Security

Edifecs Update On Apache Log4j Vulnerability

December 16, 2021

Updated December 17th: Edifecs has published release plans for remediation of all affected solutions/products on the Edifecs ServiceDesk: Edifecs Release Plans for remediating the log4j2 vulnerability. Release plans will continue to be updated regularly as remediation becomes available for each solution/product. A release notification with download and installation instructions will be sent via a mass email to all users subscribed to our mailing lists.

Edifecs is actively responding to CVE-2021-44228, the reported remote code execution vulnerability in the Apache Log4j2 Java library dubbed Log4Shell (or LogJam). This affects most major Java-based applications through a vulnerable version of the Java logging library, Log4j. A vulnerable system can be exploited when it logs a specially crafted string, which can cause it to download and run a malicious script from the attacker’s domain.

Once we became aware of the CVE, our Security Operations team launched an investigation and ran extensive scans across both our corporate and production environments. We are happy to report that no exploitable Log4j2 vulnerabilities have been found in these environments, and unauthorized connections continue to be strictly restricted. Based on our scans, this incident has not had any impact on our SaaS and hosted solutions.

On Dec. 14th, the Edifecs Security Operations team implemented the mitigation suggested by Apache (published here: https://logging.apache.org/log4j/2.x/security.html). A second scan verified that the vulnerability cannot be exploited. While this is not a full mitigation, the Apache-suggested configuration prevents the offending class from being instantiated, reducing the risk of any threat.

Late on December 14th, a new vulnerability, CVE-2021-45046, was announced. Apache has since published a new log4j2 library, which is now the recommended remediation for full mitigation, as remote code execution was still possible with the v2.15 binaries.
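As an added check for readers verifying their own deployments (example code, not part of this advisory and not Edifecs tooling), the script below walks a directory tree, opens every .jar/.war, reads the log4j-core Maven version, and reports whether the JndiLookup class (the class the Apache workaround strips) is still present, flagging 2.15 builds separately because of CVE-2021-45046. The fixed-version threshold of 2.16.0, the `demo()` fixtures, and all function names are assumptions of the example.

```python
import os
import re
import tempfile
import zipfile
# Layout of a log4j-core jar: Maven metadata and the class the Apache workaround removes.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_MIN = (2, 16, 0)  # assumption: first 2.x release that also closes CVE-2021-45046

def version_tuple(version):
    # "2.15.0" -> (2, 15, 0); non-numeric suffixes such as "-rc1" are dropped
    return tuple(int(re.match(r"\d*", p).group() or 0) for p in version.split("."))

def assess_jar(path):
    # Classify one archive; None means it does not contain log4j-core at all
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM not in names:
            return None
        props = zf.read(POM).decode("utf-8", "replace")
    version = next((line.split("=", 1)[1].strip() for line in props.splitlines()
                    if line.startswith("version=")), "0")
    has_jndi = JNDI_CLASS in names
    if version_tuple(version) >= FIXED_MIN:
        status = "fixed"
    elif not has_jndi:
        status = "mitigated"  # JndiLookup stripped: the interim Apache workaround
    elif version_tuple(version) >= (2, 15, 0):
        status = "vulnerable-CVE-2021-45046"  # 2.15 alone is not a full fix
    else:
        status = "vulnerable-CVE-2021-44228"
    return {"path": path, "version": version, "jndi_lookup": has_jndi, "status": status}

def scan_tree(root):
    # Assess every .jar/.war under root; jars nested inside wars are not opened
    paths = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs if f.endswith((".jar", ".war"))]
    return [r for r in (assess_jar(p) for p in paths) if r]

def make_fake_jar(path, version, include_jndi):
    # Constructed fixture: a minimal archive mimicking log4j-core's layout, not a real jar
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic bytes only

def demo():
    # Three constructed jars in a temp dir, returned as {version: status}
    root = tempfile.mkdtemp()
    make_fake_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", False)
    make_fake_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0", True)
    make_fake_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0", True)
    return {f["version"]: f["status"] for f in scan_tree(root)}
```

Run `scan_tree("/path/to/deployment")` against a real install to get one record per archive; shaded or nested jars need the archive unpacked first.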

For any further questions or assistance, please feel free to reach out to our Product Support team via the Edifecs ServiceDesk: https://support.edifecs.com, send an email to support@edifecs.com, or call us at 1-855-333-4462, and we’d be happy to help. We recommend monitoring this page for the latest updates and recommendations.

We want you to know that we take this and all security vulnerabilities seriously. We hope this information helps you to rest easy knowing that we take your solution and operational security seriously. More updates will be published on our response page: Edifecs Update on Apache Log4j Vulnerability and the Edifecs ServiceDesk portal: https://support.edifecs.com.

Useful links:
https://logging.apache.org/log4j/2.x/security.html
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-45046