Differences

This shows you the differences between two versions of the page.

--- public:announcement:cve-2021-44228_log4j [2021/12/15 17:07]
kirk.lim
+++ public:announcement:cve-2021-44228_log4j [2022/12/01 12:05] (current)
kirk.lim
@@ Line 1: / Line 1: @@
 ====== Ahsay Advisory - Log4j vulnerability (CVE-2021-44228) ======
-<html><br/><br/></html>
-**Announcement date:** 2021-12-13
-<color #ed1c24>The current public release of AhsayCBS is v8.5.4.86 (as of 2021-Oct-11). Hotfixes are an Ahsay Partner Portal exclusive, found on www.ahsay.com/partners.</color>
+**Revised:** 2022-12-01
+<html>
+<br><br>
+<FONT COLOR=#ed1c24>As of 2022-Jan-25, v9.1.0.0 is newest version, introducing Deduplication. </FONT> All Log4j binaries has been removed from AhsayCBS and OBM/ACB clients.
+<br><br>
+<FONT COLOR=#ed1c24>As of 2022-May-24, the latest Version 8 public release is v8.7.0.0. </FONT>  In this release, all Log4j binaries has been replaced with "152-bytes" innocuous file, with system routine to remove.  [UPDATE: 2022-11-21, hotfix v8.7.0.19 will handle log4j binary removal in the OBM/ACB "aua" directory (ref#35723).]  <!--<B>Stay tuned for future Version 8, to be released in the coming weeks that will include all Version 8 hotfixes and removal of Log4j binaries.</B>-->
+<br><br>
+<hr>
+<br>
+</html>
-  * AhsayCBS, AhsayOBM, AhsayACB, AhsayUBS **version 8.5.4.86 (and above)** <color #ed1c24>**are not vulnerable**</color> to CVE-2021-44228 (Log4j vulnerability).
+<html>
+<TABLE BORDER=1><TR><TD>
+<br/>
+<!--<FONT COLOR=#ed1c24>The current public release of AhsayCBS is v8.5.4.86 (as of 2021-Oct-11). </FONT>
+-->
+ Hotfixes are an Ahsay Partner Portal exclusive, found on <A HREF=https://www.ahsay.com/partners>www.ahsay.com/partners</A>.
+<br/>
+</html>
+**Announcement date:** 2021-12-13
+**Revised:** 2021-12-17
+  * AhsayOBS (v6), AhsayOBSR (v6), AhsayCBS (v7/v8), AhsayOBM (v7/v8), AhsayACB (v7/v8), AhsayUBS (v6/v7/v8) are **not vulnerable** to CVE-2021-44228 (Log4j vulnerability).
 <html><ul><ul>
-    The version of Log4j Ahsay products bundled does not contain the JNDILookup plugin and is not one of the affected versions. Also, remote logging feature and all logging had been disabled for Log4j Logger (set to OFF).
+    While the Log4j binaries exist, the version of Log4j Ahsay products bundled does not contain the JNDILookup plugin and is not one of the affected versions.
+<br>
+    Related, <FONT COLOR=#C4500E>applicable only for AhsayCBS v8.5.4.86+, the remote logging feature and all logging had been disabled for Log4j Logger (set to OFF).</FONT>
+    <BR><BR>However, <FONT COLOR=red>pre-v8.5.4.86 AhsayCBS versions may be vulnerable to other vulnerabilities not associated with this CVE.</FONT> There are <B>critical</B> vulnerabilities with certain Ahsay versions, as described in <A HREF=https://wiki.ahsay.com/doku.php?id=public:announcement:critical_vulnerability_in_ahsaycbs_v7_and_v8>Ahsay Security Advisory (#26030)</A>
 <!--    (<B>UPDATE INFO</B>: @2021-12-13, for Partner's peace of mind we will soon release a hotfix that will completely remove Log4j binaries. Check the Ahsay Partner Portal for its release in a few days.)
+    <BR><BR>
+    <FONT COLOR=red>Separately, there are <B>critical</B> vulnerabilities with certain Ahsay versions, as described in <A HREF=https://wiki.ahsay.com/doku.php?id=public:announcement:critical_vulnerability_in_ahsaycbs_v7_and_v8>Ahsay Security Advisory (#26030)</A>
+    </FONT>
 -->
-    <BR><BR><B>NOTE:</B> If you are running an older version, we recommend to CBS Administrators to stay up to date and upgrade to the most recent release.
-    There may have been fixes for other critical bugs or vulnerabilities that have since been patch, we are unable to relist each past CBS version's history here, but you can refer to each version's Release Notes on <A HREF=https://wiki.ahsay.com>Ahsay Wiki</A>.
-</ul></ul></html>
+    <BR><BR><B>NOTE:</B> If you are running any earlier version than the current release, <U>it is <b>highly advised</b> to CBS Administrators to stay up to date and upgrade to the most recent release.</U>
+    There may have been fixes for other critical bugs or vulnerabilities that have since been patched, we are unable to relist each past CBS version's history here, but you can refer to each version's Release Notes on <A HREF=https://wiki.ahsay.com>Ahsay Wiki</A>.
-  * AhsayCBS, AhsayOBM, AhsayACB, AhsayUBS **version 7.17.2.2 with [[https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_hotfix-v7|Hotfix 7.17.2.127+]] and  prior versions (v6.29.x)** <color #ed1c24>**are not vulnerable**</color>.  (Refer to [[https://wiki.ahsay.com/doku.php?id=public:announcement:cve-2021-44228_log4j&do=edit#eol_reminder|EOL Reminder]])
+</ul></ul></html>
   * **AhsayPRD 2.0 is not vulnerable**.
@@ Line 23: / Line 51: @@
   * **Ahsay Mobile 1.6+ is not vulnerable**.
-  * AhsayMOB is unsupported.
+  * AhsayMOB is EOL and unsupported.
+<html>
+<!--
+</TD></TR></TABLE>
+-->
+</html>
 <html><br/><br/></html>
@@ Line 46: / Line 79: @@
   * If you are running AhsayOBS or AhsayOBSR (v6.x), read "Best Practice for AhsayOBS to AhsayCBS Upgrade and Data Migration" (https://www.ahsay.com/download/download_document_v8_cbs-upgrade-key-steps.jsp)
+<html>
+</TD></TR></TABLE>
+</html>

User Tools

Site Tools

Differences

Page Tools