
Ahsay Advisory - Log4j vulnerability (CVE-2021-44228)

Revised: 2022-12-01

As of 2022-Jan-25, v9.1.0.0 is the newest version, introducing Deduplication. All Log4j binaries have been removed from AhsayCBS and OBM/ACB clients.

As of 2022-May-24, the latest Version 8 public release is v8.7.0.0. In this release, all Log4j binaries have been replaced with a "152-bytes" innocuous file, with a system routine to remove them. [UPDATE: 2022-11-21, hotfix v8.7.0.19 will handle log4j binary removal in the OBM/ACB "aua" directory (ref#35723).]




Hotfixes are an Ahsay Partner Portal exclusive, found on www.ahsay.com/partners.

Announcement date: 2021-12-13

Revised: 2021-12-17

  • AhsayOBS (v6), AhsayOBSR (v6), AhsayCBS (v7/v8), AhsayOBM (v7/v8), AhsayACB (v7/v8), AhsayUBS (v6/v7/v8) are not vulnerable to CVE-2021-44228 (Log4j vulnerability).

      While the Log4j binaries exist, the version of Log4j bundled with Ahsay products does not contain the JNDILookup plugin and is not one of the affected versions.
      Relatedly, and applicable only to AhsayCBS v8.5.4.86+, the remote logging feature and all logging had been disabled for the Log4j Logger (set to OFF).

      However, pre-v8.5.4.86 AhsayCBS versions may be vulnerable to other vulnerabilities not associated with this CVE. There are critical vulnerabilities in certain Ahsay versions, as described in Ahsay Security Advisory (#26030).

      NOTE: If you are running any version earlier than the current release, CBS Administrators are highly advised to stay up to date and upgrade to the most recent release. There may have been fixes for other critical bugs or vulnerabilities that have since been patched. We are unable to relist each past CBS version's history here, but you can refer to each version's Release Notes on Ahsay Wiki.

  • AhsayPRD 2.0 is not vulnerable.
  • Ahsay Mobile 1.6+ is not vulnerable.
  • AhsayMOB is EOL and unsupported.
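
One way to check the statements above on an installation, as an added example (not Ahsay's code or tooling): it inventories files named log4j* under a directory and reports whether each is a real Java archive and whether it contains the JndiLookup class. The sample tree, its "lib" directory and its file names are constructed for illustration.

```python
import os
import tempfile
import zipfile

# Path of the JNDI lookup plugin inside a log4j-core 2.x jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def classify(path):
    """Return (status, size) for one log4j* file found on disk."""
    size = os.path.getsize(path)
    if not zipfile.is_zipfile(path):
        # Not a Java archive at all, e.g. a small placeholder file.
        return ("not-an-archive", size)
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
    return ("jndilookup-present" if JNDI_CLASS in names else "no-jndilookup", size)


def scan(root):
    """Walk root and classify every file whose name starts with 'log4j'."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().startswith("log4j"):
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = classify(full)
    return results


def build_sample_tree(root):
    """Constructed sample input: three fake files, not real Ahsay or Log4j binaries."""
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "aua"))
    with zipfile.ZipFile(os.path.join(root, "lib", "log4j-core-sample.jar"), "w") as z:
        z.writestr(JNDI_CLASS, b"")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(os.path.join(root, "lib", "log4j-old-sample.jar"), "w") as z:
        z.writestr("org/apache/log4j/Logger.class", b"")
    with open(os.path.join(root, "aua", "log4j.jar"), "wb") as f:
        f.write(b"x" * 152)  # stands in for a 152-byte placeholder


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, (status, size) in sorted(scan(tmp).items()):
            print(f"{status:20} {size:>8}  {rel}")
```

Archives nested inside other archives are not opened, so a "no-jndilookup" result applies only to the top-level file that was inspected.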



EOL Reminder:

For v7.x, starting on 2021-06-30 Ahsay announced that Version 7 is progressively desupported and will EOL on 2022-01-01. No further enhancements, development, or hotfixes will be created. https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_previous_cbs-v7-eol

For v6.x, on 2018-07-16 Ahsay announced that Version 6 is EOL 2018-12-31. No further enhancements, development, or hotfixes would be made. https://www.ahsay.com/blog/2018/07/16/ahsay-v6-best-effort-support/

If you are running either of these, to protect yourself from future vulnerabilities, we highly recommend upgrading to the latest AhsayCBS release. You must have valid maintenance before upgrading.



Upgrade Procedures:


Contact

You can contact Ahsay Sales at sales-kb@ahsay.com to renew your maintenance.

If you have further technical questions, you may submit a ticket to Ahsay Support at https://www.ahsay.com/partners.

Ahsay offers Professional Services to assist with upgrading your server(s). Please contact Ahsay Sales for a quote.

public/announcement/cve-2021-44228_log4j.txt · Last modified: 2022/12/01 12:05 by kirk.lim