Notices and updates about current CVEs
Please see the release notes for each ConsoleWorks release before upgrading; more detailed information is found there.
https://support.tditechnologies.com/product-documentation
This list covers the CVEs that our customers have asked about because they are concerned about a particular vulnerability or set of vulnerabilities.
Update 05/10/2022 ConsoleWorks Security Notice for OpenSSL CVEs
TDi would like to make all customers aware of the following CVEs against OpenSSL and of ConsoleWorks' exposure to each.
(CVE-2022-0778) - Low. This flaw (an infinite loop in BN_mod_sqrt() when OpenSSL parses a certificate or key with invalid explicit elliptic-curve parameters) has a small attack surface for ConsoleWorks: it would only be reachable if the target device's certificate were compromised first, and ConsoleWorks does not consume client certificates. TDi therefore rates this Low for ConsoleWorks.
(CVE-2022-1292) - Not vulnerable - ConsoleWorks does not provide or use c_rehash script.
(CVE-2022-1343) - Not vulnerable - ConsoleWorks does not call OCSP_basic_verify with the non-default OCSP_NOCHECKS flag that this issue requires.
(CVE-2022-1434) - Not vulnerable - ConsoleWorks does not use OpenSSL v3.0
(CVE-2022-1473) - Not vulnerable - OpenSSL 1.1.1 is not affected.
(CVE-2021-4160) - Not vulnerable - ConsoleWorks does not run on MIPS architecture.
We will include the most current OpenSSL 3.0.x release in ConsoleWorks 5.5-0u0, which is expected this quarter.
As always, library information for your installation of ConsoleWorks can be viewed within the ConsoleWorks interface on the HELP > About page.
Update 02/21/2022 regarding Expat CVEs
Expat is an open source library used to provide the XML import capability of the ConsoleWorks application. Expat 2.4.6 has been released to deliver several bug fixes related to recently published CVEs.
1. CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8 sequences
TDi Assessment: ConsoleWorks is affected.
Exploits achieving code execution are known to exist for this vulnerability.
2. CVE-2022-25236 -- Passing (one or more) namespace separator characters
TDi Assessment: ConsoleWorks is affected.
Exploits achieving code execution are known to exist for this vulnerability.
3. CVE-2022-25313, CVE-2022-25314, CVE-2022-25315
TDi Assessment: ConsoleWorks is not at risk.
TDi is currently incorporating version 2.4.6 of Expat into a new release of ConsoleWorks 5.4 and will make it available to customers very soon. A notification will be sent to all customers once this release is available on the TDi Support site. Until the update is available and can be installed, TDi strongly urges customers to limit access to the XML Import feature within ConsoleWorks in their environments; access to XML Import is controlled through Access Control Rules. Please contact TDi Support if you require assistance with securing your environment.
Library information for your installation of ConsoleWorks can be viewed within the ConsoleWorks interface on the HELP > About page.
For more information about the CVEs mentioned above, please visit the National Vulnerability Database - https://nvd.nist.gov/
Update 02/17/2022 regarding Cassandra
CVE-2021-44521 - Cassandra security issue
ConsoleWorks does not configure Cassandra to enable the user-defined functions (UDFs) described in the above CVE, so this vulnerability does not affect our installation.
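For customers who want to confirm that statement on their own server rather than take it on trust, the following is an added example (it is not TDi's code and not part of ConsoleWorks). CVE-2021-44521 is only reachable when three cassandra.yaml settings are set together: enable_user_defined_functions: true, enable_scripted_user_defined_functions: true and enable_user_defined_functions_threads: false. The script reads a cassandra.yaml, falls back to Cassandra's shipped defaults for any key that is absent or commented out, and reports whether that combination is present. The two YAML snippets inside it are constructed samples, not ConsoleWorks files; the path to the real cassandra.yaml on your server is an assumption you must supply.

```python
"""Check a cassandra.yaml for the configuration that makes CVE-2021-44521 reachable.

Configuration state only: the CVE also requires an unpatched Cassandra
(fixed in 3.0.26, 3.11.12 and 4.0.2), so check the version separately.
"""
import re

# All three must hold together for the CVE to be reachable.
VULNERABLE_COMBINATION = {
    "enable_user_defined_functions": True,
    "enable_scripted_user_defined_functions": True,
    "enable_user_defined_functions_threads": False,
}

# Cassandra's own defaults when a key is missing or commented out.
DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

# Top-level "key: true|false" with an optional trailing comment.
_TOP_LEVEL_BOOL = re.compile(
    r"^([A-Za-z_][A-Za-z0-9_]*):\s*(true|false)\s*(?:#.*)?$", re.IGNORECASE
)


def parse_udf_settings(yaml_text):
    """Return the three UDF-related settings, defaulting any that are not set.

    The UDF keys are top-level booleans, so a deliberately small parser is
    enough: indented lines (nested keys) and comment lines are skipped.
    """
    settings = dict(DEFAULTS)
    for raw in yaml_text.splitlines():
        if not raw or raw[:1].isspace() or raw.lstrip().startswith("#"):
            continue
        match = _TOP_LEVEL_BOOL.match(raw)
        if match and match.group(1) in settings:
            settings[match.group(1)] = match.group(2).lower() == "true"
    return settings


def is_cve_2021_44521_exposed(yaml_text):
    """True only when every setting matches the vulnerable combination."""
    settings = parse_udf_settings(yaml_text)
    return all(settings[key] == value for key, value in VULNERABLE_COMBINATION.items())


# Constructed sample inputs (not real ConsoleWorks configuration files).
SAFE_DEFAULT_YAML = """\
cluster_name: 'Test Cluster'
# UDFs left disabled, which is Cassandra's shipped default
enable_user_defined_functions: false
enable_scripted_user_defined_functions: false
"""

EXPOSED_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false   # UDFs run in the daemon thread
"""

# Scripted UDFs on, but the thread guard is still on: the CVE's precondition fails.
GUARDED_YAML = """\
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
"""


def check_file(path):
    """Read a cassandra.yaml from disk and return the exposure verdict."""
    with open(path, encoding="utf-8") as fh:
        return is_cve_2021_44521_exposed(fh.read())


if __name__ == "__main__":
    # Assumed path; substitute the cassandra.yaml of your ConsoleWorks install.
    print("exposed" if check_file("/etc/cassandra/cassandra.yaml") else "not exposed")
```

If the verdict is "exposed" on a ConsoleWorks server, the configuration has been changed from what ConsoleWorks ships, and the Cassandra version should be compared against the fixed releases named in the script.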
Update 2/10/22 ConsoleWorks Security Notice - Log4j Update
Update on Log4j version 1 CVEs.
As stated before, we continually monitor the published issues and vulnerabilities related to Log4j. We have recently become aware of new CVEs related to the use of Log4j version 1.2.17 in Apache Spark version 2.3.1, which is installed with ConsoleWorks as part of our CWScriptDatabase feature.
1. CVE-2021-4104: JMSAppender deserialization of untrusted data
2. CVE-2022-23302: JMSSink deserialization of untrusted data
3. CVE-2019-17571: SocketServer class vulnerable to deserialization of untrusted data
4. CVE-2020-9493 and CVE-2022-23307: deserialization issues in Apache Chainsaw
5. CVE-2022-23305: allowing unintended SQL queries to be executed
6. CVE-2020-9488: SMTP appender improper validation of certificate with host mismatch
TDi is currently incorporating log4j 2.17.1 into the CWScriptDatabase for a new release of ConsoleWorks 5.4 to address the above CVEs. This update will not include a new version of Apache Spark, which has not yet been released. Until an updated version of Apache Spark can be included in a new release of ConsoleWorks, TDi will patch the currently included version with the reload4j library. The reload4j project is a fork of Apache log4j version 1.2.17 intended to fix its most pressing security issues.
Until ConsoleWorks 5.4-0u4 is made available and can be installed in your environment, TDi recommends the following measures for securing your ConsoleWorks server.
Security – While these vulnerabilities exist within the application, TDi recommends that customers shut down the CWScriptDatabase service using the following instructions.
In the ConsoleWorks user interface, under ADMIN: Server Management: CWScript Database, click the Stop button and de-select the Auto-Start check box. On Windows systems, also open the Windows Services console and set the Cassandra and Spark services to Disabled.
These steps will not prevent system scanners from finding the Log4j files, but with the services stopped the affected code is no longer running, which protects the server from these vulnerabilities.
Further Security – If you want additional assurance, and to stop system scanners from flagging the log4j files, you can take the extra step of removing the CWScriptDatabase, Cassandra, and Spark applications from your ConsoleWorks installation.
With the files gone, vulnerability scanners will report your ConsoleWorks server as clean and bad actors cannot make use of the Log4j flaws on it. You will need to repeat these steps after each ConsoleWorks upgrade until we can include the released version of Apache Spark 3.3.0 or greater with ConsoleWorks. This of course depends on the Apache Spark release schedule; we have contacted the Spark project to try to move this along sooner rather than later.
Instructions for Removal of Software
On all systems do the following first to stop the associated processes:
Go to ADMIN: Server Management: CWScript Database.
Click the Stop button, de-select the Auto-Start check box, and click Save.
Windows:
In Windows Control Panel: Programs and Features, remove CWScriptDatabase, then Spark, then Cassandra.
You will need to repeat this at each ConsoleWorks upgrade until the Log4j issue is resolved in ConsoleWorks.
Linux:
The following example output is partial; yours will be complete.
[root@YourServer ~]# yum remove ConsoleWorksCWScriptDatabase.x86_64
....
Installed size: 58 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing : ConsoleWorksCWScriptDatabase-1.0-2.x86_64 1/1
Verifying : ConsoleWorksCWScriptDatabase-1.0-2.x86_64 1/1
Removed:
ConsoleWorksCWScriptDatabase.x86_64 0:1.0-2
[root@YourServer ~]# yum remove ConsoleWorksSpark
….
Installed size: 244 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing : ConsoleWorksSpark-2.3-1.x86_64 1/1
Verifying : ConsoleWorksSpark-2.3-1.x86_64 1/1
Removed:
ConsoleWorksSpark.x86_64 0:2.3-1
Complete!
[root@YourServer ~]# yum remove ConsoleWorksCassandra
….
Installed size: 35 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing : ConsoleWorksCassandra-3.11-11.x86_64 1/1
Verifying : ConsoleWorksCassandra-3.11-11.x86_64 1/1
Removed:
ConsoleWorksCassandra.x86_64 0:3.11-11
Complete!
You will need to repeat this at each ConsoleWorks upgrade until the Log4j issue is resolved in ConsoleWorks.
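After stopping or removing the services, a practitioner will want to verify what Log4j 1.x material is actually left on disk, and in particular whether the classes behind the six CVEs listed in this notice are still present in any jar (the reload4j replacement and some hardening approaches leave a jar in place but without some of these classes). The following scanner is an added example, not TDi's code and not part of ConsoleWorks: it walks a directory tree, opens every jar, and reports per CVE which of the relevant class entries it contains. The jars it builds in its demo() are constructed stand-ins that carry only entry names, not real log4j jars, and the ConsoleWorks installation directory you point it at is an assumption you supply.

```python
"""Report which Log4j 1.x classes behind the listed CVEs remain in jars under a tree."""
import os
import tempfile
import zipfile

# CVE -> jar entry prefixes (class files) inside log4j-1.2.x that the CVE concerns.
LOG4J1_CVE_CLASSES = {
    "CVE-2021-4104": ["org/apache/log4j/net/JMSAppender"],
    "CVE-2022-23302": ["org/apache/log4j/net/JMSSink"],
    "CVE-2019-17571": ["org/apache/log4j/net/SocketServer"],
    "CVE-2020-9493": ["org/apache/log4j/chainsaw/"],
    "CVE-2022-23307": ["org/apache/log4j/chainsaw/"],
    "CVE-2022-23305": ["org/apache/log4j/jdbc/JDBCAppender"],
    "CVE-2020-9488": ["org/apache/log4j/net/SMTPAppender"],
}


def scan_jar(path):
    """Return {cve: [matching entries]} for one jar; empty dict if nothing matches."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
    found = {}
    for cve, prefixes in LOG4J1_CVE_CLASSES.items():
        hits = sorted(n for n in names if any(n.startswith(p) for p in prefixes))
        if hits:
            found[cve] = hits
    return found


def scan_tree(root):
    """Walk root and return {jar_path: scan_jar(jar_path)} for every jar with a hit."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                hits = scan_jar(path)
            except zipfile.BadZipFile:
                continue  # a .jar that is not a valid zip archive; skip it
            if hits:
                report[path] = hits
    return report


# Entry names of a constructed stand-in for log4j-1.2.17.jar (bodies are empty).
SAMPLE_ENTRIES = [
    "META-INF/MANIFEST.MF",
    "org/apache/log4j/Category.class",
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/JMSSink.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SMTPAppender.class",
    "org/apache/log4j/chainsaw/LoggingReceiver.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
]


def build_sample_jar(path, strip_cve_classes=False):
    """Write a constructed jar; optionally drop every entry a listed CVE concerns."""
    all_prefixes = [p for ps in LOG4J1_CVE_CLASSES.values() for p in ps]
    with zipfile.ZipFile(path, "w") as jar:
        for entry in SAMPLE_ENTRIES:
            if strip_cve_classes and any(entry.startswith(p) for p in all_prefixes):
                continue
            jar.writestr(entry, b"")  # only the names matter to the scan


def demo():
    """Build constructed jars in a temp dir, scan them, return {jar name: hits}."""
    root = tempfile.mkdtemp(prefix="log4j1-scan-")
    build_sample_jar(os.path.join(root, "log4j-1.2.17.jar"))
    build_sample_jar(os.path.join(root, "log4j-1.2.17-stripped.jar"), strip_cve_classes=True)
    with open(os.path.join(root, "bogus.jar"), "w", encoding="utf-8") as fh:
        fh.write("not a zip archive\n")  # exercises the BadZipFile branch
    report = scan_tree(root)
    return {os.path.relpath(path, root): hits for path, hits in report.items()}


if __name__ == "__main__":
    # Assumed install root; point this at your ConsoleWorks installation directory.
    for jar_path, hits in scan_tree("/opt/ConsoleWorks").items():
        for cve, entries in hits.items():
            print(f"{jar_path}: {cve}: {', '.join(entries)}")
```

A jar that appears in the report still contains code that one of the listed CVEs concerns; whether it is reachable depends on the service being running and the appender being configured, which is why the notice above recommends stopping or removing the services rather than relying on file presence alone.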
Update 02/01/2022 regarding Expat CVEs
Expat is an open source library used to provide the XML import capability of the ConsoleWorks application. Expat 2.4.4 has been released to deliver several bug fixes, including two issues related to recently published CVEs: CVE-2022-23852 and CVE-2022-23990.
The updated libraries were released with ConsoleWorks 5.4-0u4.
Update 1/5/22
We've learned that the maintainers of Spark are working on migrating from Log4j 1 to Log4j 2.17.1 at this time, which is in line with mitigating the current CVEs against version 2. We hope to see this version of Spark released soon so that we can download it and begin testing to make sure it integrates properly with ConsoleWorks and its components.
We will of course include any notices of updates to ConsoleWorks in our release notes when it becomes available.
Please check this notice for further updates.
Original Notice
We have been asked whether ConsoleWorks is affected by the Log4j CVEs CVE-2021-44228, CVE-2021-44832, CVE-2021-45105 and CVE-2021-4104.
ConsoleWorks does not directly link to, nor make any calls to, the Log4j v1.x library that is packaged with another library we do link to, Apache Spark. Any update would have to come from the maintainers of Apache Spark.
CVE-2021-44228, CVE-2021-44832 and CVE-2021-45105 are specific to Log4j v2.x and therefore do not apply to the 1.x library shipped with Spark. CVE-2021-4104 concerns the JMSAppender in Log4j 1.x; TDi's handling of the 1.x CVEs is covered in the 2/10/22 update above. If the Spark maintainers were to assess a vulnerability, they would issue a new release; we in turn would then need to update ConsoleWorks and include it in our build.
A further question was raised about the possibility of JNDI calls being used in the 1.x version shipped with Spark, and TDi Engineering found no JNDI calls in that code.