{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-070.pdf"
    },
    "title": "MobileIron Critical Vulnerability",
    "serial_number": "2021-070",
    "publish_date": "16-12-2021 10:12:00",
    "description": "On December 15th, Ivanti updated its advisory related to the \"CVE-2021-44228\" vulnerability affecting MobileIron products. While this CVE affects the Java logging library \"log4j\", all products using this library are vulnerable to Unauthenticated Remote Code Execution.",
    "url_title": "2021-070",
    "content_markdown": "---\ntitle: 'MobileIron Critical Vulnerability'\nversion: '1.0'\nnumber: '2021-070'\ndate: 'January 17, 2021'\n---\n\n_History:_\n\n* _16/12/2021 --- v1.0 -- Initial publication_\n* _17/01/2022 --- v1.0 -- Edit the affected versions section for MobileIron Sentry_\n\n# Summary\n\nOn December 15th, Ivanti updated its advisory related to the `CVE-2021-44228` vulnerability affecting MobileIron products [2]. While this CVE affects the Java logging library `log4j` [1], all products using this library are vulnerable to Unauthenticated Remote Code Execution.\n\n# Technical Details\n\nThe vulnerability exists in the Java logging library `log4j`. An unauthenticated remote attacker might exploit this vulnerability by sending specially crafted content to the application to execute malicious code on the server [1].\n\n# Affected products\n\n- MobileIron Core (All Versions)\n- MobileIron Sentry 9.13 and 9.14\n- MobileIron Core Connector (All Versions)\n- MobileIron Core RDB (All Versions)\n\n# Recommendations\n\nIvanti provided guidance to mitigate the vulnerability on its various affected products:\n\n1. Connect to the server CLI via SSH protocol;\n2. Use the command `enable` to elevate privileges;\n3. Install the workaround using one of the following commands (depending on the product you are updating):\n\n```\ninstall rpm url https://supportcdn.mobileiron.com/log4j-jndi/current/mi-workaround-log4j-jndi-vulnerability-1.0.0-1.noarch.rpm # MobileIron Core\ninstall rpm url https://supportcdn.mobileiron.com/log4j-jndi/current/mi-workaround-sentry-log4j-jndi-vulnerability-1.0.0-1.noarch.rpm # MobileIron Sentry\ninstall rpm url https://supportcdn.mobileiron.com/log4j-jndi/current/mi-workaround-connector-log4j-jndi-vulnerability-1.0.0-1.noarch.rpm # MobileIron Core Connector\ninstall rpm url https://supportcdn.mobileiron.com/log4j-jndi/current/mi-workaround-rdb-log4j-jndi-vulnerability-1.0.0-1.noarch.rpm  # MobileIron Core RDB\n```\n\n4. Accept the service restart (`y`).\n\nNotes:\n\n- If FIPS mode is enabled on the server, then the effects of the installation will not persist across reboots. This means the RPM installation will need to be re-performed immediately after the system comes back up after a reboot.\n- If the server is upgraded, then the RPM installation will need to be re-performed, unless the version being upgraded to has a fix to the issue.\n- For Sentry, the RPM installation is applicable only to Sentry 9.13 and above. Versions prior to that are not vulnerable.\n\n# References\n\n[1] <https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-067.pdf>\n\n[2] <https://forums.ivanti.com/s/article/Security-Bulletin-CVE-2021-44228-Remote-code-injection-in-Log4j>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>16/12/2021 --- v1.0 -- Initial publication</em></li><li><em>17/01/2022 --- v1.0 -- Edit the affected versions section for MobileIron Sentry</em></li></ul><h2 id=\"summary\">Summary</h2><p>On December 15th, Ivanti updated its advisory related to the <code>CVE-2021-44228</code> vulnerability affecting MobileIron products [2]. While this CVE affects the Java logging library <code>log4j</code> [1], all products using this library are vulnerable to Unauthenticated Remote Code Execution.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability exists in the Java logging library <code>log4j</code>. An unauthenticated remote attacker might exploit this vulnerability by sending specially crafted content to the application to execute malicious code on the server [1].</p><h2 id=\"affected-products\">Affected products</h2><ul><li>MobileIron Core (All Versions)</li><li>MobileIron Sentry 9.13 and 9.14</li><li>MobileIron Core Connector (All Versions)</li><li>MobileIron Core RDB (All Versions)</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Ivanti provided guidance to mitigate the vulnerability on its various affected products:</p><ol><li>Connect to the server CLI via SSH protocol;</li><li>Use the command <code>enable</code> to elevate privileges;</li><li>Install the workaround using one of the following commands (depending on the product you are updating):</li></ol><pre><code>install rpm url https://supportcdn.mobileiron.com/log4j-jndi/current/mi-workaround-log4j-jndi-vulnerability-1.0.0-1.noarch.rpm # MobileIron Core\ninstall rpm url https://supportcdn.mobileiron.com/log4j-jndi/current/mi-workaround-sentry-log4j-jndi-vulnerability-1.0.0-1.noarch.rpm # MobileIron Sentry\ninstall rpm url https://supportcdn.mobileiron.com/log4j-jndi/current/mi-workaround-connector-log4j-jndi-vulnerability-1.0.0-1.noarch.rpm # MobileIron Core Connector\ninstall rpm url https://supportcdn.mobileiron.com/log4j-jndi/current/mi-workaround-rdb-log4j-jndi-vulnerability-1.0.0-1.noarch.rpm  # MobileIron Core RDB\n</code></pre><ol start=\"4\"><li>Accept the service restart (<code>y</code>).</li></ol><p>Notes:</p><ul><li>If FIPS mode is enabled on the server, then the effects of the installation will not persist across reboots. This means the RPM installation will need to be re-performed immediately after the system comes back up after a reboot.</li><li>If the server is upgraded, then the RPM installation will need to be re-performed, unless the version being upgraded to has a fix to the issue.</li><li>For Sentry, the RPM installation is applicable only to Sentry 9.13 and above. Versions prior to that are not vulnerable.</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-067.pdf\">https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-067.pdf</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://forums.ivanti.com/s/article/Security-Bulletin-CVE-2021-44228-Remote-code-injection-in-Log4j\">https://forums.ivanti.com/s/article/Security-Bulletin-CVE-2021-44228-Remote-code-injection-in-Log4j</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}