Mindbreeze InSpire is NOT vulnerable to the Apache Log4j2 Remote Code Execution (RCE) (MINDBREEZE21044)

ID: MINDBREEZE21044 
Affected Components: None 
Severity: 6.8 Moderate 
Status: Final 
First published: December 16, 2021 
CVEs: CVE-2021-44228 

Summary

When CVE-2021-44228 was published, we immediately scanned the InSpire Images with our Software Composition Analysis (SCA) tools. There was only one reference to Log4j2 on the Image: it was referenced by the Apache JMeter used in an optional internal plugin for query performance testing. We confirmed that even in that internal plugin no vulnerability exists, because Log4j2 was referenced without any specific configuration. We immediately removed Log4j2 completely from Mindbreeze InSpire SaaS and provide Mindbreeze InSpire G7 Image Updates.
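As an added illustration of the kind of SCA check described above (example code, not Mindbreeze's own tooling): a small scanner that walks a directory tree, fingerprints log4j-core JARs by the Maven metadata embedded in the archive rather than by file name, and flags any version below 2.15.0, the first log4j-core release not affected by CVE-2021-44228. The directory layout and JAR contents built in `demo()` are constructed sample data.

```python
import os
import tempfile
import zipfile

# Maven metadata that log4j-core ships inside its JAR; the version line there is a
# reliable fingerprint even when the JAR has been renamed or repackaged.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # first log4j-core release not affected by CVE-2021-44228


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints (suffix dropped)."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def log4j_core_version(jar_path):
    """Return the log4j-core version embedded in a JAR, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPS not in jar.namelist():
                return None
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        return None  # not a ZIP-based archive, nothing to report
    return None


def scan_tree(root):
    """Walk root and report (relative path, version, vulnerable?) for each log4j-core JAR."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = log4j_core_version(path)
            if version is not None:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, version, parse_version(version) < FIXED_VERSION))
    return sorted(findings)


def _write_jar(path, props):
    """Create a minimal constructed JAR; props=None yields a JAR with no log4j metadata."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("dummy.class", b"")
        if props is not None:
            jar.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % props)


def demo():
    """Build a constructed sample image tree (one old, one fixed, one unrelated JAR) and scan it."""
    root = tempfile.mkdtemp()
    _write_jar(os.path.join(root, "plugins", "jmeter", "lib", "log4j-core-2.13.3.jar"), "2.13.3")
    _write_jar(os.path.join(root, "app", "renamed.jar"), "2.16.0")  # renamed JAR still detected
    _write_jar(os.path.join(root, "app", "other-lib.jar"), None)
    return scan_tree(root)
```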

Remediation

Even though neither Mindbreeze InSpire SaaS nor Mindbreeze InSpire G7 is vulnerable to the Log4j RCE, we updated the referenced Log4j2 version to a fixed version with 21.2.5.1145 and added a default JVM configuration for all third-party plugins to prevent Log4j2 from being exploitable. Furthermore, starting with 21.2.7.1157, we removed Log4j2 entirely. For Mindbreeze InSpire G7 customers we recommend updating to the latest Mindbreeze InSpire Hotfix.

Hotfix Information

Fixed with the following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:

  • Mindbreeze InSpire 21.2 Release Hotfix 6 (Version 21.2.7.1157) 

  • Mindbreeze InSpire SaaS 21.2 Release Hotfix 6 (Version 21.2.7.1157)