Accessibility Skip to content

Vulnerability in Apache Log4j Affecting Poly Systems

Vulnerability Summary

A critical remote command execution (RCE) vulnerability in Apache Log4j (CVE-2021-44228) was publicly disclosed on December 9th, 2021. Apache has released a patch for vulnerable versions.

Upon notice of the vulnerability, Poly's incident response process was initiated and we have been conducting a thorough investigation to determine which, if any Poly products and services might be subject to this vulnerability.

This effort is a top priority for Poly and we will continue to update this advisory as more information becomes available.

As this is an ongoing investigation, please note that information related to any product or service may be subject to change.

Any product not listed below is still under investigation to determine whether they are affected by this vulnerability.

Published

Last Update: 2/23/2022
Initial Public Release: 12/13/2021
Advisory ID:  PLYGN21-08

CVE ID: CVE-2021-44228
CVSS Score: 10.0
CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CVE-2021-44228: Apache Log4j 
Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Source: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

 

CVE-2021-45046: Apache Log4j

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Source: https://nvd.nist.gov/vuln/detail/CVE-2021-45046

 

CVE-2021-45105: Apache Log4j

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Source: https://nvd.nist.gov/vuln/detail/CVE-2021-45105

 

CVE-2021-44832: Apache Log4j

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Source: https://nvd.nist.gov/vuln/detail/CVE-2021-44832

 

CVE-2022-23307

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Source: https://nvd.nist.gov/vuln/detail/CVE-2022-23307

Product Status

The following have been identified as affected product or service and includes the dates and versions of which we are currently aware (subject to change as investigation continues). If no date or version is currently listed for an affected product or service, we will update this bulletin when our evaluation is complete, and the information is available.

PRODUCT FIX AVAILABILITY
Poly Clariti Core/Edge (a.k.a. DMA/CCE) - 9.0 and above

14-Dec-2021 - Manual configuration change available. Please contact Poly Support.

CCE (a.k.a. DMA) 10.1.0.2 released

Poly Clariti Relay version 1.x Clariti Relay 1.0.2 – released
Poly RealConnect for Microsoft Teams and Skype for Business Mitigations Complete
Cloud Relay (OTD and RealConnect hybrid use case) Mitigations Complete
Plantronics Manager Mitigations Complete
Plantronics Manager Pro Mitigations Complete
Products Identified as Not Vulnerable
PERIPHERALS SOFTWARE AND SERVICES VIDEO CONFERENCING PHONES AND SPEAKERPHONES
EagleEye Director II Poly Clariti Manager (RealPresence Resource Manager / RPRM) ATX300 VVX 150/250/350/450
EagleEye IV Poly RealPresence Collaboration Server (RPCS/RMX) CX7000/CX8000 VVX 150/250/350/450 Obi Software
EagleEye Mini Poly Clariti App Poly G7500 VVX 101/201/300/310/301/311
VVX 400/410/401/411/500/501/600/601
EagleEye Cube Poly Content Connect Poly X30/X50/X70 CX5100/CX5500
Poly Studio E70 Poly RealPresence Desktop Poly G10-T/G40-T/G85-T Poly Rove DECT
Poly Studio Poly RealPresence Mobile Polycom RealPresence Group Series Family SoundStation
Poly P5 Poly Workflow Server Polycom RealPresence Immersive Studio SoundStation IP
Poly P15 Poly Workflow Lite Polycom HDX Family SoundPoint IP
Poly P21 RealPresence Distributed Media Application (DMA 6.x and below) Polycom Pano VoiceStation
Poly TC8 Poly Lens Poly OTX100/OTX300 Obi 300/302/312/504/508
EagleEye Producer PDMS-SP Poly OTX Studio VVX D230
RealPresence Touch PDMS-E Polycom Companion App Poly Edge B10/B20/B30
Eagle Eye IV USB Cloud-OTD Polycom Content App CCX 400/500/600/700
Poly IP Mic RealPresence Access Director (RPAD) Trio C60  
Poly IP Mic Adapter Zero Touch Provisioning Service (ZTP) Trio 8500/Trio 8800  
Poly IP Ceiling Microphone Polycom RealAccess Trio 8300  
  RealPresence Web Suite (RPWS) Trio VisualPro  
HEADSETS Plantronics Hub Desktop (Windows) Visual+  
Wireless and Wired Headsets Plantronics Hub Desktop (Mac) G200  
  Plantronics Hub Mobile (iOS) RealPresence Centro  
  Plantronics Hub Mobile (Android) RealPresence Debut  
  BToE for VVX Polycom ISDN Gateway  
  Plantronics Status Indicator Companion Polycom VBP 7301  
  PC Audio Connector    
Solution

Poly recommends customers upgrade to appropriate software version or later as established in the product table.

 

Implement Alternative Controls for Products/Services until Patches are Available for Deployment

It is recommended to implement strong network security practices and monitor network connections for any unauthorized connections. In addition, monitoring logs for indications of exploitation is encouraged as well. Ensure that any alerts from a vulnerable product or service are actioned immediately. Report incidents promptly to law enforcement and to Poly as provided below.

Contact

Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Poly Technical Support(888) 248-4143, (916) 928-7561, or visit the Poly Support Site.

 

Revision History
Version Date Description Status
1.51 02/23/2022 Updated product status: Added CVE-2022-23307 Interim
1.50 01/07/2022 Updated product status: Added CVE-2021-44832 Interim
1.49 12/24/2021 Updated product status and patch availability Interim
1.48 12/22/2021 Updated product status Interim
1.48 12/21/2021 Updated product status Interim
1.47 12/20/2021 Updated product status Interim
1.46 12/18/2021 Updated product status: Added CVE-2021-45105 Interim
1.45 12/17/2021 Updated product status Interim
1.44 12/17/2021 Updated product and services status Interim
1.43 12/16/2021 Updated product status Interim
1.42 12/16/2021 Modified Last update time format Interim
1.41 12/16/2021 Updated product status, Vulnerability Summary.
Added update revision to top of document: Updated CVE-2021-44228
Detail: Added CVE-2021-45046
Interim
1.4 12/15/2021 Updated product status, Vulnerability Summary and Alternative Controls sections Interim
1.3 12/15/2021 Updated product status and added products not included in prior releases Interim
1.2 12/14/2021 Updated status and added products Interim
1.1 12/14/2021 Updated status and added products Interim
1.0 12/13/2021 Initial Public Release Interim

©2022 Plantronics, Inc. All rights reserved.

Trademarks
Poly, the propeller design, and the Poly logo are trademarks of Plantronics, Inc.  All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without the express written permission of Poly.

Disclaimer
While Poly uses reasonable efforts to include accurate and up-to-date information in this document, Poly makes no warranties or representations as to its accuracy. Poly assumes no liability or responsibility for any typographical errors, out of date information, or any errors or omissions in the content of this document. Poly reserves the right to change or update this document at any time. Individuals are solely responsible for verifying that they have and are using the most recent Technical Bulletin. 

Limitation of Liability
Poly and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided "as is" without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Poly and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive, or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Poly has been advised of the possibility of such damages.