by Jared Barraford
Managing Director
Background
Recently two critical risk Apache vulnerabilities were brought to the iManage security team for investigation, which were found to be exploitable under certain conditions for on-premises customers running specific Work products. At this time, these vulnerabilities do not apply, or have been mitigated for iManage Cloud customers with zero impact to any customer data.
What is the Impact + Mitigation for CVE-2021-40438 (Mod_Proxy)?
Some iManage on-premises products are installed with a version of Apache that is impacted by this vulnerability (all versions including and earlier than Apache HTTP Server 2.4.48 and earlier). With a vulnerable version of Apache, remote, unauthenticated attackers can force vulnerable HTTP servers to forward requests to arbitrary servers via the mod_proxy component, giving them the ability to access resources that should be unavailable.
The products potentially impacted by this issue are:
- All 9.4, 9.5 and 10.x versions of Work Server
- iManage Threat Manager 10.2 and earlier
- iManage Extract 3.x
The issue can be mitigated accordingly:
- For Work Server, update the worksite.conf file according to iManage recommendations to add a rewrite action for attempts to access the unix: query string. A future version of Work will update the Apache version to a newer release.
- For iManage Threat Manager, schedule an upgrade to version 10.2.0.1 which includes an updated version of Apache.
- For iManage Extract 3.x, verify, and update the Apache component manually.
*** Note Well *** iManage systems exposed to the internet through Work Anywhere should be prioritized for evaluating potential impact, however, may not be vulnerable depending on the external security configuration.
What is the Impact + Mitigation for CVE-2021-44228 (Log4j2)?
Apache Log4j2 is a logging tool used with many iManage java-based products. The vulnerability allows an attacker to control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
*** Note Well *** iManage Work Server is not impacted by this vulnerability.
The products potentially impacted by this issue are:
- iManage Work Indexer 10.3 and Later (used with SPM only)
- iManage Work Indexer powered by RAVN 10.3.x
- iManage Records Manager 10.3.x and later
- iManage Security Policy Manager
- iManage Threat Manager
The issue can be mitigated by disabling message lookup substitution for each of the affected components.
Helient can offer assistance evaluating the risk and remediating these vulnerabilities or reviewing the overall state of security within the iManage environment. Please contact our experts at service@helient.com.