Hi,
Is Prognosis 11.x or 12.0 affected by CVE-2021-44228 / log4j / 'Log4Shell' / 'LogJam' / Zero-Day Vulnerability in Apache Java Logging Library Log4j?
We received the high vulnerability alert below from our CERT team and need your help to confirm whether our Prognosis is impacted by this vulnerability.
Vulnerability Details:
Security researchers have discovered a zero-day vulnerability in the Apache Java logging library Log4j (CVE-2021-44228). A proof-of-concept exploit has also been published. Successful exploitation could allow an attacker to gain full control of the affected servers.
System administrators using Apache Log4j versions between 2.0 and 2.14.1 are advised to upgrade to the latest version 2.15.0 immediately. The patch is available for download here: https://logging.apache.org/log4j/2.x/download.html
As the latest patch version of Log4j 2.15.0 requires Java 8, system administrators using Java 7 will be required to upgrade to Java 8. Alternatively, system administrators may reconfigure affected servers with "log4j2.formatMsgNoLookups" set to "true" when starting the Java virtual machine, and closely monitor the servers for any suspicious activity.
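For a security team that wants to verify a vendor's "not affected" statement on its own install media, here is an added example (not code from IR, Prognosis or the CERT advisory) that scans .jar/.war/.ear archives, including jars nested inside a .war, for a bundled log4j-core, reads its version from the Maven pom.properties entry, and classifies it against the 2.0 to 2.14.1 range the advisory names. The Maven descriptor path and the JndiLookup class path are the real locations in log4j-core; the sample .war built by build_sample_war is constructed test input only.

```python
import io
import re
import zipfile
from pathlib import Path

# Where log4j-core records its version, and the class that performs the JNDI lookup
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def classify(version, has_jndi):
    """CERT guidance quoted above: log4j-core 2.0 to 2.14.1 is affected by CVE-2021-44228,
    2.15.0+ carries the fix; a 2.x jar with JndiLookup.class removed is reported separately."""
    if version is None:
        return "no-log4j-core"
    nums = [int(p) for p in re.findall(r"\d+", version)]
    key = tuple((nums + [0, 0, 0])[:3])  # pad so "2.0" compares as (2, 0, 0)
    if not (2, 0, 0) <= key <= (2, 14, 1):
        return "patched" if key >= (2, 15, 0) else "not-2.x"
    return "vulnerable" if has_jndi else "jndi-removed"

def scan_archive(data, origin):
    """Yield (origin, version, status) for each log4j-core in an archive, recursing
    into nested archives such as WEB-INF/lib/*.jar inside a .war."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM in names:
            props = zf.read(POM).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.M)
            version = match.group(1).strip() if match else None
            yield origin, version, classify(version, JNDI in names)
        for name in sorted(names):
            if name.lower().endswith(ARCHIVES):
                yield from scan_archive(zf.read(name), f"{origin}!/{name}")

def scan_tree(root):
    """Scan every archive under root (for example an application's install directory)."""
    return [f for p in sorted(Path(root).rglob("*")) if p.is_file() and p.suffix.lower() in ARCHIVES
            for f in scan_archive(p.read_bytes(), str(p))]

def build_sample_war(version, with_jndi=True):
    """Constructed test input, not a real artifact: a .war bundling a minimal log4j-core
    jar whose pom.properties carries the given version string."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(POM, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI, b"\xca\xfe\xba\xbe")  # class-file magic stands in for the class body
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", jar.getvalue())
    return war.getvalue()
```

Run scan_tree against the product's install directory; an empty result means no log4j-core Maven descriptor was found, which is the evidence a security team can attach to the vendor's statement.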
Glad you asked!
The good news is that Prognosis 11.x and 12.0 do not use log4j and are not affected by this vulnerability.
HTH
Also, there is more good news: the Prognosis Cloud platform is not affected by this vulnerability.
So any onsite system below 11 is affected by this? If so, is Prognosis building a fix?
Hi @Jerry_K,
Prognosis version 9.x and 10.x also appear to not be affected by the CVE-2021-44228 log4j vulnerability, but these Prognosis versions are no longer supported and should be upgraded as soon as possible to include other security items and defect fixes.
Thank you,
Scott Baldwin
Hello GeraldC1,
Does this affect the Pathinsight product line?
Thanks!
Hi Ed,
Good point! I have good news about that as I have confirmed with the developers that PathInsight is not affected by this log4j vulnerability.
HTH
Is there a formal published statement from IR that states the product is not affected by this vulnerability? My security team is not going to accept a forum post that says good news, it's not affected. They will want what our other vendors have posted to their support sites stating if it is affected or not and, if it is, what the remediation is. For most of our other major applications I have been able to download the notice from their support site or they sent it out to customers.
Sure! Please see the attached PDF file of the formal advisory.