Log4j Zero Day Vulnerability – Tracked as CVE-2021-44228


  • #119423
    Don Martin
    Participant

    Our Cyber Security team has alerted us to a zero day vulnerability in Log4j, and I’ve looked into whether or not our Cloverleaf interface engine is affected by this vulnerability. It turns out we are on a version of CL that uses Log4j version 1.2.17 and thus appear to not be affected, as only versions >=2.0-beta9 and <=2.14 are listed in the exploit published on github.

    However, the GitHub page did post the following statement about previous versions of Log4j, which seems a little concerning.
    “The versions 1.x have other vulnerabilities; we recommend that you update to the latest version (of Log4j).”

    Are there any other organizations out there that have been looking at this issue and can share their comments? Does Infor have any comments they can share?

    Thanks,
    Don

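One practical way to answer "which Log4j are we actually shipping?" for a host is to inventory the jars on disk and sort them against the version range quoted above (>=2.0-beta9 and <=2.14 affected by CVE-2021-44228; 1.x outside that range but end-of-life). The script below is an added example, not code from the original thread or from Infor; it reads the version from the jar filename or, failing that, from the jar's own META-INF/MANIFEST.MF, and the sample jar tree it builds for the demo is constructed in a temporary directory.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Range quoted in the thread: Log4j >= 2.0-beta9 and <= 2.14 (any 2.14.x) is affected
# by CVE-2021-44228. 1.x is outside that range but end-of-life with other known issues.
AFFECTED_MIN = "2.0-beta9"
AFFECTED_MAX_MAJOR_MINOR = (2, 14)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.I)
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}   # pre-releases sort before the final release


def parse_version(text):
    """'2.0-beta9', '2.14.1' or '1.2.17' -> comparable tuple, or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre, pre_num = m.groups()
    rank = 3 if pre is None else _PRE_RANK[pre.lower()]
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))


def classify(version_text):
    """Place a Log4j version relative to the range quoted in the thread."""
    v = parse_version(version_text)
    if v is None:
        return "UNKNOWN"
    if v[0] == 1:
        return "V1_EOL"   # not in the CVE-2021-44228 range, but unsupported (see thread)
    if parse_version(AFFECTED_MIN) <= v and (v[0], v[1]) <= AFFECTED_MAX_MAJOR_MINOR:
        return "AFFECTED"
    return "OUTSIDE_QUOTED_RANGE"   # outside the range quoted here; check the vendor statement


# log4j-1.2.17.jar (1.x naming) or log4j-core-2.14.1.jar (2.x naming)
_JAR_RE = re.compile(r"^log4j(?:-core)?-(\d[\w.\-]*)\.jar$", re.I)


def version_from_jar(path):
    """Version from the filename, falling back to Implementation-Version in the manifest."""
    m = _JAR_RE.match(path.name)
    if m:
        return m.group(1)
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    if "log4j" not in manifest.lower():   # a renamed jar still names itself in the manifest
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def scan_directory(root):
    """Walk root and return {relative jar path: classification} for every Log4j jar found."""
    root = Path(root)
    results = {}
    for jar in sorted(root.rglob("*.jar")):
        version = version_from_jar(jar)
        if version is not None:
            results[jar.relative_to(root).as_posix()] = classify(version)
    return results


def build_sample_tree(root):
    """Constructed sample jars (a manifest and nothing else) so the demo runs offline."""
    root = Path(root)
    samples = {
        "lib/log4j-1.2.17.jar": ("log4j", "1.2.17"),
        "lib/log4j-core-2.0-beta9.jar": ("log4j-core", "2.0-beta9"),
        "lib/log4j-core-2.14.1.jar": ("log4j-core", "2.14.1"),
        "lib/log4j-core-2.15.0.jar": ("log4j-core", "2.15.0"),
        "lib/renamed-logging.jar": ("log4j-core", "2.13.3"),   # only the manifest reveals it
        "lib/other-1.0.jar": ("other", "1.0"),                 # unrelated jar, must be skipped
    }
    for rel, (title, version) in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        manifest = (f"Manifest-Version: 1.0\nImplementation-Title: {title}\n"
                    f"Implementation-Version: {version}\n")
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return root


def demo():
    """Scan the constructed tree; point scan_directory at a real install to use it for real."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_directory(build_sample_tree(tmp))


if __name__ == "__main__":
    for jar, verdict in demo().items():
        print(f"{verdict:22} {jar}")
```

The filename check alone misses jars that were renamed or repackaged, which is why the manifest fallback is there; conversely a jar inventory only tells you what is on disk, not what the engine loads, so the result is a starting point to reconcile against the vendor statement rather than a final verdict.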
    • #119427
      Rob Abbott
      Keymaster

      Hi Don

      We’ll have a statement out soon – hopefully later today.

      Some quick notes while the draft statement is under review:

      As you note we ship version 1 of log4j which does not contain this vulnerability. It is an old version and we’ll evaluate upgrading it in a future release.

      A known vulnerability in v1 (https://logging.apache.org/log4j/1.2/) is in the log4j socket server, which we do not use.

      We do intensive source code scans, penetration tests, and vulnerability tests before each release and so far none of these have indicated vulnerabilities with our use of log4j v1.

      Thank you

      Rob Abbott
      Cloverleaf Emeritus

    • #119428
      Rob Abbott
      Keymaster

      Statement regarding this issue is now available on the Infor Support portal knowledge base:

      https://support.infor.com/espublic/EN/AnswerLinkDotNet/SoHo/Solutions/SoHoViewSolution.aspx?SolutionID=2228969

      Rob Abbott
      Cloverleaf Emeritus

    • #119429
      Don Martin
      Participant

      Thanks Rob, appreciate the quick reply!

      Don

    • #119438
      Ab Lugtenburg
      Participant

      Hi Rob,

      Just one quick question: does this research by Infor also involve the webserver used for the API?
      Just asking because we use this once a day, and so the webserver is running.

    • #119445
      Rob Abbott
      Keymaster

      Hi Ab, I don’t quite understand your question.

      The webserver that hosts the CLAPI uses log4j core v1 which is not vulnerable to CVE-2021-44228.

      Rob Abbott
      Cloverleaf Emeritus

    • #119467
      lauri buijs
      Participant

      Hi Rob,

      Just a quick follow up question:

      You state: “It is an old version and we’ll evaluate upgrading it in a future release.”
      Is there any timeframe we can expect for this?

      As version 1 is no longer supported and other (minor) vulnerabilities exist in this product?

      Hope to hear from you soon!
      Merry Christmas,

      Lauri
