This shows you the differences between two versions of the page.
public:announcement:cve-2021-44228_log4j [2021/12/13 21:24] kirk.lim |
public:announcement:cve-2021-44228_log4j [2022/12/01 12:05] (current) kirk.lim |
Line 1: | Line 1: | ||
====== Ahsay Advisory - Log4j vulnerability (CVE-2021-44228) ====== | ====== Ahsay Advisory - Log4j vulnerability (CVE-2021-44228) ====== | ||
- | <html><br/><br/></html> | ||
- | **Announcement date:** 2021-12-13 | ||
- | <color #ed1c24>The current public release of AhsayCBS is v8.5.4.86 (as of 2021-Oct-11). Hotfixes are an Ahsay Partner Portal exclusive, found on www.ahsay.com/partners.</color> | + | **Revised:** 2022-12-01 |
+ | <html> | ||
+ | <br><br> | ||
+ | <FONT COLOR=#ed1c24>As of 2022-Jan-25, v9.1.0.0 is newest version, introducing Deduplication. </FONT> All Log4j binaries has been removed from AhsayCBS and OBM/ACB clients. | ||
+ | <br><br> | ||
+ | <FONT COLOR=#ed1c24>As of 2022-May-24, the latest Version 8 public release is v8.7.0.0. </FONT> In this release, all Log4j binaries has been replaced with "152-bytes" innocuous file, with system routine to remove. [UPDATE: 2022-11-21, hotfix v8.7.0.19 will handle log4j binary removal in the OBM/ACB "aua" directory (ref#35723).] <!--<B>Stay tuned for future Version 8, to be released in the coming weeks that will include all Version 8 hotfixes and removal of Log4j binaries.</B>--> | ||
+ | <br><br> | ||
+ | <hr> | ||
+ | <br> | ||
+ | </html> | ||
- | * AhsayCBS, AhsayOBM, AhsayACB, AhsayUBS **version 8.5.4.86 (and above)** <color #ed1c24>**are not vulnerable**</color> to CVE-2021-44228 (Log4j vulnerability). | + | <html> |
+ | <TABLE BORDER=1><TR><TD> | ||
+ | <br/> | ||
+ | <!--<FONT COLOR=#ed1c24>The current public release of AhsayCBS is v8.5.4.86 (as of 2021-Oct-11). </FONT> | ||
+ | --> | ||
+ | Hotfixes are an Ahsay Partner Portal exclusive, found on <A HREF=https://www.ahsay.com/partners>www.ahsay.com/partners</A>. | ||
+ | <br/> | ||
+ | </html> | ||
+ | |||
+ | **Announcement date:** 2021-12-13 | ||
+ | |||
+ | **Revised:** 2021-12-17 | ||
+ | |||
+ | * AhsayOBS (v6), AhsayOBSR (v6), AhsayCBS (v7/v8), AhsayOBM (v7/v8), AhsayACB (v7/v8), AhsayUBS (v6/v7/v8) are **not vulnerable** to CVE-2021-44228 (Log4j vulnerability). | ||
<html><ul><ul> | <html><ul><ul> | ||
- | The version of Log4j Ahsay products bundled does not contain the JNDILookup plugin and is not one of the affected versions. Also, remote logging feature and all logging had been disabled for Log4j Logger (set to OFF) (CVE-2019-17571). | + | While the Log4j binaries exist, the version of Log4j Ahsay products bundled does not contain the JNDILookup plugin and is not one of the affected versions. |
- | (<B>UPDATE INFO</B>: @2021-12-13, for Partner's peace of mind we will soon release a hotfix that will completely remove Log4j binaries. Check the Ahsay Partner Portal for its release in a few days.) | + | <br> |
- | </ul></ul></html> | + | Related, <FONT COLOR=#C4500E>applicable only for AhsayCBS v8.5.4.86+, the remote logging feature and all logging had been disabled for Log4j Logger (set to OFF).</FONT> |
- | * AhsayCBS, AhsayOBM, AhsayACB, AhsayUBS **version 7.17.2.127+ and prior versions (v6.29.x)** <color #ed1c24>**are not vulnerable**</color>. | + | <BR><BR>However, <FONT COLOR=red>pre-v8.5.4.86 AhsayCBS versions may be vulnerable to other vulnerabilities not associated with this CVE.</FONT> There are <B>critical</B> vulnerabilities with certain Ahsay versions, as described in <A HREF=https://wiki.ahsay.com/doku.php?id=public:announcement:critical_vulnerability_in_ahsaycbs_v7_and_v8>Ahsay Security Advisory (#26030)</A> |
+ | |||
+ | |||
+ | <!-- (<B>UPDATE INFO</B>: @2021-12-13, for Partner's peace of mind we will soon release a hotfix that will completely remove Log4j binaries. Check the Ahsay Partner Portal for its release in a few days.) | ||
+ | <BR><BR> | ||
+ | <FONT COLOR=red>Separately, there are <B>critical</B> vulnerabilities with certain Ahsay versions, as described in <A HREF=https://wiki.ahsay.com/doku.php?id=public:announcement:critical_vulnerability_in_ahsaycbs_v7_and_v8>Ahsay Security Advisory (#26030)</A> | ||
+ | </FONT> | ||
+ | --> | ||
+ | |||
+ | <BR><BR><B>NOTE:</B> If you are running any earlier version than the current release, <U>it is <b>highly advised</b> to CBS Administrators to stay up to date and upgrade to the most recent release.</U> | ||
+ | There may have been fixes for other critical bugs or vulnerabilities that have since been patched, we are unable to relist each past CBS version's history here, but you can refer to each version's Release Notes on <A HREF=https://wiki.ahsay.com>Ahsay Wiki</A>. | ||
+ | |||
+ | </ul></ul></html> | ||
* **AhsayPRD 2.0 is not vulnerable**. | * **AhsayPRD 2.0 is not vulnerable**. | ||
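Review bot: the revised explanation (the "While the Log4j binaries exist" line and the v9.1.0.0 / v8.7.0.0 paragraphs) never names the bundled Log4j version, so an administrator whose scanner flags the jar has no way to check the "is not one of the affected versions" claim; state the exact version, and for the v8.7.0.0 release list the paths of the files replaced by the 152-byte placeholder so they can be verified or whitelisted. The removed line also tied the "set to OFF" logging mitigation to CVE-2019-17571 and the revision drops that reference without saying why; either restore it or note that it no longer applies. Minor grammar in the added lines: "v9.1.0.0 is newest version" should read "is the newest version", and "All Log4j binaries has been removed" / "has been replaced" should read "have been".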
Line 19: | Line 51: | ||
* **Ahsay Mobile 1.6+ is not vulnerable**. | * **Ahsay Mobile 1.6+ is not vulnerable**. | ||
- | * AhsayMOB is unsupported. | + | * AhsayMOB is EOL and unsupported. |
+ | <html> | ||
+ | <!-- | ||
+ | </TD></TR></TABLE> | ||
+ | --> | ||
+ | </html> | ||
<html><br/><br/></html> | <html><br/><br/></html> | ||
==== EOL Reminder: ==== | ==== EOL Reminder: ==== | ||
- | **For v7.x**, starting on 2021-06-30 Ahsay announced that Version 7 is progressively desupported and will EOL on 2022-01-01. No further enhancements, development, or hotfixes will be created. https://wiki.ahsay.com/doku.php?id=public:announcement:ahsay_v7_eol | + | **For v7.x**, starting on 2021-06-30 Ahsay announced that Version 7 is progressively desupported and will EOL on 2022-01-01. No further enhancements, development, or hotfixes will be created. https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_previous_cbs-v7-eol |
**For v6.x**, on 2018-07-16 Ahsay announced that Version 6 is EOL 2018-12-31. No further enhancements, development, or hotfixes would be made. https://www.ahsay.com/blog/2018/07/16/ahsay-v6-best-effort-support/ | **For v6.x**, on 2018-07-16 Ahsay announced that Version 6 is EOL 2018-12-31. No further enhancements, development, or hotfixes would be made. https://www.ahsay.com/blog/2018/07/16/ahsay-v6-best-effort-support/ | ||
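Review bot: the commented-out `</TD></TR></TABLE>` block added after the AhsayMOB bullet is dead markup; the table opened in the first hunk is now closed at the end of the page, so delete the comment instead of leaving it in place, otherwise a later editor who uncomments it will close the table twice and break the rendered layout.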
Line 38: | Line 75: | ||
* If you are running AhsayUBS (v8.x), https://wiki.ahsay.com/doku.php?id=public:8026_faq:how_to_install_the_latest_patch_set_for_ahsayubs | * If you are running AhsayUBS (v8.x), https://wiki.ahsay.com/doku.php?id=public:8026_faq:how_to_install_the_latest_patch_set_for_ahsayubs | ||
- | * If you are running AhsayCBS (v7.x), https://wiki.ahsay.com/doku.php?id=public:5145_faq:how_to_install_the_latest_patch_set_for_ahsaycbs | + | * If you are running AhsayCBS (v7.x), https://wiki.ahsay.com/doku.php?id=public:announcement:critical_vulnerability_in_ahsaycbs_v7_and_v8 |
- | * If you are running AhsayUBS (v7.x), https://wiki.ahsay.com/doku.php?id=public:5237_faq:how_to_install_the_latest_patch_set_for_ahsayubs_version_7 | + | * If you are running AhsayUBS (v7.x), https://wiki.ahsay.com/doku.php?id=public:announcement:critical_vulnerability_in_ahsaycbs_v7_and_v8 |
* If you are running AhsayOBS or AhsayOBSR (v6.x), read "Best Practice for AhsayOBS to AhsayCBS Upgrade and Data Migration" (https://www.ahsay.com/download/download_document_v8_cbs-upgrade-key-steps.jsp) | * If you are running AhsayOBS or AhsayOBSR (v6.x), read "Best Practice for AhsayOBS to AhsayCBS Upgrade and Data Migration" (https://www.ahsay.com/download/download_document_v8_cbs-upgrade-key-steps.jsp) | ||
+ | |||
+ | |||
+ | <html> | ||
+ | </TD></TR></TABLE> | ||
+ | </html> | ||
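Review bot: the two v7.x bullets keep the wording "If you are running AhsayCBS (v7.x)," / "AhsayUBS (v7.x)," followed by a bare link, but the link target changed from a patch-set install guide to the critical vulnerability advisory; say so in the bullet text (for example "... v7 is EOL and receives no further hotfixes; see the critical vulnerability advisory:"), consistent with the EOL Reminder above, so a reader does not expect an installable patch set behind the link.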