Security Alert GoAnywhere MFT

🚨 MESSAGE 21/12/2021

Dear customers,

As promised, we will keep you updated on the evolution of the breaches.

A new operation as to be patched in order to correct the breach named CVE-2021-45105.

⬇ You will found the short description below :

Regarding CVE-2021-45105, Apache Log4j2 version 2.16 (included in the patch versions below) prevents evaluation of lookup patterns introduced outside of configuration; thus, customers only need to verify that the log4j2.xml configuration files located in the /config folder of their GoAnywhere products do not contain the vulnerable lookup pattern ${ctx:. The vulnerable lookup pattern is not included in the default logging configurations for GoAnywhere products.

Customers who previously manually updated their Log4j configuration files are advised to:

• Replace occurrences of ${ctx: with %X. For example, ${ctx:example} should be replaced with %X{example}.
• Restart the affected GoAnywhere product after making changes.

The above mitigation requires that customers upgraded to the patches announced December 17.

Thank you.

The ESBD Team

🚨 MESSAGE 17/12/2021

Dear customers,

We would like to follow up on our last emailing regarding the ‘Log4j2’ critical vulnerability published as CVE-2021-44228, and the breach published as CVE-2021-45046.

An update of the GoAnywhere patches are available.

This includes:

• Mitigation steps for GoAnywhere MFT (corrected),
• Mitigation steps for Gateway (corrected),
• Mitigation steps for Agents (in progress, we will come back to you ASAP with the details),
• Mitigation steps for Open PGP studio (corrected).

In addition, all patches that have been implemented should be removed and replaced with the new version incorporating Log4j2 v2.16 which fully fixes the 2 CVEs.

You can also find all the links and guides for updating GoAnywhere to your version below.

Our technical team thanks you for your patience and is at your disposal for assistance at the following email address support@esbd.eu.

Thank you,

ESBD Team

MESSAGE 14/12/2021

Dear customers,

On December 10 NIST published CVE-2021-44228 in response to the open-source Apache “Log4j2″ utility.

HelpSystems is actively monitoring this issue, investigating the potential impact on our products, and assembling the appropriate mitigations.

While the Log4j zero-day vulnerability does not appear to affect all Java versions, mitigation steps have been issued for GoAnywhere MFT.

For the latest guidance, please visit: https://www.goanywhere.com/cve-2021-44228-goanywhere-mitigation-steps.

The mitigation steps for the following products are enumerated below, and can be applied to assure the exploitable code is avoided when running any version of Java.

If you have earlier versions of our GoAnywhere software, you will need to upgrade before applying the system property.

• GoAnywhere MFT version 5.7.0 or later.
• GoAnywhere Gateway version 2.7.0 or later.
• GoAnywhere MFT Agents 1.4.2 or later.

For more information on this vulnerability:  https://nvd.nist.gov/vuln/detail/CVE-2021-44228

If you need additional details or assistance, please contact support@esbd.eu

Thank you,

ESBD

Share it