Patch Tuesday – December 2021

Foundation IT December 2021 Patching Blog

You’ll be glad to know, we’ve made it. The final patch Tuesday of 2021 and what a year it’s been in terms of updates. We’re going to do a summary of 2021 and have a look back at some of the vulnerabilities and their fixes from 2021. But without further ado, let's take a good look at what is occurring in December. This will be the format moving forward, I would welcome any feedback.

Dan Robinson

Technical Support Engineer

(dan.robinson@foundation-it.com)

What’s been published:

Microsoft fixes published: 67

Of which:

• Flagged as Critical: 7
• Flagged as Important: 60
• Flagged as Moderate: 0

Zero Days Discovered: 6

Major Fixes

I don’t think I can ever do Log4shell justice in this blog, but I’ll try to sum up what’s out there and what it means for you. Log4Shell is a vulnerability that is in the Apache Log4j2 Java-based logging library. All the security experts are calling this the most critical vulnerability of the year, but why is that. The zero-day tracking reference is CVE-2021-44228 and it was made public at the end of last week, believe it or not, it was first discovered in Minecraft. It is a remote code execution (RCE) vulnerability that if left unmitigated, enables a malicious actor to execute arbitrary Java code to take control of a target server. Unfortunately for us, it’s extremely easy to exploit.

What can you do to remediate this? You’ll need to apply the specific services vendor hotfix or follow the mitigation instructions. Luckily for us, due to the nature of the vulnerability, someone has put together a comprehensive list of links to various vendors where you can go and find more information for a specific vendor. You can breathe a small sigh of relief, if you have no public Internet-facing services as your attack vector is reduced from external predators, however the vulnerability will still be there and still need to be resolved quickly.

Link: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

Apache have taken swift action and have already released a fix for Log4j, but ultimately this will only help if you use Apache as a service directly. A lot of the mentions in the link above are for systems and services which have Apache built into them, therefore requiring updates to be applied to the service or system from the vendor.

Link: https://logging.apache.org/log4j/2.x/security.html

In non Log4Shell news, CVE-2021-43905 stands out this month for being flagged as Critical, as well as scoring 9.6 as a CVSS score. It’s also flagged as exploitation more likely, so this is certainly a patch to focus on applying. This CVE relates to the “Office” app, which is available from the Microsoft Store, likewise is the security update.

Finally, we also had CVE-2021-43883 which relates to an elevation of privilege on Windows Installer, not as high on the CVSS score with a 7.8, however once again exploitation is more likely. The fix for this is in your December updates for all supported operating systems, both Server and end-user.

Worthy Mentions

• Android - December security updates were released last week.
• Apache Log4j - Numerous security advisories were released for the highly problematic vulnerability sweeping the Internet.
• Apple -Released security updates for iOS, iPadOS, macOS, tvOS and watchOS.
• Cisco - Released security updates for numerous products this month, including advisories related to the Log4j vulnerability in their products.
• SAP - released its December 2021 security updates.
• VMWare - released an advisory about current patches for the Log4j vulnerability in their products.

Additional Details

All the patches can be found in the table below or alternatively downloaded here.

We have also curated a downloadable Patching Best Practice Guide.