Zyxel security advisory for Apache Log4j RCE vulnerabilities

CVEs: CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105


Zyxel is aware of remote code execution (RCE) vulnerabilities in Apache Log4j and confirms that among all its product lines, ONLY NetAtlas Element Management System (EMS) is affected. Users are advised to install the applicable updates for optimal protection.


What is the vulnerability?

  • CVE-2021-44228

    Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. If the server uses a vulnerable Log4j to log requests, an attacker who can control log messages or log message parameters can execute arbitrary codes loaded from LDAP servers when message lookup substitution is enabled. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted request to a server running a vulnerable version of Log4j.

  • CVE-2021-45046

    This issue addresses an incomplete fix for CVE-2021-44228 in Apache Log4j version 2.15.0. The flaw could be abused by an attacker to craft malicious input data using a JNDI Lookup pattern resulting in a denial-of-service (DoS) attack.

  • CVE-2021-4104

    JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data. This flaw allows a remote attacker to execute arbitrary codes on the server if the deployed application is configured to use JMSAppender.

  • CVE-2021-45105

    The issue affects Apache Log4j versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) that could allow an attacker with control over Thread Context Map data to cause a denial of service (DoS) when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.


What versions are vulnerable-and what should you do?

After a thorough investigation, we’ve identified only one vulnerable product that is within its warranty and support period, and we will release a hotfix and a patch to address the issue, as shown in the table below. If a product is not listed, it is not affected.

Affected by Affected model Hotfix availability Patch availability
NetAtlas Element Management System (EMS) Dec. 20, 2021* V02.02.13(AAVV.221)C0 in end of Feb. 2022*
*Please reach out to your local Zyxel support team for the file.

Update on Jan. 21, 2022

Recent research suggested that the Mirai botnet is abusing the Log4j vulnerability, which indicated that there were scanners in the wild looking for vulnerable Log4j devices from affected vendors.

As the NetAtlas EMS is typically used by internet service providers to manage central office equipment in isolated networks, the attack surface is relatively small. We urge users to install the applicable updates immediately for optimal protection.


Got a question or a tipoff?

If you are an ISP with customized models, please contact your Zyxel sales or service representative for further information or assistance.


Revision history

2021-12-14: Initial release

2021-12-16: Update CVE IDs, vulnerable model, and its patch

2021-12-22: Update CVE IDs

2022-1-21: Update response to recent research on Mirai botnet