This bug has been filed to evaluate the product Cisco Firepower Threat Defense (FTD) managed by Firepower Device Manager (FDM) against the vulnerability in the Apache Log4j Java library disclosed on December 9th, 2021. Cisco has reviewed this product and concluded that it contains a vulnerable version of Apache Log4j and is affected by the following vulnerability:

CVE-2021-44228 - Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
FTD has two management modes:
- Firepower Device Manager/Cisco Secure Firewall Device Manager (FDM) - This is our on-box device manager (Vulnerable)
- Firepower Management Center/Cisco Secure Firewall Management Center - This is our off-box device manager (Not Vulnerable)

The part of the code that is vulnerable is the programmatic REST API that backs FDM (aka FTD-API), which can be used directly by a customer and is also the backing API used by the graphical user interface. The FDM interface is enabled by default in most device models on the inside interface (typically port 2) and on the management interface. It is not enabled on the outside port by default (but can be enabled by a user).

The majority of the risk is that someone inside your network may be able to attack this API. There is a limited risk of unauthenticated attack through some of the APIs that log malformed input. There is a broader risk from an authenticated user, who is able to call a broader set of APIs. This vulnerability does not impact any VPN functionality. Firepower Management Center managed FTD devices are not vulnerable.

At the time this bug was filed, all existing releases from 6.2.3 forward contain a vulnerable copy of the library. If you are running any of these versions, it is recommended at a minimum to apply the mitigation of access control on the programmatic API for FDM (FTD-API), and/or to apply the patch to remove the risk.
- 6.2.3.17 and earlier
- 6.3 (all versions)
- 6.4.0.13 and earlier
- 6.5.0.5 and earlier
- 6.6.5.1 and earlier
- 6.7.0.2 and earlier
- 7.0.1 and earlier
- 7.1.0
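The affected-version list above is easy to misread across eight release trains when triaging a fleet. The following is an added example (not Cisco's code and not part of this bug) that encodes those ranges and flags inventory entries; it assumes dotted numeric version strings such as "6.6.5.1" and the sample inventory is constructed. It also applies the page's two other conditions: FMC-managed devices are not vulnerable, and releases before 6.2.3 are outside the stated scope. Trains newer than those listed cannot be judged from this page, so they are reported as unknown rather than guessed.

```python
# Added example: triage FTD device versions against the vulnerable ranges listed
# in the advisory above. Not Cisco code; version strings are assumed to be
# dotted numerics and the inventory below is constructed sample data.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Upper bound (inclusive) of the vulnerable range per release train, as listed.
# None means every release of that train is listed as vulnerable.
VULNERABLE_UP_TO: Dict[Tuple[int, int], Optional[Version]] = {
    (6, 2): (6, 2, 3, 17),   # 6.2.3.17 and earlier
    (6, 3): None,            # 6.3 (all versions)
    (6, 4): (6, 4, 0, 13),   # 6.4.0.13 and earlier
    (6, 5): (6, 5, 0, 5),    # 6.5.0.5 and earlier
    (6, 6): (6, 6, 5, 1),    # 6.6.5.1 and earlier
    (6, 7): (6, 7, 0, 2),    # 6.7.0.2 and earlier
    (7, 0): (7, 0, 1),       # 7.0.1 and earlier
    (7, 1): (7, 1, 0),       # 7.1.0
}

FIRST_AFFECTED: Version = (6, 2, 3)  # advisory covers 6.2.3 forward


def parse_version(text: str) -> Version:
    """Turn '6.6.5.1' into (6, 6, 5, 1); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, managed_by_fdm: bool = True) -> Optional[bool]:
    """True/False per the listed ranges; None when the train is not covered by the list.

    Tuple comparison gives the right prefix semantics: (6, 2, 3) < (6, 2, 3, 17),
    so a bare '6.2.3' is inside the '6.2.3.17 and earlier' range.
    """
    if not managed_by_fdm:
        return False  # FMC-managed FTD is stated to be not vulnerable
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False  # outside the scope the advisory describes
    bound = VULNERABLE_UP_TO.get(v[:2], "absent")
    if bound == "absent":
        return None  # train newer than the list; cannot decide from this page
    if bound is None:
        return True
    return v <= bound


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str, str]]:
    """Map (hostname, version, managed_by_fdm) to (hostname, version, status)."""
    labels = {True: "vulnerable", False: "not vulnerable", None: "unknown train"}
    return [(host, ver, labels[is_vulnerable(ver, fdm)]) for host, ver, fdm in inventory]


# Constructed sample inventory: (hostname, version, managed by FDM?)
SAMPLE_INVENTORY = [
    ("branch-fw-01", "6.6.5.1", True),
    ("branch-fw-02", "6.6.5.2", True),
    ("dc-fw-01", "7.0.1", False),
    ("lab-fw-01", "7.1.0", True),
    ("lab-fw-02", "6.2.2", True),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {ver:10} {status}")
```

Devices reported as "vulnerable" are the ones to hotfix first, or to protect with the Management Access restrictions described below until they can be updated; "unknown train" entries should be checked against the current Cisco advisory rather than assumed safe.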
There are currently hotfixes released for all major release trains; the recommended approach is to update to the hotfix. For an alternate approach if you can't yet update: access control can be added to both the management and data-plane interfaces to limit who can connect to the programmatic API for FDM (FTD-API). To configure this access control in the FDM UI go to:

System Settings --> Management Access

Under Management Access there are two tabs of interest for limiting access:
- Management Interface
- Data Interfaces

Under these subtabs, you can impose access control on "to the box" traffic destined to the management or data-plane interfaces. The only remaining risk is from users you allow access via either of these interfaces; by default, access is open, which is why you may want to consider limiting that access.

Note: Access will only be enabled by default on the management interface and the inside data interface; it will not be exposed on the default outside interface. (However, the user can manually enable it.)
Additional details about the vulnerability listed above can be found at http://cve.mitre.org/cve/cve.html

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 3.1 score. The Base CVSS score as of the time of evaluation is 7.3: https://tools.cisco.com/security/center/cvssCalculator.x?version=3.1&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco product.

Additional information on Cisco's security vulnerability policy can be found at the following URL: https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html