Log4j Vulnerability and WatchGuard Server Center
Hi,
Regarding the new Log4j vulnerability -
Is it a cause for concern that, as I understand it, the WatchGuard Server Center utilises Apache HTTP Server?
If any, what steps should I be taking?
Thanks.
Comments
I've moved over to the Dimensions server install BUT, it would seem the Quarantine Server must run on Apache HTTP Server? Is that right?
Are WatchGuard staff releasing an updated software package? Or confirming that there is no vulnerability with their software?
I received this from support:
WatchGuard is aware of the vulnerability, and has a web article that addresses how to mitigate it. You can find the article link listed below. WatchGuard is aware of the vulnerability, and is currently working on a solution for our products.
Secplicity Blog regarding the Log4j vulnerability:
https://www.secplicity.org/2021/12/10/critical-rce-vulnerability-in-log4js/
Apache.exe
Apache.exe is the HTTP web server process that runs the user interfaces of the WatchGuard servers. Any time you open WatchGuard Server Center and connect to the Log Server, Report Server, Quarantine Server, WebBlocker Server, or Management Server, you access an instance of Apache.exe. Depending on how many WatchGuard servers you install, there can be anywhere from three to ten instances of Apache.exe running after installation. This does not change. That number of instances of the process runs as long as the WatchGuard server services are running.
Processes for WatchGuard Servers: Postgres.exe and Apache.exe
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g3EpSAI&lang=en_US
I just stopped all of these services which were running and I no longer have any apache.exe processes running on my PC.
Yeah thanks. I also stopped those processes as a matter of just being cautious.
It's a shame the Dimensions server cannot handle the Email Spam Quarantine service.
A post from WG just came out, here:
Critical RCE Vulnerability in Log4J2
https://www.secplicity.org/2021/12/10/critical-rce-vulnerability-in-log4js/
which includes:
"If you’re a WatchGuard customer, we are in the process of investigating internally and actively reviewing our products and services to determine any potential impact. We will proactively patch services where log4j2 is in use."
There was an update to the post this morning that read:
"If you’re a WatchGuard customer, the Firebox, WatchGuard System Manager and Dimension are all not affected. Several WatchGuard Cloud components including Threat Detection and Response and AuthPoint were running a vulnerable version of log4j2, but use a version of JVM that is not vulnerable to the common LDAP attack vector. We have updated these components out of an abundance of caution. We are continuing to investigate internally for any additional potential impact."
https://www.secplicity.org/2021/12/10/critical-rce-vulnerability-in-log4js/
Regarding the quarantine server, there aren't any plans to update that software. I'd suggest using a tagging system (such as adding SPAM in the subject line) to allow the spam folder integrated into most modern mail clients to handle this email traffic in a way that the user will see it.
-James Carson
WatchGuard Customer Support
When will an IPS protection become available to protect potentially vulnerable web servers with IPS?
Several vendors like CheckPoint, PaloAlto and Fortinet have updated their IPS signature databases. We would like to protect our web servers behind our Fireboxes with IPS too.
@leonkasacto
IPS updates are in progress, but they must be tested before release.
-James Carson
WatchGuard Customer Support
@leonkasacto IPS updates are now available:
https://techsearch.watchguard.com/KB?type=Security Issues&SFDCID=kA16S000000SNnuSAG&lang=en_US
-James Carson
WatchGuard Customer Support