SailPoint SaaS Services Response to log4j Remote Code Execution Vulnerability

IMPORTANT: Please see the latest announcement here.

SailPoint has fully mitigated the Log4J RCE vulnerability (CVE-2021-44228) in all impacted products.

We are aware of the recently-identified Log4J DoS vulnerability (CVE-2021-45046) that is also applicable to the impacted products. While this new DoS vulnerability has a low severity (CVSS score of 3.7 per NVD), we are actively working on addressing this vulnerability by upgrading to Log4J 2.16.0 and expect product releases that include the updated library to be available in the coming days.

We will be issuing further communications once this issue has been addressed. No action is needed at this time.

Earlier today, a critical vulnerability in the log4j library used in several SailPoint SaaS solutions (IdentityNow and IdentityAI) was announced and is being tracked by CVE-2021-44228.
SailPoint is actively tracking this vulnerability and has implemented mitigating controls in our SaaS edge services. Teams are actively working to complete additional mitigations and remediations associated with on-premise services. Estimated completion for internal services is tomorrow, Dec 11th.

3 Likes

Hi, is there any update on the on-premise service vulnerability?

@stvoda Please see our updates for IdentityIQ here: SailPoint IdentityIQ Response to log4j Remote Code Execution Vulnerability

All SailPoint SaaS services are now safe from the log4j exploit. The critical vulnerability announced yesterday in the log4j library used in several SailPoint SaaS solutions (IdentityNow and IdentityAI) being tracked by CVE-2021-44228 has been mitigated in all SailPoint SaaS environments.

1 Like

Thanks Jordan. We run IdentityNow. Is there any action that we need to take on our VAs? Or IQService Windows servers?

5 Likes

We are wondering the same thing. Are there updates that need to be done on the VAs, etc that are on prem?

@stvoda @mankelat, thanks for bringing virtual appliances up. All VAs we can mitigate have already been mitigated. If there should be any further mitigation done, customer support will be reaching out to those customers directly. As of right now, there is nothing you need to do!

1 Like

Could you comment on the IQ servers that IDNow customers use for AD connections? Do we need to do anything with them?

Hi there, it seems the 2.15 version is incomplete in patching CVE-2021-44228?

A newer version 2.16 was released by Apache, wondering when the VAs will be updated?

1 Like

Echoing @VincentChu 's question.

Are any SaaS services or the VAs impacted by the new CVE?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

It seems setting log4j2.noFormatMsgLookup to true doesn't mitigate the issue and still allows for RCE. Good read: Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) | LunaSec

All,

SailPoint has fully mitigated the Log4J RCE vulnerability (CVE-2021-44228) in all impacted products.

We are aware of the recently-identified Log4J DoS vulnerability (CVE-2021-45046) that is also applicable to the impacted products. While this new DoS vulnerability has a low severity (CVSS score of 3.7 per NVD), we are actively working on addressing this vulnerability by upgrading to Log4J 2.16.0 and expect product releases that include the updated library to be available in the coming days.

We will be issuing further communications once this issue has been addressed. No action is needed at this time.

1 Like
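The questions above about whether a VA or IQService host is still on 2.15.0 come down to one check: which log4j-core version is actually on disk, and whether the JndiLookup class is still inside it. The script below is an added example (not SailPoint's or Apache's code) that walks a directory, opens every jar/war/ear, recovers the bundled log4j-core version from the Maven pom.properties (which survives shading into fat jars) or the manifest, and classifies each archive against the 2.15.0 / 2.16.0 thresholds this thread discusses. The directory layout and the jars it builds for the demo are constructed here for illustration; point it at a real path such as a VA's application directory to inventory that host.

```python
"""Inventory log4j-core jars under a directory and classify each one against
CVE-2021-44228 / CVE-2021-45046. Added example; not SailPoint or Apache code."""
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Entries inside an archive that identify log4j-core and its JNDI lookup plugin.
CORE_MARKER = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None if no version-like token is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def log4j_core_version(zf):
    """Version of the log4j-core bundled in an open archive, or None.
    pom.properties is preferred because it survives shading into fat jars;
    the manifest works for a plain log4j-core-*.jar; the filename is a last resort."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    if MANIFEST in names:
        for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    name = Path(zf.filename).name if zf.filename else ""
    return parse_version(name) if name.startswith("log4j-core") else None


def classify(version, has_jndi_lookup):
    """Map (version, JndiLookup present?) to the exposure discussed in the thread.
    Thresholds follow the Apache advisories current at the time of the thread:
    < 2.15.0 -> CVE-2021-44228, 2.15.0 -> CVE-2021-45046, >= 2.16.0 -> fixed."""
    if not has_jndi_lookup:
        return "mitigated: JndiLookup.class removed"
    if version is None:
        return "unknown version: inspect manually"
    if version[0] != 2:
        return "not log4j 2.x: out of scope for these CVEs"
    if version < (2, 15, 0):
        return "VULNERABLE: CVE-2021-44228 (RCE), upgrade to 2.16.0"
    if version < (2, 16, 0):
        return "VULNERABLE: CVE-2021-45046, upgrade to 2.16.0"
    return "patched: 2.16.0 or later"


def scan(root):
    """Return {relative archive path: status} for every archive embedding log4j-core."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".jar", ".war", ".ear"}:
            continue
        rel = path.relative_to(root).as_posix()
        try:
            with zipfile.ZipFile(path) as zf:
                names = zf.namelist()
                if not any(n.startswith(CORE_MARKER) for n in names):
                    continue  # archive does not carry log4j-core at all
                findings[rel] = classify(log4j_core_version(zf), JNDI_LOOKUP in names)
        except zipfile.BadZipFile:
            findings[rel] = "unreadable archive: inspect manually"
    return findings


def build_sample_tree(root):
    """Constructed fixture: minimal archives that mimic the cases a scan meets."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    (root / "app").mkdir(parents=True, exist_ok=True)
    samples = {
        "lib/log4j-core-2.14.1.jar": {MANIFEST: "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n", JNDI_LOOKUP: b""},
        "lib/log4j-core-2.15.0.jar": {POM_PROPS: "version=2.15.0\n", JNDI_LOOKUP: b""},
        "app/service.war": {POM_PROPS: "version=2.16.0\n", JNDI_LOOKUP: b""},  # shaded fat war
        "lib/log4j-core-2.14.1-stripped.jar": {MANIFEST: "Implementation-Version: 2.14.1\n",
                                               CORE_MARKER + "Logger.class": b""},
        "lib/other.jar": {"com/example/App.class": b""},  # no log4j; must not be reported
    }
    for rel, entries in samples.items():
        with zipfile.ZipFile(root / rel, "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan(root)


if __name__ == "__main__":
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, status in results.items():
        print(f"{status:55} {rel}")
```

Run it with no arguments to see the constructed cases, or with a directory argument to inventory a real host. A jar classified as "mitigated" has had the JndiLookup class removed, which is the class-removal workaround rather than the library upgrade the announcement describes; treat it as interim until the 2.16.0 release lands.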

Thank you for the update. Nice to see releases with 2.16 are coming soon. Can’t imagine how busy your teams must have been working over the past week to address this. Much appreciated.

Please follow the announcements category for all future announcements on log4j: Announcements - SailPoint Developer Community