QID 376246

Date Published: 2022-01-19

QID 376246: Ping Identity PingAccess Affected By Apache Log4j Vulnerability (Log4Shell)

PingAccess is a centralized access security solution with a comprehensive policy engine. It provides secure access to applications and APIs down to the URL level, and ensures that only authorized users access the resources they need.

Affected Versions:
All versions of PingAccess prior to version 7.0.1 are potentially vulnerable to Log4Shell vulnerability

QID Detection Logic (Authenticated):
This QID checks for vulnerable versions of PingAccess by checking the version from Windows registry.

Successful exploitation of the vulnerability may allow remote code execution and complete system compromise.

  • CVSS V3 rated as Critical - 10 severity.
  • CVSS V2 rated as Critical - 9.3 severity.
  • Solution
    Customers are advised to update to PingAccess version 7.0.1 or later. For more info please refer to Ping Identity Security Advisory

    Workaround:
    Download the zip file attached to the advisory: "pingaccess-log4j2-2.12.3-update.zip".
    Unzip this package and follow the instructions in the included README.txt to apply this update to your PingAccess systems.
    A service restart is required after applying this update.

    Vendor References

    CVEs related to QID 376246

    Software Advisories
    Advisory ID Software Component Link
    NA URL Logo support.pingidentity.com/s/article/Log4j2-vulnerability-CVE-CVE-2021-44228