Impact of Log4j Exploit on Pharos - January 2022
- Updated on 17 Apr 2024
January 24th Update: A patch for the Pharos Sentry Print Service has been RELEASED! This patch updates the Log4j libraries to the latest (invulnerable) version.
Beacon: Download and deploy the updated "Pharos Sentry Print Service - Local Connector" release for November (version 3.74.10; requires a login). Please do not uninstall the previous version.
Blueprint: The patch has been posted on the Blueprint Downloads page. Please review the ReadMe for update instructions.
January 21st Update: A fix that addresses the Log4j component issue for Beacon Sentry Print will be available to Beacon customers on Monday, January 24th. Download and install the new Device Scout package to apply the update.
December 21st Update: Pharos has used Amazon's AWS Inspector to scan our Beacon infrastructure for all log4j CVEs and has found no evidence of vulnerability. This confirms our earlier findings and is as expected.
December 20th Update: Pharos is aware of a new log4j exploit (CVE-2021-45105). This vulnerability is rated High with a CVSS score of 7.5, because it is simple to trigger and allows a remote attacker to perform DoS attacks.
This vulnerability has the same version and component requirements as the other log4j issues – specifically log4j versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3). Pharos onsite components do not use these versions of log4j and are not vulnerable.
A non-customer-facing cloud component used by Pharos (ElasticSearch) runs a version of log4j that is not affected by this vulnerability, as the prior patch is also effective against the new vulnerability. ElasticSearch has updated their guidance to confirm that their service is not vulnerable to this new vulnerability.
December 16th Update:
Pharos is aware of a new Log4j exploit (CVE-2021-45046). Our initial investigation indicates that Pharos solutions, including iMFPs, are not susceptible to this new vulnerability. A non-customer-facing cloud component used by Pharos (ElasticSearch) runs a version of log4j that is not affected by this vulnerability, but it has been patched out of an abundance of caution. In addition, this new vulnerability does not change Elastic's guidance.
December 14th Update:
Pharos has learned that a non-customer-facing cloud component used by Pharos was potentially susceptible to log4shell - specifically ElasticSearch, which is used by Pharos to log events across our infrastructure. We have applied patches to all production environments. In addition, Pharos has scanned all our logs and confirmed that no attempts were made to exploit this vulnerability. More information on ElasticSearch and log4j is available here: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476.
Background
Recently, a new zero-day vulnerability in the popular Java library Apache Log4j (CVE-2021-44228) was uncovered. This vulnerability allows attackers to inject arbitrary code through Log4j versions 2.0 through 2.14.1. This Java library is widely used by multiple closed- and open-source projects.
This vulnerability is rated critical (CVSS severity level 10 out of 10), with immediate patching or mitigation recommended if affected, because it allows possible Remote Code Execution when an attacker sends a malicious string that gets logged by Log4j. That string allows the attacker to load Java code onto the server and therefore take control of it.
Impact of Apache Log4j exploit on Pharos Products
After initial review, Pharos believes that our Pharos customers are not impacted by the Log4j JNDI exploit. Pharos uses Java in our embedded solutions for some print manufacturers and does include a copy of the Log4j library, but the version installed is not susceptible to the current vulnerability.
The Log4j library is present for the following Pharos software titles:
- Pharos Beacon. Installed as part of the Device Scout/Sentry Print Service.
- Pharos Blueprint Enterprise, version 5.3. Installed as part of the Sentry Print Service.
The library is loaded only when actively deploying or removing the Sentry SE50 embedded product on Ricoh devices.
Recommended Action
In general, Pharos' recommendation is to do nothing. If your vulnerability scanner detects the Log4j library in one of the following locations (the location varies depending on your installed version), you can safely ignore it:
- \Program Files (x86)\HP\HP Secure Print Service\smartsdk-installer\lib\
- \Program Files (x86)\PharosSystems\Sentry Print Service\smartsdk-installer\lib\
However, we also understand that many organizations have different operating procedures in the face of a vulnerability and will need to mitigate any threat. If you are either not using the Sentry SE50 client, or not deploying this client to Ricoh models, you may safely remove the "log4j-1.2.17.jar" file from one of the locations listed above.
If you are using the Sentry SE50 client for deployment to Ricoh models, you may retain a copy of the file offline and remove it from affected servers. Prior to deploying Sentry SE50 to Ricoh, reintroduce the offline copy to a server and perform the deployment. The server copy can be removed when finished.
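The version check behind the advice above, as an added example that is not Pharos tooling: it walks a directory tree for Log4j jars and classifies each by filename version against the ranges quoted in this advisory (the CVE-2021-45046 range is not stated on this page and is taken from Apache's own advisory). The sample tree, the third-party "other-app" jar and the empty placeholder jar files are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

_JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+(?:\.\d+)*(?:-[A-Za-z]+\d*)?)\.jar$", re.I)

# Affected ranges (inclusive) with excluded point releases. CVE-2021-44228 and
# CVE-2021-45105 ranges come from the advisory text; CVE-2021-45046's range is
# not stated on the page and is taken from Apache's own advisory.
AFFECTED = {
    "CVE-2021-44228": ((2, 0, 0), (2, 14, 1), set()),
    "CVE-2021-45046": ((2, 0, 0), (2, 15, 0), {(2, 12, 2)}),
    "CVE-2021-45105": ((2, 0, 0), (2, 16, 0), {(2, 12, 3)}),
}

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release suffixes are
    dropped because every 2.0 pre-release sits inside all three ranges."""
    nums = [int(p) for p in text.split("-")[0].split(".")]
    return tuple((nums + [0, 0, 0])[:3])

def classify(version_text):
    """CVE ids whose range covers this version. Log4j 1.x (e.g. the
    log4j-1.2.17.jar named in the advisory) matches none and returns []."""
    v = parse_version(version_text)
    return [cve for cve, (lo, hi, excl) in AFFECTED.items()
            if lo <= v <= hi and v not in excl]

def scan(root):
    """Walk root for Log4j jars; return (relative path, version, cves) triples."""
    hits = []
    for jar in sorted(Path(root).rglob("*.jar")):
        m = _JAR_RE.match(jar.name)
        if m:
            hits.append((jar.relative_to(root).as_posix(), m.group(1), classify(m.group(1))))
    return hits

def build_sample_tree(base=None):
    """Constructed layout mirroring the advisory's two locations plus a
    hypothetical third-party jar, so the scanner runs offline."""
    base = Path(base) if base else Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    for rel in ("PharosSystems/Sentry Print Service/smartsdk-installer/lib/log4j-1.2.17.jar",
                "HP/HP Secure Print Service/smartsdk-installer/lib/log4j-1.2.17.jar",
                "other-app/lib/log4j-core-2.14.1.jar"):
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")  # empty placeholder; only the file name is inspected
    return base
```

On a real server, call scan() on the Program Files root instead of the sample tree; an empty CVE list for the two Sentry Print Service paths is the "safe to ignore" case the advisory describes.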
Next Steps
Pharos is actively developing a patch for the Sentry Print Service to update to the currently unaffected Log4j 2.17.0 version. This will be released as a patch update for both Beacon and Blueprint 5.3 when available.
If you have further questions, please reach out to pharossecurityteam@pharos.com.