Date: December 28, 2021
Vuln Id/CVE: CVE-2021-42550
CVSS 3.0 Severity: 6.6 (Medium)
Zentera Risk Assessment: Low
Affected Product(s) and Versions:
- zCenter, all releases prior to and including 7.2.1
In versions of logback prior to and including 1.2.7, an attacker with write access to configuration files can craft a malicious XML configuration that causes code to be loaded from an attacker-controlled server and executed.
As the configuration file is owned by the user ztu, the attacker must either compromise the ztu account or obtain root access on the target product in order to take advantage of this attack.
Risk Assessment and Customer Impact
According to the CVSS 3.1 scoring for CVE-2021-42550, attack complexity is high, and the attack requires privileged access to the zCenter/ZOL. Assuming the attacker has such privileged access (ztu or root), there are many more direct ways to compromise the system than leveraging such a complex attack.
As a result, Zentera believes the risk and customer impact from CVE-2021-42550 are minimal.
Zentera has updated logback to a version not vulnerable to CVE-2021-42550, which will be released in version 7.3.1 of zCenter. Any patch versions released after 12/28/2021 for earlier releases will also include the updated version of logback.
Given the low risk assessment, Zentera has no plans to release a patch for earlier versions of zCenter.
As always, customers should take steps to secure access to the zCenter privileged accounts, including using source IP locking and using PEM certificates instead of passwords to secure SSH access to the zCenter appliance.
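Because exploitation depends on write access to the logback configuration, the following added example (not Zentera's code) audits who can change such a file, including through writable parent directories, and flags logback's `<insertFromJNDI>` element, which performs a JNDI lookup when the configuration is loaded. The file location, the `stop_at` install-prefix parameter and the sample configuration are assumptions made for illustration; the advisory does not give the real path.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample config; the element is the form shown in logback's own docs.
SAMPLE = """<configuration>
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName" />
  <appender name="FILE" class="ch.qos.logback.core.FileAppender">
    <file>app.log</file>
  </appender>
</configuration>"""

def audit_logback_config(path, owner_uid, stop_at):
    """List who besides owner_uid/root can change `path`, and JNDI use in it.
    stop_at (hypothetical parameter): ancestors above this directory are skipped."""
    findings = []
    path, stop_at = os.path.realpath(path), os.path.realpath(stop_at)
    loose = stat.S_IWGRP | stat.S_IWOTH
    st = os.stat(path)
    if st.st_uid not in (owner_uid, 0):
        findings.append(f"{path}: owned by uid {st.st_uid}")
    if st.st_mode & loose:
        findings.append(f"{path}: file is group/other-writable")
    # Write access to any ancestor directory allows swapping the file out,
    # even when the file's own mode is strict (sticky-bit directories excepted).
    d = os.path.dirname(path)
    while True:
        st = os.stat(d)
        if st.st_uid not in (owner_uid, 0):
            findings.append(f"{d}: directory owned by uid {st.st_uid}")
        if st.st_mode & loose and not st.st_mode & stat.S_ISVTX:
            findings.append(f"{d}: directory is group/other-writable")
        if d == stop_at or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    # <insertFromJNDI> makes logback perform a JNDI lookup when it loads the file.
    for elem in ET.parse(path).iter():
        if elem.tag.lower() == "insertfromjndi":
            findings.append(f"{path}: <insertFromJNDI> {dict(elem.attrib)}")
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:   # stand-in for the install prefix
        cfg = os.path.join(base, "logback.xml")
        with open(cfg, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(cfg, 0o664)                        # deliberately loose for the demo
        print("\n".join(audit_logback_config(cfg, os.getuid(), base)))
```

An empty result means only the expected owner or root can modify the file and it contains no JNDI lookup element; any finding is a prompt for manual review rather than proof of compromise.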
For Further Information
Please contact your Zentera Systems technical or sales representatives for further clarification regarding this or any other security concern.