Okta’s response to CVE-2021-44228 (“Log4Shell”)

David Bradbury

Last Updated: 1/12/2022 3.30pm Pacific Time

The Okta Security team continues to investigate and evaluate the Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228), also known as Log4Shell.

Log4j is a Java-based logging utility found in a wide number of software products.

The vulnerability was disclosed by the Apache Log4j project on Thursday, December 9, 2021. If exploited, it could potentially allow a remote attacker to execute code on the server if the system logs an attacker-controlled string value on an affected endpoint.

As soon as Okta learned of this vulnerability, we promptly evaluated all cloud-hosted systems and customer premise agents to determine what might be impacted and methodically set about remediating any exposure.

This page will be updated over the coming days as more information becomes available.

Affected Products

Okta took prompt action to patch and mitigate the potential impact of this vulnerability on the Okta Identity service.

We strongly recommend customers apply the following updates to customer agents, available from within the Okta Admin Console:

The following products and components are NOT impacted by this issue:

  • Advanced Server Access
  • Confluence Authenticator
  • End user browser plugins:

    • Chrome
    • Firefox
    • Safari
    • Chromium Edge
    • Legacy Edge
    • Internet Explorer.
  • Jira Authenticator
  • Okta Access Gateway
  • Okta AD Agent
  • Okta Browser Plugin
  • Okta IWA Web Agent
  • Okta LDAP Agent
  • Okta MFA Credential Provider for Windows
  • Okta MFA provider for ADFS
  • Okta Mobile
  • Okta People Picker for Sharepoint (2010, 2013, 2016)
  • Okta Provisioning Connector Tester
  • Okta Provisioning Agent
  • Password Sync Agent
  • Okta Device Trust Windows Agent
  • Okta Workflows
  • Okta Verify

Other mitigations

We also recommend customers check whether any other (non-Okta) software they are running may be impacted and check in with applicable vendors for available patches.

Customers unable to patch affected software should also consider the mitigation strategies outlined below.

  • Deploy a WAF with rules specific to the exploitation observed around this vulnerability.
  • In Log4j versions from 2.10 to 2.14.1:
    • Set the system property log4j2.formatMsgNoLookups to true, or
    • Remove the JndiLookup class from the classpath. For example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Next Steps

The Okta Security team will continue to provide updates as necessary in this document.

Updates

Okta continues to monitor and enhance our detection capabilities as new methods of exploitation arise.

Update (1/12/2022 3.30pm Pacific Time): 

Okta found no evidence that either Okta RADIUS Server Agent 2.17.1 or Okta On-Prem MFA Agent 1.4.7 agents were impacted by CVE-2021-45105, due to preconditions that must exist for this vulnerability to be exploitable. We have nonetheless released updated versions of both agents which patches the vulnerability reported in CVE-2021-45105.

We have further assessed CVE-2021-44832 in Log4j. Again, due to the preconditions that must exist for this vulnerability to be exploitable, we have assessed that neither the Okta core service nor any of the Okta agents are vulnerable. We will release further patches as part of our normal update cycle.

Update (12/20/2021 12:30pm Pacific Time)

We have assessed CVE-2021-45105 in log4j. Due to the preconditions that must exist for this vulnerability to be exploitable neither the Okta core service nor any of the Okta agents are vulnerable. We will release further patches as part of our normal update cycle.

Update (12/18/2021 07:45am Pacific Time)

As a result of our ongoing investigation and review related to the updated criticality of CVE-2021-45046, we strongly recommend customers apply the following updates to customer agents, available from within the Okta Admin Console:

We also recommend customers check whether any other (non-Okta) software they are running may be impacted and check in with applicable vendors for available patches. We will continue to monitor all developments related to these vulnerabilities, and will provide additional updates and guidance as needed.

Update (12/17/2021 10:10am Pacific Time)

Okta is aware of new information regarding the criticality of CVE-2021-45046, and is currently investigating what additional actions or mitigations may be needed.

The change score from low to critical in CVE-2021-45046 reflects the determination that this vulnerability can now be exploited to gain remote code execution (RCE) under a very specific set of conditions. It is important to note that this increase in impact was uncovered by whitehat security researchers who disclosed it as soon as it was confirmed. There are no known signs of CVE-2021-45046 being exploited in the wild at this point.

Given the evolving and fluid nature of the vulnerabilities with log4j, we are actively monitoring all developments. Our investigation is ongoing, and more information will be provided as soon as it is available.

Update (12/16/2021 9:00am Pacific Time)

In light of CVE-2021-45046, and after monitoring for additional vulnerabilities and exploit development, Okta has deployed further mitigations and patches for components of the Okta Identity service that used the Log4j library.

No further actions are required of customers at this time. 

Update (12/14/2021 6:00pm Pacific Time):

Okta is currently investigating whether any further patches and mitigations are required in light of CVE-2021-45046, a second, related vulnerability discovered in Log4j. We will publish a separate blog post if we assess that customers need to take any further actions.

Update (1/7/2022 9:00am Pacific Time):

We have assessed CVE-2021-44832 in log4j. Due to the preconditions that must exist for this vulnerability to be exploitable, we have assessed that neither the Okta core service nor any of the Okta agents are vulnerable. We will release further patches as part of our normal update cycle.

David Bradbury
Chief Security Officer

David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. 

Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs. 

Bradbury has built an international reputation for leading and delivering cybersecurity at scale. He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. He holds a B.S. in Computer Science from the University of Sydney.