This shows you the differences between two versions of the page.
public:announcement:cve-2021-44228_log4j [2021/12/17 16:41] kirk.lim
public:announcement:cve-2021-44228_log4j [2022/12/01 12:05] (current) kirk.lim
Line 1: | Line 1: | ||
====== Ahsay Advisory - Log4j vulnerability (CVE-2021-44228) ====== | ====== Ahsay Advisory - Log4j vulnerability (CVE-2021-44228) ====== | ||
+ | |||
+ | **Revised:** 2022-12-01 | ||
<html> | <html> | ||
- | <br/><FONT COLOR=#ed1c24>The current public release of AhsayCBS is v8.5.4.86 (as of 2021-Oct-11). </FONT> Hotfixes are an Ahsay Partner Portal exclusive, found on <A HREF=https://www.ahsay.com/partners>www.ahsay.com/partners</A>. | + | <br><br> |
+ | <FONT COLOR=#ed1c24>As of 2022-Jan-25, v9.1.0.0 is newest version, introducing Deduplication. </FONT> All Log4j binaries has been removed from AhsayCBS and OBM/ACB clients. | ||
+ | <br><br> | ||
+ | <FONT COLOR=#ed1c24>As of 2022-May-24, the latest Version 8 public release is v8.7.0.0. </FONT> In this release, all Log4j binaries has been replaced with "152-bytes" innocuous file, with system routine to remove. [UPDATE: 2022-11-21, hotfix v8.7.0.19 will handle log4j binary removal in the OBM/ACB "aua" directory (ref#35723).] <!--<B>Stay tuned for future Version 8, to be released in the coming weeks that will include all Version 8 hotfixes and removal of Log4j binaries.</B>--> | ||
+ | |||
+ | <br><br> | ||
+ | <hr> | ||
+ | <br> | ||
+ | </html> | ||
+ | |||
+ | <html> | ||
+ | <TABLE BORDER=1><TR><TD> | ||
+ | <br/> | ||
+ | <!--<FONT COLOR=#ed1c24>The current public release of AhsayCBS is v8.5.4.86 (as of 2021-Oct-11). </FONT> | ||
+ | --> | ||
+ | Hotfixes are an Ahsay Partner Portal exclusive, found on <A HREF=https://www.ahsay.com/partners>www.ahsay.com/partners</A>. | ||
<br/> | <br/> | ||
</html> | </html> | ||
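Review bot: the status lines added on the `+` side of this hunk need a grammar pass and one more verifiable detail. "v9.1.0.0 is newest version" should read "v9.1.0.0 is the newest version", and both "All Log4j binaries has been removed" and "all Log4j binaries has been replaced" should use "have been". More importantly, the v8.7.0.0 sentence says the binaries were replaced with a "152-bytes" innocuous file but does not say whether that placeholder keeps the original Log4j jar name; if it does, filename-based vulnerability scanners will keep reporting it until the "system routine to remove" has run, so state the placeholder's name, when the removal routine runs, and how an administrator can confirm the files are gone (the 2022-11-21 update already names the OBM/ACB "aua" directory, so the same level of detail for the CBS side would help). Finally, `<TABLE BORDER=1><TR><TD>` is opened here but closed in a separate `<html>` block at the very end of the page, with a commented-out copy of the close in between; keeping the open and close tags in the same block would make it harder for a later edit to leave the table unclosed.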
Line 9: | Line 26: | ||
**Revised:** 2021-12-17 | **Revised:** 2021-12-17 | ||
- | |||
* AhsayOBS (v6), AhsayOBSR (v6), AhsayCBS (v7/v8), AhsayOBM (v7/v8), AhsayACB (v7/v8), AhsayUBS (v6/v7/v8) are **not vulnerable** to CVE-2021-44228 (Log4j vulnerability). | * AhsayOBS (v6), AhsayOBSR (v6), AhsayCBS (v7/v8), AhsayOBM (v7/v8), AhsayACB (v7/v8), AhsayUBS (v6/v7/v8) are **not vulnerable** to CVE-2021-44228 (Log4j vulnerability). | ||
Line 15: | Line 31: | ||
While the Log4j binaries exist, the version of Log4j Ahsay products bundled does not contain the JNDILookup plugin and is not one of the affected versions. | While the Log4j binaries exist, the version of Log4j Ahsay products bundled does not contain the JNDILookup plugin and is not one of the affected versions. | ||
<br> | <br> | ||
- | Next, <FONT COLOR=#C4500E>applicable only for AhsayCBS v8.5.4.86+, the remote logging feature and all logging had been disabled for Log4j Logger (set to OFF).</FONT> Pre-v8.5.4.86 AhsayCBS versions may be vulnerable to other vulnerabilities not associated with this CVE. | + | Related, <FONT COLOR=#C4500E>applicable only for AhsayCBS v8.5.4.86+, the remote logging feature and all logging had been disabled for Log4j Logger (set to OFF).</FONT> |
+ | |||
+ | <BR><BR>However, <FONT COLOR=red>pre-v8.5.4.86 AhsayCBS versions may be vulnerable to other vulnerabilities not associated with this CVE.</FONT> There are <B>critical</B> vulnerabilities with certain Ahsay versions, as described in <A HREF=https://wiki.ahsay.com/doku.php?id=public:announcement:critical_vulnerability_in_ahsaycbs_v7_and_v8>Ahsay Security Advisory (#26030)</A> | ||
<!-- (<B>UPDATE INFO</B>: @2021-12-13, for Partner's peace of mind we will soon release a hotfix that will completely remove Log4j binaries. Check the Ahsay Partner Portal for its release in a few days.) | <!-- (<B>UPDATE INFO</B>: @2021-12-13, for Partner's peace of mind we will soon release a hotfix that will completely remove Log4j binaries. Check the Ahsay Partner Portal for its release in a few days.) | ||
- | --> | ||
<BR><BR> | <BR><BR> | ||
- | <FONT COLOR=red>However, there are <B>critical</B> vulnerabilities with certain Ahsay versions, as described in <A HREF=https://wiki.ahsay.com/doku.php?id=public:announcement:critical_vulnerability_in_ahsaycbs_v7_and_v8>Ahsay Security Advisory (#26030)</A> | + | <FONT COLOR=red>Separately, there are <B>critical</B> vulnerabilities with certain Ahsay versions, as described in <A HREF=https://wiki.ahsay.com/doku.php?id=public:announcement:critical_vulnerability_in_ahsaycbs_v7_and_v8>Ahsay Security Advisory (#26030)</A> |
</FONT> | </FONT> | ||
+ | --> | ||
- | <BR><BR><B>NOTE:</B> If you are running an earlier version, we recommend to CBS Administrators to stay up to date and upgrade to the most recent release. | + | <BR><BR><B>NOTE:</B> If you are running any earlier version than the current release, <U>it is <b>highly advised</b> to CBS Administrators to stay up to date and upgrade to the most recent release.</U> |
There may have been fixes for other critical bugs or vulnerabilities that have since been patched, we are unable to relist each past CBS version's history here, but you can refer to each version's Release Notes on <A HREF=https://wiki.ahsay.com>Ahsay Wiki</A>. | There may have been fixes for other critical bugs or vulnerabilities that have since been patched, we are unable to relist each past CBS version's history here, but you can refer to each version's Release Notes on <A HREF=https://wiki.ahsay.com>Ahsay Wiki</A>. | ||
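Review bot: the reworded line `<FONT COLOR=red>Separately, there are <B>critical</B> vulnerabilities ...` now sits between the `<!--` opened on the `(<B>UPDATE INFO</B>: @2021-12-13 ...` line and the `-->` added after `</FONT>`, so the wording change is never rendered, and the Ahsay Security Advisory (#26030) link now appears twice, once live in the new "However, pre-v8.5.4.86 ..." paragraph and once inside the comment; either delete the commented block or drop the edit to it. In the live text, the sentence ending in `(#26030)</A>` is missing its full stop, and the NOTE line reads awkwardly: "it is highly advised to CBS Administrators to stay up to date" would be clearer as "CBS Administrators are highly advised to stay up to date". The mitigation statement itself ("all logging had been disabled for Log4j Logger (set to OFF)") is only meaningful together with the version scope, so keep the "applicable only for AhsayCBS v8.5.4.86+" qualifier attached to it as this hunk does.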
Line 34: | Line 53: | ||
* AhsayMOB is EOL and unsupported. | * AhsayMOB is EOL and unsupported. | ||
+ | <html> | ||
+ | <!-- | ||
+ | </TD></TR></TABLE> | ||
+ | --> | ||
+ | </html> | ||
<html><br/><br/></html> | <html><br/><br/></html> | ||
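Review bot: the `<html><!-- </TD></TR></TABLE> --></html>` block added after the AhsayMOB bullet is dead markup; the table is actually closed by the `</TD></TR></TABLE>` added at the end of the page, so this commented copy only invites someone to uncomment it later and close the table twice. Remove it.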
Line 55: | Line 79: | ||
* If you are running AhsayOBS or AhsayOBSR (v6.x), read "Best Practice for AhsayOBS to AhsayCBS Upgrade and Data Migration" (https://www.ahsay.com/download/download_document_v8_cbs-upgrade-key-steps.jsp) | * If you are running AhsayOBS or AhsayOBSR (v6.x), read "Best Practice for AhsayOBS to AhsayCBS Upgrade and Data Migration" (https://www.ahsay.com/download/download_document_v8_cbs-upgrade-key-steps.jsp) | ||
+ | |||
+ | |||
+ | <html> | ||
+ | </TD></TR></TABLE> | ||
+ | </html> | ||
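Review bot: this `</TD></TR></TABLE>` closes the `<TABLE BORDER=1><TR><TD>` opened in the first hunk, so everything from the "Hotfixes are an Ahsay Partner Portal exclusive" line to the end of the page, including the upgrade-guidance bullets, is now rendered inside the bordered box rather than just the status banner; confirm that is the intended layout. One of the two empty `+` lines before the `<html>` block is unnecessary.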