Skip to Main Content

Legal

Log4j Vulnerability Update

Early December 2021, vulnerabilities were reported in the Apache Log4j libraries from 2.0 to 2.15, which could compromise the systems running it, allowing an attacker to execute arbitrary code.

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228 (December 9)
  2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 (December 14)

Fresche Solutions is conducting a product-by-product review to identify any potential risks or impacts by the reported remote code execution vulnerability in the Apache Log4j utility.

Below is a list of the products we’ve evaluated and their status related to the Apache Log4j utility vulnerabilities:

A special Fresche knowledge base article has also been set up within the customer portal that contains additional details, product download information and reference material.

Products Impacted

Updated information on how to resolve the Log4j utility vulnerability can be found for each impacted product on the links below:

Products not impacted

Fresche’s initial analysis has determined that the following Fresche Products are not susceptible to the Log4j 2.x vulnerabilities.

      • AMXW
      • Autobahn and Speedweb
      • Catapult/Spool-Explorer
      • Esperant
      • FastFax/Formtastic
      • Media
      • N-Focus
      • Newlook and Openlook
      • Nexus
      • OpenERP
      • Presto
      • ProGen, File-Flash Plus, DB-Gen and Documint
      • SoftBase
      • X-Replay

 

Fresche’s recommendations to its clients:

We highly recommend companies running Apache Log4j take the following actions:

      • Monitor this page regularly for remediation directives regarding your Fresche Solutions products as they become available.
      • Our analysis covers Fresche products, we highly recommend you check for vulnerable versions of Apache Log4j in your environments and applications. Reference material can be found on the Apache.orgLog4j Security Vulnerability page

The Apache Log4j utility is a commonly used component for logging requests. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j version from 2.0 to 2.15 could be compromised and allow an attacker to execute arbitrary code.

On December 10, 2021, NIST published a critical Common Vulnerabilities and Exposure alert, CVE-2021-44228 [https://nvd.nist.gov/vuln/detail/CVE-2021-44228]. More specifically, Java Naming Directory Interface (JNDI) features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.

If you have workloads you believe may be vulnerable, you can read further details on the NIST website https://nvd.nist.gov/vuln/detail/CVE-2021-44228