Sticky

Apache Log4j Security Vulnerability issue

  • 14 December 2021
  • 1 reply
  • 136 views

Badge +1

Updated: 30-12-2021 17:15

Over the past few weeks, you may have read the many news items concerning the major security vulnerability in the Apache Log4j 2-library.

This critical vulnerability in the Apache Log4j 2-library makes remote code execution possible, which gives malicious parties the ability to remotely inject and execute arbitrary code with the rights of the java application. Because this software is widely used, the risk is severe. In fact, this vulnerability has already been assessed with a risk score of 10 (the most critical level).

For more detailed information on the vulnerabilities, please refer to the CVE articles CVE-2021-44228 , CVE-2021-45046, CVE-2021-44832.  

Since Sunday December 12th, we continue to follow the developments about this vulnerability in the Apache Log4j 2-library. We have concluded that this component is used in the USoft Services Framework and Page Engine for the USoft 10 and USoft 9.1 version. Log4j libraries are not used in USoft 9.0 and lower versions.

Furthermore, there are no risks in cases where logging is handled behind a Web Application Firewall. I.e. as long as no direct external access to logging services is enabled in e.g. a (3rd party) logging farm.

 

What did we do?

Following the initial news regarding this vulnerability issue, USoft released an updated version for USoft 9.1 and USoft 10 that include an update to the Apache Log4j 2.17 library on Wednesday December 22th. As mentioned, USoft version 9.0 and older are not affected by this vulnerability.  

This week we unfortunately became aware that the Apache Log4j 2.17 library is again updated with a newer 2.17.1 version due to additional risks imposed by CVE-2021-44832.

It is important to emphasize that though USoft makes use of Apache Log4j libraries, the USoft platform and USoft Studio are not exposed to the exploits that are currently addressed as high risk (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832). 

In order to service our customers and partners the best way possible, we are working on new fixes for both USoft 9.1 and USoft 10. These will be updated with the latest Apache Log4j 2.17 library. These fixes are made available on Thursday December 30th.  
 
With regards to USoft Studio we wish to inform you that this product also uses an Apache Log4j 2-library, which is also updated to the 2.17 version on Wednesday December 22nd.
 

USoft will keep monitoring developments regarding this issue. When there are any relevant new developments about this issue, we will inform our customers and partners via email and our community platform.  

Beside these important actions, we wish you to know that our Intrusion Detection and Intrusion Prevention systems actively work on detecting and preventing malicious queries, including the recent log4j exploits. USoft Studio and all its users are continuously guarded from such attacks before they can show up on our servers.
 

What can you do?

The most important thing is to download and install the USoft 10.0.1C_2171 release or the USoft 9.1.1U release as soon as possible. In addition, we strongly recommend that you check whether logging is handled behind a Web Application Firewall or your IDS/IPS system. If this is not the case, we strongly advise you to check whether unauthorized access to the logging has taken place and to ensure that logging takes place behind a Web Application Firewall or IDS/IPS system until the updated USoft version is installed.

In addition, when you have any questions concerning your specific USoft application, application architecture and infrastructure, please do not hesitate to contact us directly. Our experts are available to assist in evaluating your situation and provide additional advice or support when needed.

Finally, it is strongly advised to assess whether your organization is subject to any additional risks as a result of this security vulnerability. When this is the case, please ensure that you update your Apache Log4j 2-labraries to the latest  Apache Log4j 2 version as soon as possible.

 

We remain available for your assistance

Please do not hesitate to contact us  with any questions or comments you may have. Our customer success team is ready to answer your questions.

 


1 reply

Apache Log4j 2-library, version 2.16 also contains Security Vulnerabilities, according to 

https://logging.apache.org/log4j/2.x/security.html, there should be risk of denial of service. 

 

Are you considering to release new USoft versions with the Apache Log4j 2-library, version 2.17 ?

Reply