (SA) at: https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20211215-01-log4j-en

Common Questions:

1.What are the impacts of the three Log4j2 vulnerabilities?

December 9: In some Apache Log4j2 versions, the JNDI function may be abused due to insufficient JNDI protection. (CVE ID: CVE-2021-44228)

December 14: This vulnerability could bypass the fix to the CVE-2021-44228 vulnerability. As a result, the JNDI function may still be abused in some special configurations. (CVE ID: CVE-2021-45046)

December 18: Some Apache Log4j2 versions did not protect from uncontrolled recursion from self-referential lookups. (CVE ID: CVE-2021-45105)

For description of these vulnerabilities, see the Apache Log4j2 Security Vulnerabilities page at https://logging.apache.org/log4j/2.x/security.html.

2. Which Huawei products are affected by these vulnerabilities?

Huawei uses common standards in the industry, assess the severity of vulnerabilities to reflect the real impact of the vulnerabilities, based on the methods and scenarios of integrating third-party software into Huawei products. Up to now, scenarios where Huawei products directly use the Log4j2 software have been assessed.

As a piece of underlying open-source software, Log4j2 is used by a large number of other open-source software (such as Apache Solr and Apache Flink) and Huawei's suppliers. We are actively communicating and cooperating with the community and suppliers to further assess the potential impact on Huawei products.

In the entire vulnerability handling process, Huawei shall strictly control the scope of vulnerability information and transfer the information only between necessary personnel who handle the vulnerabilities. In line with the principle of reducing harm and risks, carrier customers can contact the Carrier TAC, enterprise customers can contact the Enterprise TAC and partners can log in to the Support-E website to query the impact details.

3. How will Huawei support you in vulnerability mitigation?

Huawei's top priority is to provide patches/versions as soon as possible to fix these vulnerabilities, and preferentiality upgrade to Apache Log4j 2.17.0 to completely fix the vulnerabilities. So far, almost all affected Huawei products provided with patching plans or have been patched, and most of the products have provided temporary mitigation measures to minimize the impact. For the patch plans and mitigation measures, carrier customers can contact the Carrier TAC, enterprise customers can contact the Enterprise TAC and partners can log in to the Support-E website to query the details.

In addition, Huawei recommends that you take appropriate security protection measures based on risk assessment to mitigate the impact of vulnerabilities.For assets directly exposed to the Internet, you are advised to immediately deploy protection mechanisms (such as firewall, WAF, and RASP) and promptly take mitigation measures for corresponding products to reduce the impact of the vulnerabilities. Finally,you need to install the patches/versions to completely fix the vulnerabilities. For intranet assets, we suggest that you assess the risks based on the asset importance, threat information, and severity, and preferentially deploy protection mechanisms (such as RASP) and product mitigation measures. After the patches/versions are released, you should install them.

If you have deployed Huawei Next-Generation Firewall (NGFW) or data center firewall products, you can upgrade the IPS signature database to the latest version (IPS_H20011000_2021122200) released on December 22, 2021 to detect and defend against network-layer attacks. If you are tenant on Cloud, Huawei has provided security protection cloud services, such as vulnerability detection and blocking. To further help tenants mitigate risks, Huawei allows its enants to enjoy the one-month free use of the WAF protection service to help them secure their applications and win more time for vulnerability fixing.

4. Will Huawei provide support for EOS products?

Huawei is dedicated to providing patches or version updates for non-EOS products and will not provide information about EOS versions in security bulletins.

5. Has Huawei detected vulnerability exploits?

Huawei PSIRT is aware that the industry has disclosed the exploit code of the Apache Log4j2 vulnerabilities. We recommend that carrier customers contact the Carrier TAC, enterprise customers contact the Enterprise TAC and partners log in to the Support-E website to obtain mitigation suggestions.

Huawei has deployed security protection mechanisms, such as firewall, WAF, and RASP, on its own IT network immediately to protect the system and network. So far, Huawei has not detected any successful attempt to exploit these vulnerabilities on Huawei networks.

6. Are Huawei Cloud services affected?

Huawei Cloud services have immediately deployed security protection mechanisms such as WAF to protect systems and networks. Currently, all attack attempts are blocked, and the cloud services are running properly.

For tenants on Cloud, Huawei has promptly released the vulnerability notification and provided security protection cloud services, such as vulnerability detection and blocking. To further help cloud tenants mitigate risks, Huawei allows its cloud tenants to enjoy the one-month free use of the WAF protection service to help them secure their applications and win more time for vulnerability fixing.