Article topics
Introduction
DRACOON has implemented a number of mitigations for the log4j CVEs that have been published in the last few weeks and pays close attention to the official Apache Log4j Security Vulnerabilities webpage: Apache Log4j Security Vulnerabilities.
Even though most of the components in DRACOON products were not affected, all recommended mitigations have been implemented and new releases for components in DRACOON Server and DRACOON LTS 2019-1 have been published. This is to ensure that no library dependency, which is outside DRACOON's control, can negatively affect the product.
Customers running DRACOON LTS 2019-1 must pay particular attention to these new releases and upgrade their environments as soon as possible.
In a nutshell, mitigations have been implemented to address the following CVEs:
- CVE-2021-44228 - Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
- CVE-2021-45046 - Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
- CVE-2021-45105 - Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
- CVE-2021-44832 - Apache Log4j2 vulnerable to remote code execution in certain non-default configurations
The tables below break down the products and mitigations customers need to implement to ensure a vulnerability-free environment.
DRACOON Cloud
All backend components within the DRACOON Cloud have been reviewed and patched further, even though none of the components have been directly vulnerable by the CVEs: all components do not use the log4j-core package or depend on it.
DRACOON clients
DRACOON Cloud can be used via different end-user interfaces. The list below describes all DRACOON products and their status.
|
Client
|
Version
|
Status
|
|---|---|---|
| DRACOON for Windows | All versions |  not affected |
| DRACOON for Mac | All versions | not affected |
| DRACOON for Outlook | All versions | not affected |
| DRACOON for Teams | All versions | not affected |
| DRACOON for Zapier | All versions | not affected |
| DRACOON for iOS | All versions | not affected |
| DRACOON for Android | All versions | not affected |
Table last updated on: 21 Dec 2021
DRACOON Server
Important
All components within the DRACOON Server have been reviewed and patched further, even though they have not been directly vulnerable by the CVEs: all components do not use the log4j-core package or depend on it. Run "yum update" on your DRACOON Server instances to install all the latest security patches.
The mitigations below are safe against all 4 known log4j CVEs: CVE-2021-44228, CVE-2021-45046 CVE-2021-45105 and CVE-2021-44832
More information about updating your DRACOON Server instance can be found here: https://server.support.dracoon.com/hc/de/articles/4405085887378
| Software | Service | Affected version | Mitigation |
|---|---|---|---|
| Backend |
DRACOON Core Service |  4.26.6 and below |
Upgrade to 4.26.7 |
| DRACOON OAuth Service | 4.20.5 and below |
Upgrade to 4.20.6 | |
| DRACOON Branding Service | 1.4.1 and below |
Upgrade to 1.4.2 | |
| DRACOON Admin Service | 1.0.2 and below |
Upgrade to 1.0.3 | |
| DRACOON License Service | 1.0.1 and below |
Upgrade to 1.0.2 | |
| DRACOON WebDAV Proxy | 5.4.1 and below |
Upgrade to 5.4.2 | |
| Workers |
DRACOON Webhook Dispatcher | 1.1.5 and below |
Upgrade to 1.1.6 |
| DRACOON Webhook Worker | 1.1.3 and below |
Upgrade to 1.1.4 | |
| DRACOON Message Sender Worker | 1.4.3 and below |
Upgrade to 1.4.4 | |
| DRACOON Mail Notification Dispatcher | 1.2.3 and below |
Upgrade to 1.2.4 | |
| DRACOON S3 CMUR Worker | 1.4.1 and below |
Upgrade to 1.5.0 | |
| Web App | DRACOON Web App | 5.12.5 and below |
Upgrade to 5.12.6 |
| DRACOON Branding Web App | 1.8.0 and below |
Upgrade to 1.8.1 |
Table last updated on: 21 Dec 2021
DRACOON LTS 2019-1
Important
Customers must update all services as soon as possible!
The mitigations below are safe against all 4 known log4j CVEs CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 and CVE-2021-44832
| Software | Service | Affected version | Mitigation |
|---|---|---|---|
| Backend | DRACOON Core Service | 4.12.12 and below |
Upgrade to 4.12.12-noJndiLookup |
| DRACOON OAuth Service | 4.12.4 and below |
Upgrade to 4.12.4-LTS-noJndiLookup |
|
| DRACOON Branding Service | not affected |
- |
|
| DRACOON WebDAV Proxy | 5.2.3-LTS and below |
Upgrade to 5.2.4-LTS |
|
| Web App | DRACOON Web App | not affected |
- |
| DRACOON Branding Web App | not affected |
- | |
| Clients |
DRACOON for Outlook | not affected |
- |
| DRACOON for Teams | not affected |
- | |
|
DRACOON for iOS |
not affected |
- | |
| DRACOON for Android | not affected |
- | |
| DRACOON for Win | not affected |
- |
|
| DRACOON for Mac | not affected |
- |
Table last updated on: 21 Dec 2021
Component update for LTS 2019-1
Please follow the instructions in the corresponding articles:
DRACOON SDKs
|
Library
|
Affected version
|
|---|---|
| C# SDK | not affected |
| C# Crypto SDK | not affected |
| Java SDK | not affected |
| Java Crypto SDK | not affected |
| Swift SDK | not affected |
| Swift Crypto SDK | not affected |
| JavaScript Crypto SDK | not affected |
Table last updated on: 21 Dec 2021
Comments
0 comments
Article is closed for comments.