Detecting Threats Across the Open, Deep
and Dark Web With Infinity ERM
Four Ways to SASE
It's Here!
CPX 2025 Content
Remote Access VPN – User Experience
Help us with the Short-Term Roadmap
CheckMates Go:
What is UPPAK?
Hello CheckMates,
I guess most of you have already seen the fresh CVE-2021-44228 - Log4j vulnerability - Log4Shell and thought about the impact it will have in the enterprise application landscape.
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://www.lunasec.io/docs/blog/log4j-zero-day/
Maybe we can use this thread to get a first statement from Check Point regarding their products (and later links to SKs) as well as discuss (probably IPS) mitigations.
One more thing.
Checkpoint Harmony protects below stuff which is related to log4j?
I just listed to SANS podcast on the exploit, they mentioned that client apps could also be vulnerable. Has Check Point confirmed that SmartConsole or CPUSE are not vulnerable?
When we say "Security Gateway" and "Security Management" are not affected, things like this are included.
Hi @David_C1, I understand the concerns, but this question was asked and answered here multiple times👆🏻
Hi,
I understand the frustration, but those questions are coming because description is very generic. For example although "security gateway" is listed, would that include Mobile Access blade too?
As @PhoneBoy said above,
"When we say "Security Gateway" and "Security Management" are not affected, things like this are included."
In simple terms, none of our products is using the affected library.
Also, here is another quote from the same sk176865:
"The Check Point Infinity architecture is protected against this threat. We verified that this vulnerability does not affect our Infinity portfolio (including Quantum Gateways, SMART Management, Harmony Endpoint, Harmony Mobile, SMB, ThreatCloud and CloudGuard)."
I understand that many people are nervous now, as this is a serious threat (thats why I created this CheckMates thread on friday to have a space to discuss it).
Check Point told us multiple times, that they are unaffected with their product family and now Val shared the fact, that it is because they are not using the affected library.
I just did a fast check on a R80.40 SMS and can confirm that while a log4j-core-2.12.0.jar is laying there under /opt/CPuepm-R80.40/engine/lib/, it does not seem to be loaded.
Because I was pretty sure, that CP is using log4j in their products, I checked the loaded java processes. And there I could see, that they are using log4j 1.2.
This means they are right, that they are not affected by CVE-2021-44228, because this exploit does not work in log4j 1.2 without JMSAppender beeing used (and it does not look like it is).
However, log4j 1.2 is end of life since 2015 which means that there might be other risks.
As with other older software, Check Point uses inside of their products and which is not patched anymore by their original maintainers, we have to hope that Check Point R&D patches it themself or take other precausions, that security issues cannot be exploited.
Generally, I (and I think some other Check Mates would agree with me) would like it, if nobody uses software in their products, which is end of life by their maintainers. But we all know how the enterprise software industry works, right? This is not a Check Point only problem.
Details:
[Expert@SMS-Example:0]# find / -name "log4j-core*.jar"
/opt/CPuepm-R80.40/engine/lib/log4j-core-2.12.0.jar
[Expert@SMS-Example:0]# ps -edalf | grep java
4 S admin 2595 1 0 80 0 - 1873700 futex_ Sep25 ? 01:10:22 /opt/CPshrd-R80.40/jre_64/bin/java -Xmx4096m -Xms128m -Xshar
4 S admin 7864 7767 0 80 0 - 1103890 futex_ Sep25 ? 09:49:53 /opt/CPshrd-R80.40/jre_64/bin/java -D_vSEC=TRUE -Xdump:direc
4 S admin 8195 7627 38 99 19 - 32722230 futex_ Sep25 ? 30-09:06:35 /opt/CPshrd-R80.40/jre_64/bin/java -D_solr=TRUE -Xdump:di
4 S admin 8213 7627 0 99 19 - 1190465 futex_ Sep25 ? 02:42:13 /opt/CPshrd-R80.40/jre_64/bin/java -D_RFL=TRUE -Xdump:direct
4 S admin 8238 7627 0 80 0 - 1464978 futex_ Sep25 ? 19:07:38 /opt/CPshrd-R80.40/jre_64/bin/java -D_smartview=TRUE -Xdump:
4 S admin 8724 7627 0 80 0 - 772185 futex_ Sep25 ? 00:00:41 /opt/CPshrd-R80.40/jre_64/bin/java -D_RepositoryManager=TRUE
4 S admin 12335 11940 0 80 0 - 662 pipe_w 10:52 pts/2 00:00:00 grep --color=auto java
4 S admin 14275 7627 2 80 0 - 3095046 futex_ Sep25 ? 1-21:49:08 /opt/CPshrd-R80.40/jre_64/bin/java -D_CPM=TRUE -Xaot:force
4 S admin 17841 1 0 80 0 - 1671 do_wai Oct06 ? 00:00:00 /bin/su -s /bin/sh -c /opt/CPshrd-R80.40/jre_64/bin/java -Dj
4 S cp_exte+ 17843 17841 0 80 0 - 856129 futex_ Oct06 ? 01:07:57 /opt/CPshrd-R80.40/jre_64/bin/java -Djava.io.tmpdir=/opt/CPs
4 S admin 20666 14275 2 80 0 - 2099273 futex_ Sep25 ? 1-18:42:12 /opt/CPshrd-R80.40/jre_64/bin/java -D_CPM_SOLR=TRUE -Xmx40
[Expert@SMS-Example:0]# cat /proc/2595/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-Xmx4096m-Xms128m-Xshareclasses:none-Dfile.encoding=UTF-8-Djetty.home=/opt/CPshrd-R80.40/jetty-Djava.io.tmpdir=/opt/CPsuite-R80.40/fw1/tmp-Djetty.state=/opt/CPsuite-R80.40/fw1/api/conf/jetty.state-DSTOP.PORT=8078-DSTOP.KEY=checkpointkey-Dlog4j.configuration=file:/opt/CPsuite-R80.40/fw1/api/conf/log4j.properties-Dtdlog.logDir=/opt/CPsuite-R80.40/fw1/log-Dtdlog.web_api.logFile=api.elg-Dtdlog.output.appender=elgfile-Dtdlog.web_api.csvFile=api.csv-Dtdlog.output.csv.appender=csvfile-Djetty.host=0.0.0.0-Dpath=/opt/CPsuite-R80.40/fw1/api/lib/web_api_jetty.jar:-Xdump:directory=/var/log/dump/usermode-Xdump:heap:events=gpf+user-Xdump:system:none-Xdump:system:events=gpf+abort+traceassert+corruptcache-Xdump:tool:none-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh WEB_API %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=2,range=1..0,exec=javaCompress.sh WEB_API %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,priority=1,exec=kill -9 %pid-jar/opt/CPshrd-R80.40/jetty/start.jarOPTIONS=Server/opt/CPsuite-R80.40/fw1/api/conf/jetty.xml
[Expert@SMS-Example:0]# cat /proc/7864/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-D_vSEC=TRUE-Xdump:directory=/var/log/dump/usermode-Xdump:heap:events=gpf+user-Xdump:tool:none-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh vSEC %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=1,range=1..0,exec=javaCompress.sh vSEC %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,exec=kill -9 %pid-Xaggressive-Xshareclasses:none-Xgc:scvTenureAge=1,noAdaptiveTenure-Dcpdiag=mainClass-Xmx1024m-Dfwdir=/opt/CPsuite-R80.40/fw1-Dlog4j.configuration=file:///opt/CPvsec-R80.40/lib/log4j.properties-cp/opt/CPvsec-R80.40/lib/*:/opt/CPsuite-R80.40/fw1/cpm-server/*:/opt/CPsuite-R80.40/fw1/VE/bin/*com.checkpoint.datacenter.Main127.0.0.1
[Expert@SMS-Example:0]# cat /proc/8195/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-D_solr=TRUE-Xdump:directory=/var/log/dump/usermode-Xdump:heap:events=gpf+user-Xdump:tool:none-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh solr %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=1,range=1..0,exec=javaCompress.sh solr %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,exec=kill -9 %pid-Xaggressive-Xshareclasses:none-Xgc:scvTenureAge=1,noAdaptiveTenure-Xmx29420m-Xms256m-Dcp.ssl.tls.version=1-Dorg.terracotta.quartz.skipUpdateCheck=true-Xdump:system:none-Dlog4j.configuration=file:/opt/CPrt-R80.40/conf/solr.log4j.properties-Dpath=/opt/CPrt-R80.40/jars/aspectjrt-1.7.0.jar:/opt/CPrt-R80.40/jars/commons-io-2.3.jar:/opt/CPrt-R80.40/jars/commons-lang-2.6.jar:/opt/CPrt-R80.40/jars/cxf-core-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-java2ws-plugin-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-bindings-soap-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-bindings-xml-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-databinding-aegis-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-databinding-jaxb-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-frontend-jaxws-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-frontend-simple-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-javascript-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-transports-http-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-transports-http-jetty-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-ws-addr-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-ws-policy-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-wsdl-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-common-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-java2ws-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-validator-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-wsdlto-core-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-wsdlto-databinding-jaxb-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-wsdlto-frontend-jaxws-3.1.0.jar:/opt/CPrt-R80.40/jars/java_is.jar:/opt/CPrt-R80.40/jars/java_sic.jar:/opt/CPrt-R80.40/jars/jaxb-xjc-2.2.11.jar:/opt/CPrt-R80.40/jars/jetty_assist.jar:/opt/CPrt-R80.40/jars/stax2-api-3.1.4.jar:/opt/CPrt-R80.40/jars/woodstox-core-asl-4.4.1.jar:/opt/CPrt-R80.40/jars/wsdl4j-1.6.3.jar:/opt/CPrt-R80.40/jars/xmlschema-core-2.2.1.jar:/opt/CPsuite-R80.40/fw1/cpm-server/jackson-annotations-2.5.0.jar:/opt/CPsuite-R80.40/fw1/cpm-server/jackson-core-2.5.0.jar:/opt/CPsuite-R80.40/fw1/cpm-server/jackson-databind-2.5.0.jar:-Dsolr.log=/opt/CPrt-R80.40/log/solr.log-DSTOP.PORT=7210-DSTOP.KEY=log_infra-jarstart.jar/opt/CPrt-R80.40/conf/jetty.xml
[Expert@SMS-Example:0]# cat /proc/8213/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-D_RFL=TRUE-Xdump:directory=/var/log/dump/usermode-Xdump:heap:events=gpf+user-Xdump:tool:none-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh RFL %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=1,range=1..0,exec=javaCompress.sh RFL %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,exec=kill -9 %pid-Xaggressive-Xshareclasses:none-Xgc:scvTenureAge=1,noAdaptiveTenure-Xmx1024m-Xms96m-Dcp.ssl.tls.version=1-Dorg.terracotta.quartz.skipUpdateCheck=true-Dupgrade.cores.count=-Dfile.encoding=UTF-8-DreportingServer.conf.dir=/opt/CPrt-R80.40/conf-Dlog4j.configuration=file:/opt/CPrt-R80.40/conf/rfl.log4j.properties-DReportingServer.log=/opt/CPrt-R80.40/log-cp/opt/CPrt-R80.40/jars/*com.checkpoint.core.LogCore-typejms
[Expert@SMS-Example:0]# cat /proc/8238/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-D_smartview=TRUE-Xdump:directory=/var/log/dump/usermode-Xdump:heap:events=gpf+user-Xdump:tool:none-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh smartview %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=1,range=1..0,exec=javaCompress.sh smartview %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,exec=kill -9 %pid-Xaggressive-Xshareclasses:none-Xgc:scvTenureAge=1,noAdaptiveTenure-Xmx2048m-Xms512m-Djava.io.tmpdir=/opt/CPrt-R80.40/tmp-Dfile.encoding=UTF-8-DDedicatedServer=false-DIsMLM=false-DTaskExecThreads=4-Dlog4j.configuration=file:/opt/CPrt-R80.40/conf/smartview.log4j.properties-Dorg.terracotta.quartz.skipUpdateCheck=true-DRTDIR=/opt/CPrt-R80.40-Dpath=/opt/CPrt-R80.40/jars/aspectjrt-1.7.0.jar:/opt/CPrt-R80.40/jars/commons-io-2.3.jar:/opt/CPrt-R80.40/jars/commons-lang-2.6.jar:/opt/CPrt-R80.40/jars/cxf-core-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-java2ws-plugin-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-bindings-soap-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-bindings-xml-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-databinding-aegis-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-databinding-jaxb-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-frontend-jaxws-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-frontend-simple-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-javascript-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-transports-http-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-transports-http-jetty-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-ws-addr-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-ws-policy-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-wsdl-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-common-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-java2ws-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-validator-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-wsdlto-core-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-wsdlto-databinding-jaxb-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-wsdlto-frontend-jaxws-3.1.0.jar:/opt/CPrt-R80.40/jars/java_is.jar:/opt/CPrt-R80.40/jars/java_sic.jar:/opt/CPrt-R80.40/jars/jaxb-api-2.2.7.jar:/opt/CPrt-R80.40/jars/jaxb-core-2.2.7.jar:/opt/CPrt-R80.40/jars/jaxb-impl-2.2.7.jar:/opt/CPrt-R80.40/jars/jaxb-xjc-2.2.11.jar:/opt/CPrt-R80.40/jars/neethi-3.0.3.jar:/opt/CPrt-R80.40/jars/rfl_sic.jar:/opt/CPrt-R80.40/jars/smartview-jetty.jar:/opt/CPrt-R80.40/jars/woodstox-core-asl-4.4.1.jar:/opt/CPrt-R80.40/jars/wsdl4j-1.6.3.jar:/opt/CPrt-R80.40/jars/xmlschema-core-2.2.1.jar:-DSTOP.PORT=8079-DSTOP.KEY=smartview-jarstart.jarOPTIONS=Server,resources,websocket/opt/CPrt-R80.40/conf/smartview-jetty.xml/opt/CPrt-R80.40/conf/smartview-service-jetty.xml
[Expert@SMS-Example:0]# cat /proc/8724/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-D_RepositoryManager=TRUE-Xdump:directory=/var/log/dump/usermode-Xdump:heap:events=gpf+user-Xdump:tool:none-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh RepositoryManager %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=1,range=1..0,exec=javaCompress.sh RepositoryManager %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,exec=kill -9 %pid-Xaggressive-Xshareclasses:none-Xgc:scvTenureAge=1,noAdaptiveTenure-jarRepositoryManager.jar
[Expert@SMS-Example:0]# cat /proc/14275/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-D_CPM=TRUE-Xaot:forceaot-Xmx8192m-Xms192m-Xgcpolicy:optavgpause-Djava.io.tmpdir=/opt/CPsuite-R80.40/fw1/tmp-Xaggressive-Xshareclasses:none-Djava.security.krb5.conf=/opt/CPsuite-R80.40/fw1/conf/krb5.conf-Xjit:exclude={java/lang/invoke/MutableCallSiteDynamicInvokerHandle.invokeExact_thunkArchetype_X*},exclude={java/lang/invoke/GuardWithTestHandle.invokeExact_thunkArchetype_X*},exclude={java/lang/invoke/*.invokeExact_thunkArchetype_X*},exclude={com/checkpoint/management/dleserver/coresvc/internal/SchemaMgrSvcImpl.getClassInfo*},exclude={com/checkpoint/management/object_store/ObjectStoreSessionImpl.findFieldsBySearchQueryEx*}-Xdump:directory=/var/log/dump/usermode-Xdump:heap:events=gpf+user-Xdump:tool:none-Xdump:tool:events=user,priority=1,range=1..0,exec=javaCompress.sh CPMUSER %pid-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh CPM %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=1,range=1..0,exec=javaCompress.sh CPM %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,priority=1,exec=kill -9 %pid-Dfile.encoding=UTF-8-cp/opt/CPshrd-R80.40/jars/solr-solrj-v4_8_1.jar:*com.checkpoint.management.cpm.Cpm-s
[Expert@SMS-Example:0]# cat /proc/17841/cmdline
/bin/su-s/bin/sh-c/opt/CPshrd-R80.40/jre_64/bin/java -Djava.io.tmpdir=/opt/CPsuite-R80.40/fw1/cpextensions/tmp -Dfile.encoding=UTF-8 -Djetty.state=/opt/CPsuite-R80.40/fw1/cpextensions/log/jetty.state -DSTOP.PORT=8087 -DSTOP.KEY=cpextensions_key -Dlog4j.configuration=file:/opt/CPsuite-R80.40/fw1/cpextensions/conf/cpextensions.log4j.properties -DCPEXTENSIONS_WITHIN_MANAGEMENT_SERVER=1 -DRULE_ASSISTANT_CONF_PATH=/opt/CPsuite-R80.40/fw1/cpextensions/conf -DWORKFLOW_CONF_PATH=/opt/CPsuite-R80.40/fw1/cpextensions/conf -DRULE_ASSISTANT_LOG_PATH=/opt/CPsuite-R80.40/fw1/cpextensions/log -DCP_EXTENSIONS_LOG_FILE=/opt/CPsuite-R80.40/fw1/cpextensions/log/cpextensions.elg -jar start.jar OPTIONS=Server,resources /opt/CPsuite-R80.40/fw1/cpextensions/conf/cpextensions-jetty-config.xmlcp_extensions
[Expert@SMS-Example:0]# cat /proc/17843/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-Djava.io.tmpdir=/opt/CPsuite-R80.40/fw1/cpextensions/tmp-Dfile.encoding=UTF-8-Djetty.state=/opt/CPsuite-R80.40/fw1/cpextensions/log/jetty.state-DSTOP.PORT=8087-DSTOP.KEY=cpextensions_key-Dlog4j.configuration=file:/opt/CPsuite-R80.40/fw1/cpextensions/conf/cpextensions.log4j.properties-DCPEXTENSIONS_WITHIN_MANAGEMENT_SERVER=1-DRULE_ASSISTANT_CONF_PATH=/opt/CPsuite-R80.40/fw1/cpextensions/conf-DWORKFLOW_CONF_PATH=/opt/CPsuite-R80.40/fw1/cpextensions/conf-DRULE_ASSISTANT_LOG_PATH=/opt/CPsuite-R80.40/fw1/cpextensions/log-DCP_EXTENSIONS_LOG_FILE=/opt/CPsuite-R80.40/fw1/cpextensions/log/cpextensions.elg-jarstart.jarOPTIONS=Server,resources/opt/CPsuite-R80.40/fw1/cpextensions/conf/cpextensions-jetty-config.xml
[Expert@SMS-Example:0]# cat /proc/20666/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-D_CPM_SOLR=TRUE-Xmx4096m-Xms64m-Xgcpolicy:optavgpause-Djava.io.tmpdir=/opt/CPsuite-R80.40/fw1/tmp-Xaggressive-Xshareclasses:none-Xdump:heap:events=gpf+user-Xdump:directory=/var/log/dump/usermode-Xdump:tool:none-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh CPM_SOLR %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=1,range=1..0,exec=javaCompress.sh CPM_SOLR %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,priority=1,exec=kill -9 %pid-Dsolr.solr.home=/opt/CPsuite-R80.40/fw1/Solr/solr/-DNGM.SOLR.LOG.DIR=/opt/CPsuite-R80.40/fw1/log-Djava.util.logging.config.file=/opt/CPsuite-R80.40/fw1/Solr/etc/logging.properties-DSTART=/opt/CPsuite-R80.40/fw1/Solr/start.config-Djetty.home=/opt/CPsuite-R80.40/fw1/Solr/-DSTOP.KEY=checkpointkey-DSTOP.PORT=8982-Dpath=/opt/CPsuite-R80.40/fw1/cpm-server/java_is.jar:/opt/CPsuite-R80.40/fw1/cpm-server/java_sic.jar:/opt/CPshrd-R80.40/jars/jetty_assist.jar-jar/opt/CPsuite-R80.40/fw1/Solr/start.jar
[Expert@SMS-Example:0]#
[Expert@SMS-Example:0]# ls -l /proc/2595/fd/ | grep log4j
lr-x------. 1 admin root 64 Dec 14 10:52 92 -> /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
lr-x------. 1 admin root 64 Dec 14 10:52 94 -> /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar
[Expert@SMS-Example:0]# ps -edalf | grep java
4 S admin 2595 1 0 80 0 - 1873700 futex_ Sep25 ? 01:10:22 /opt/CPshrd-R80.40/jre_64/bin/java -Xmx4096m -Xms128m -Xshar
4 S admin 7864 7767 0 80 0 - 1103890 futex_ Sep25 ? 09:49:56 /opt/CPshrd-R80.40/jre_64/bin/java -D_vSEC=TRUE -Xdump:direc
4 S admin 8195 7627 38 99 19 - 32746342 futex_ Sep25 ? 30-09:10:46 /opt/CPshrd-R80.40/jre_64/bin/java -D_solr=TRUE -Xdump:di
4 S admin 8213 7627 0 99 19 - 1190465 futex_ Sep25 ? 02:42:14 /opt/CPshrd-R80.40/jre_64/bin/java -D_RFL=TRUE -Xdump:direct
4 S admin 8238 7627 0 80 0 - 1464978 futex_ Sep25 ? 19:07:42 /opt/CPshrd-R80.40/jre_64/bin/java -D_smartview=TRUE -Xdump:
4 S admin 8724 7627 0 80 0 - 772185 futex_ Sep25 ? 00:00:41 /opt/CPshrd-R80.40/jre_64/bin/java -D_RepositoryManager=TRUE
4 S admin 14275 7627 2 80 0 - 3095046 futex_ Sep25 ? 1-21:49:28 /opt/CPshrd-R80.40/jre_64/bin/java -D_CPM=TRUE -Xaot:force
4 S admin 15413 11940 0 80 0 - 662 pipe_w 11:01 pts/2 00:00:00 grep --color=auto java
4 S admin 17841 1 0 80 0 - 1671 do_wai Oct06 ? 00:00:00 /bin/su -s /bin/sh -c /opt/CPshrd-R80.40/jre_64/bin/java -Dj
4 S cp_exte+ 17843 17841 0 80 0 - 856129 futex_ Oct06 ? 01:07:57 /opt/CPshrd-R80.40/jre_64/bin/java -Djava.io.tmpdir=/opt/CPs
4 S admin 20666 14275 2 80 0 - 2099284 futex_ Sep25 ? 1-18:42:30 /opt/CPshrd-R80.40/jre_64/bin/java -D_CPM_SOLR=TRUE -Xmx40
[Expert@SMS-Example:0]# ls -l /proc/7864/fd/ | grep log4j
lr-x------. 1 admin root 64 Dec 13 23:30 194 -> /opt/CPsuite-R80.40/fw1/cpm-server/slf4j-log4j12-1.6.1.jar
lr-x------. 1 admin root 64 Dec 13 23:30 254 -> /opt/CPsuite-R80.40/fw1/cpm-server/log4j-1.2.15.jar
[Expert@SMS-Example:0]# ls -l /proc/8195/fd/ | grep log4j
lr-x------. 1 admin root 64 Dec 13 23:30 125 -> /opt/CPrt-R80.40/jars/slf4j-log4j12-1.6.1.jar
lr-x------. 1 admin root 64 Dec 13 23:30 214 -> /opt/CPrt-R80.40/jars/log4j-1.2.15.jar
lr-x------. 1 admin root 64 Dec 13 23:30 234 -> /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
lr-x------. 1 admin root 64 Dec 13 23:30 236 -> /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar
lr-x------. 1 admin root 64 Dec 13 23:30 273 -> /opt/CPrt-R80.40/tmp/solr-webapp/webapp/WEB-INF/lib/log4j-1.2.16.jar
lr-x------. 1 admin root 64 Dec 13 23:30 647 -> /opt/CPrt-R80.40/tmp/log_indexer_proxy-webapp/webapp/WEB-INF/lib/log4j-1.2.15.jar
lr-x------. 1 admin root 64 Dec 13 23:30 651 -> /opt/CPrt-R80.40/tmp/log_indexer_proxy-webapp/webapp/WEB-INF/lib/slf4j-log4j12-1.6.1.jar
[Expert@SMS-Example:0]# ls -l /proc/8213/fd/ | grep log4j
lr-x------. 1 admin root 64 Dec 14 10:52 167 -> /opt/CPrt-R80.40/jars/log4j-1.2.15.jar
lr-x------. 1 admin root 64 Dec 13 23:30 70 -> /opt/CPrt-R80.40/jars/slf4j-log4j12-1.6.1.jar
[Expert@SMS-Example:0]# ls -l /proc/8238/fd/ | grep log4j
lr-x------. 1 admin root 64 Dec 14 10:52 135 -> /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
lr-x------. 1 admin root 64 Dec 14 10:52 137 -> /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar
lr-x------. 1 admin root 64 Dec 14 10:52 231 -> /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8082-smartview.war-_smartview-any-/webapp/WEB-INF/lib/log4j-1.2.15.jar
lr-x------. 1 admin root 64 Dec 14 10:52 242 -> /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8082-smartview.war-_smartview-any-/webapp/WEB-INF/lib/slf4j-log4j12-1.7.6.jar
lr-x------. 1 admin root 64 Dec 13 23:30 361 -> /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8084-smartview-service.war-_smartview-any-/webapp/WEB-INF/lib/log4j-1.2.15.jar
lr-x------. 1 admin root 64 Dec 13 23:30 370 -> /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8084-smartview-service.war-_smartview-any-/webapp/WEB-INF/lib/slf4j-log4j12-1.6.1.jar
[Expert@SMS-Example:0]# ls -l /proc/8724/fd/ | grep log4j
[Expert@SMS-Example:0]# ls -l /proc/14275/fd/ | grep log4j
lr-x------. 1 admin root 64 Dec 13 23:30 183 -> /opt/CPsuite-R80.40/fw1/cpm-server/slf4j-log4j12-1.6.1.jar
lr-x------. 1 admin root 64 Dec 13 23:30 243 -> /opt/CPsuite-R80.40/fw1/cpm-server/log4j-1.2.15.jar
[Expert@SMS-Example:0]# ls -l /proc/17841/fd/ | grep log4j
[Expert@SMS-Example:0]# ls -l /proc/17843/fd/ | grep log4j
lr-x------. 1 cp_extensions bin 64 Dec 14 10:52 90 -> /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
lr-x------. 1 cp_extensions bin 64 Dec 14 10:52 92 -> /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar
[Expert@SMS-Example:0]# ls -l /proc/20666/fd/ | grep log4j
lr-x------. 1 admin root 64 Dec 14 10:52 129 -> /opt/CPsuite-R80.40/fw1/Solr/solr-webapp/webapp/WEB-INF/lib/log4j-1.2.16.jar
lr-x------. 1 admin root 64 Dec 14 10:52 81 -> /opt/CPsuite-R80.40/fw1/Solr/lib/ext/log4j-1.2.16.jar
lr-x------. 1 admin root 64 Dec 14 10:52 83 -> /opt/CPsuite-R80.40/fw1/Solr/lib/ext/slf4j-log4j12-1.7.6.jar
[Expert@SMS-Example:0]# lsof | grep log4j
java 2595 admin 92r REG 253,0 481535 117574685 /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
java 2595 admin 94r REG 253,0 9711 117574687 /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar
java 7864 admin 194r REG 253,0 9753 295479 /opt/CPsuite-R80.40/fw1/cpm-server/slf4j-log4j12-1.6.1.jar
java 7864 admin 254r REG 253,0 391834 295473 /opt/CPsuite-R80.40/fw1/cpm-server/log4j-1.2.15.jar
java 8195 admin 125r REG 253,0 9753 168344187 /opt/CPrt-R80.40/jars/slf4j-log4j12-1.6.1.jar
java 8195 admin 214r REG 253,0 391834 168344157 /opt/CPrt-R80.40/jars/log4j-1.2.15.jar
java 8195 admin 234r REG 253,0 481535 117574685 /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
java 8195 admin 236r REG 253,0 9711 117574687 /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar
java 8195 admin 273r REG 253,0 481535 33579560 /opt/CPrt-R80.40/tmp/solr-webapp/webapp/WEB-INF/lib/log4j-1.2.16.jar
java 8195 admin 647r REG 253,0 396624 34167338 /opt/CPrt-R80.40/tmp/log_indexer_proxy-webapp/webapp/WEB-INF/lib/log4j-1.2.15.jar
java 8195 admin 651r REG 253,0 10023 34167342 /opt/CPrt-R80.40/tmp/log_indexer_proxy-webapp/webapp/WEB-INF/lib/slf4j-log4j12-1.6.1.jar
java 8213 admin 70r REG 253,0 9753 168344187 /opt/CPrt-R80.40/jars/slf4j-log4j12-1.6.1.jar
java 8213 admin 167r REG 253,0 391834 168344157 /opt/CPrt-R80.40/jars/log4j-1.2.15.jar
java 8238 admin 135r REG 253,0 481535 117574685 /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
java 8238 admin 137r REG 253,0 9711 117574687 /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar
java 8238 admin 231r REG 253,0 396624 67270368 /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8082-smartview.war-_smartview-any-/webapp/WEB-INF/lib/log4j-1.2.15.jar
java 8238 admin 242r REG 253,0 9139 67270380 /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8082-smartview.war-_smartview-any-/webapp/WEB-INF/lib/slf4j-log4j12-1.7.6.jar
java 8238 admin 361r REG 253,0 396624 185026096 /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8084-smartview-service.war-_smartview-any-/webapp/WEB-INF/lib/log4j-1.2.15.jar
java 8238 admin 370r REG 253,0 10023 185026105 /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8084-smartview-service.war-_smartview-any-/webapp/WEB-INF/lib/slf4j-log4j12-1.6.1.jar
java 14275 admin 183r REG 253,0 9753 295479 /opt/CPsuite-R80.40/fw1/cpm-server/slf4j-log4j12-1.6.1.jar
java 14275 admin 243r REG 253,0 391834 295473 /opt/CPsuite-R80.40/fw1/cpm-server/log4j-1.2.15.jar
java 17843 cp_extensions 90r REG 253,0 481535 117574685 /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
java 17843 cp_extensions 92r REG 253,0 9711 117574687 /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar
java 20666 admin 81r REG 253,0 481535 201367044 /opt/CPsuite-R80.40/fw1/Solr/lib/ext/log4j-1.2.16.jar
java 20666 admin 83r REG 253,0 8869 201367046 /opt/CPsuite-R80.40/fw1/Solr/lib/ext/slf4j-log4j12-1.7.6.jar
java 20666 admin 129r REG 253,0 481535 134561293 /opt/CPsuite-R80.40/fw1/Solr/solr-webapp/webapp/WEB-INF/lib/log4j-1.2.16.jar
[Expert@SMS-Example:0]# lsof | grep log4j-core-2.12.0.jar
Appreciate thoroughness here, @Tobias_Moritz.
For the matter of non-supported Open Source libraries, Check Point is responsible for maintaining and securing the whole set of products, those libraries included.
I can also assure you, there is a very serious effort put into security reviews, and although not without flaws, we do make extraordinary efforts to fix any security issues found.
Hi,
thanks Tobias for your analysis! I wanted to ask a similar question...
For me it also looks like that the JMSAppender.class isn't configured any special.
@_Val_Could you give or will Checkpoint give a official statement regarding CVE-2021-4104?
https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx
br
Ronny
@APT_Protection I am still checking with the relevant teams, but my best guess is, not vulnerable either. That said, once I have full official report, I will share.
@APT_Protection and all, thanks for your patience. The official answer is, none of our products are vulnerable for CVE-2021-4104.
Hi
While Check Point is not vulnerable, may I ask if Check Point is going to release a signature for it? If so, is there ETA?
Thanks.
It's not clear from the CVE that this can be exploited remotely over the network, thus IPS wouldn't necessarily apply.
Thank you for the reply. May I ask if there is any info and signature available for CVE-2021-45105 ? Thanks
Without a known exploit it is not easy to get a signature. We are looking into this.
Harmony Endpoint Management is using the 2.12. libraries though.
Harmony Endpoint also needs connectivity for the clients, so depending on your setup it may be accessible from the internet.
[Expert@SMS:0]# pgrep java | xargs -n 1 lsof -p | grep log4j.*2.12.*
java nnnn cpep_user 68r REG 253,2 64752 67212955 /opt/CPuepm-R81.10/engine/lib/log4j-1.2-api-2.12.0.jar
java nnnn cpep_user 69r REG 253,2 273454 67212956 /opt/CPuepm-R81.10/engine/lib/log4j-api-2.12.0.jar
java nnnn cpep_user 70r REG 253,2 1667294 67212957 /opt/CPuepm-R81.10/engine/lib/log4j-core-2.12.0.jar
java nnnn cpep_user 71r REG 253,2 12653 67212958 /opt/CPuepm-R81.10/engine/lib/log4j-jcl-2.12.0.jar
@Axel_Engeland Same as other management products, not vulnerable.
And yes, I double-checked this with R&D. We use IBM version of Java, which is not vulnerable.
There is an updated version of the exploit available that is supposed to work with ANY version of Java:
Márcio Almeida on Twitter: "Just added support to LDAP Serialized Payloads in the JNDI-Exploit-Kit. ...
IBM Java is not explicitly mentioned there, but in communication inside our task force with the we recommend against assuming protection due to the Java version.
I do not believe it is relevant. See above (quoting myself): "In simple terms, none of our products is using the affected library."
Just curious. Has anyone made a SmartEvent view yet to easier parse through logs?
Yes, this is basically what I have been doing. I was more asking about a view that might include things like IoCs.
Hello CheckMates,
I guess most of you have already seen the fresh CVE-2021-44228 - Log4j vulnerability - Log4Shell and thought about the impact it will have in the enterprise application landscape.
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://www.lunasec.io/docs/blog/log4j-zero-day/
Maybe we can use this thread to get a first statement from Check Point regarding their products (and later links to SKs) as well as discuss (probably IPS) mitigations.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 19 | |
| 9 | |
| 5 | |
| 5 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 3 |
Tue 20 May 2025 @ 10:00 AM (IDT)
Building a Scalable Cybersecurity Skill Development Program: 4 Strategies for Success - EMEATue 20 May 2025 @ 05:00 PM (CEST)
Building a Scalable Cybersecurity Skill Development Program: 4 Strategies for Success - AMERTue 20 May 2025 @ 12:00 PM (EDT)
Configuring Domain-based Site to Site VPN with Azure Virtual WAN and CloudGuard Network SecurityWed 21 May 2025 @ 05:00 PM (CEST)
TechTalk: Detecting Threats Across the Open, Deep and Dark Web With Infinity ERMTue 20 May 2025 @ 10:00 AM (IDT)
Building a Scalable Cybersecurity Skill Development Program: 4 Strategies for Success - EMEATue 20 May 2025 @ 05:00 PM (CEST)
Building a Scalable Cybersecurity Skill Development Program: 4 Strategies for Success - AMERTue 20 May 2025 @ 12:00 PM (EDT)
Configuring Domain-based Site to Site VPN with Azure Virtual WAN and CloudGuard Network SecurityWed 21 May 2025 @ 05:00 PM (CDT)
TechTalk: Detecting Threats Across the Open, Deep and Dark Web With Infinity ERMThu 22 May 2025 @ 03:00 PM (CEST)
Speed, Scale, and SASE: Reimagining Network Security - EMEAThu 22 May 2025 @ 02:00 PM (EDT)
Speed, Scale, and SASE: Reimagining Network Security - AmericasAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY
.png "Wolfgang"){kind=avatar}
