This incident has been resolved.
Tenfold has upgraded the shared cloud environment to Log4J version 2.16, which is the current safe harbor version.
The Tenfold Security, Operations, and Engineering teams continue to monitor the evolving situation related to Log4J and will update this incident as details become known. Please check status.tenfold.com for further updates. At this time, Tenfold has taken all available mitigating steps across our platform. A summary by component follows:
Cloud Shared Environment - MITIGATED - Leveraging Log4J version 2.16 in default configuration
Cloud Connect Server - NO RISK - Does not leverage Log4J
Tenfold Cloud Connect Server - VERY LOW RISK - Only ingress is via Lateral PBX system. Tenfold will eliminate Log4J from future TCC versions beginning in TCC 5.2.0. Direct communication has been shared with TCC customers.
============================================================================================
Background
A widely exploited zero-day vulnerability has recently been identified in the Java ecosystem, specifically in the common log4j logging framework. This framework is very commonly used across the SaaS industry and is used in Tenfold.
This high-severity vulnerability enables remote code execution (RCE) at the privilege level of the application, in scenarios where the attacker can manipulate the contents of inputs that are logged via log4j.
The specifics of the vulnerability can be found at the following links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44248 and
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
NOTE that as of Dec 15, 2021, Tenfold security has not detected any anomalous activity and does not believe that any malicious activity has occurred within the Tenfold Cloud.
Does this affect the Tenfold Cloud?
Only one component of the Tenfold Cloud utilizes Java and uses log4j.
Is the Tenfold Cloud using log4j? Yes
Is the Tenfold Cloud vulnerable to exploitation? No
Tenfold Cloud has been patched (as of Dec 14, 2021) to log4j version 2.15.
Tenfold’s implementation of Log4J is used in the default configuration, so we believe that we are completely mitigated.
NEXT ACTION: In an overabundance of caution, Tenfold will update to log4j version 2.16 on Dec 15 (pending QA testing).
Does this affect the Tenfold On Premise Components?
Only one component of the Tenfold On Premise solution (Tenfold Cloud Connect - TCC) utilizes Java. Customers leveraging Cloud Connect Services (CCS) are not impacted.
Is the Tenfold On Premise using log4j? Yes
Is the Tenfold On Premise vulnerable to exploitation? Potentially
TCC does not inherently open any inbound ports to the internet, so in its normal mode of operation it is not vulnerable.
However, customers are advised that TCC does open inbound ports to their on-prem PBX solutions, so if those solutions are vulnerable, TCC may be susceptible to a lateral move vulnerability.
Since customers’ PBX solutions are outside of Tenfold’s sphere of control, customers are advised to take whatever actions they deem necessary to secure their PBX systems.
NEXT ACTION: From TCC version 5.2.0 (expected later this month) forward, Tenfold will be removing log4j from the TCC code, which will completely mitigate this vulnerability.
Customers leveraging TCC will be contacted directly with specific instructions on how to further mitigate any further risk.