====== Ahsay Advisory - Log4j vulnerability (CVE-2021-44228) ======
**Revised:** 2022-12-01

As of 2022-Jan-25, v9.1.0.0 is the newest version, introducing Deduplication. All Log4j binaries have been removed from AhsayCBS and OBM/ACB clients.

As of 2022-May-24, the latest Version 8 public release is v8.7.0.0. In this release, all Log4j binaries have been replaced with an innocuous "152-byte" file, with a system routine to remove them. [UPDATE: 2022-11-21, hotfix v8.7.0.19 will handle log4j binary removal in the OBM/ACB "aua" directory (ref#35723).]
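
To confirm on an upgraded host that only placeholder files remain, the following added example (not Ahsay's code) walks an installation directory and separates 152-byte placeholders from anything else. The `log4j*.jar` name pattern and the directory argument are assumptions; the advisory does not list file names or paths.

```shell
#!/bin/sh
# Added example: audit an install tree for leftover Log4j jars.
# Assumptions (not from the advisory): jars match the name pattern
# "log4j*.jar"; the install root is passed as the first argument.

PLACEHOLDER_SIZE=152   # size in bytes of the innocuous file, per the advisory

# Print one line per matching file: "<status> <bytes> <path>"
#   PLACEHOLDER = exactly 152 bytes (replaced, awaiting removal)
#   REAL        = any other size (an actual jar may still be present)
audit_log4j() {
    find "$1" -type f -iname 'log4j*.jar' 2>/dev/null |
    while IFS= read -r audit_file; do
        audit_size=$(wc -c < "$audit_file" | tr -d ' ')
        if [ "$audit_size" -eq "$PLACEHOLDER_SIZE" ]; then
            printf 'PLACEHOLDER %s %s\n' "$audit_size" "$audit_file"
        else
            printf 'REAL %s %s\n' "$audit_size" "$audit_file"
        fi
    done
}

# Count files that are NOT the placeholder; non-zero means follow-up is needed.
# grep -c exits 1 when the count is 0, so the status is neutralised.
count_real_log4j() {
    audit_log4j "$1" | grep -c '^REAL ' || true
}

# Stand-alone use: sh audit_log4j.sh /path/to/install/root
if [ "$#" -gt 0 ]; then
    audit_log4j "$1"
    [ "$(count_real_log4j "$1")" -eq 0 ] || exit 2
fi
```

Run it against both the AhsayCBS home and each OBM/ACB client directory, including "aua"; an exit status of 2 means at least one matching file is not the placeholder.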

Hotfixes are an Ahsay Partner Portal exclusive, found on www.ahsay.com/partners.

**Announcement date:** 2021-12-13
**Revised:** 2021-12-17

  * AhsayOBS (v6), AhsayOBSR (v6), AhsayCBS (v7/v8), AhsayOBM (v7/v8), AhsayACB (v7/v8), AhsayUBS (v6/v7/v8) are **not vulnerable** to CVE-2021-44228 (Log4j vulnerability).

Relatedly, and applicable only to AhsayCBS v8.5.4.86+, the remote logging feature and all logging have been disabled for the Log4j Logger (set to OFF). However, pre-v8.5.4.86 AhsayCBS versions may be vulnerable to other vulnerabilities not associated with this CVE. There are critical vulnerabilities with certain Ahsay versions, as described in Ahsay Security Advisory (#26030).

NOTE: If you are running any version earlier than the current release, CBS Administrators are strongly advised to stay up to date and upgrade to the most recent release. Other critical bugs or vulnerabilities may have been patched since. We are unable to relist each past CBS version's history here, but you can refer to each version's Release Notes on the Ahsay Wiki.

==== EOL Reminder: ====

**For v7.x**, starting on 2021-06-30 Ahsay announced that Version 7 is progressively desupported and will EOL on 2022-01-01. No further enhancements, development, or hotfixes will be created.
https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_previous_cbs-v7-eol

**For v6.x**, on 2018-07-16 Ahsay announced that Version 6 is EOL 2018-12-31. No further enhancements, development, or hotfixes would be made.
https://www.ahsay.com/blog/2018/07/16/ahsay-v6-best-effort-support/

If you are running either of these, we highly recommend upgrading to the latest AhsayCBS release to protect yourself from future vulnerabilities. In order to upgrade, you must have valid maintenance prior to upgrading.

==== Upgrade Procedures: ====

https://www.ahsay.com/download/download_document_v8_cbs-upgrade.jsp

  * If you are running AhsayCBS (v8.x), https://wiki.ahsay.com/doku.php?id=public:8009_faq:how_to_install_the_latest_patch_set_for_ahsaycbs
  * If you are running AhsayUBS (v8.x), https://wiki.ahsay.com/doku.php?id=public:8026_faq:how_to_install_the_latest_patch_set_for_ahsayubs
  * If you are running AhsayCBS (v7.x), https://wiki.ahsay.com/doku.php?id=public:announcement:critical_vulnerability_in_ahsaycbs_v7_and_v8
  * If you are running AhsayUBS (v7.x), https://wiki.ahsay.com/doku.php?id=public:announcement:critical_vulnerability_in_ahsaycbs_v7_and_v8
  * If you are running AhsayOBS or AhsayOBSR (v6.x), read "Best Practice for AhsayOBS to AhsayCBS Upgrade and Data Migration" (https://www.ahsay.com/download/download_document_v8_cbs-upgrade-key-steps.jsp)