
CVE-2021-44228 log4j 'Log4Shell' 'LogJam' is Prognosis affected by this Zero-Day Vulnerability in Apache Java Logging Library Log4j?

GeraldC1
Community Manager


Hi,

 

Is Prognosis 11.x or 12.0 affected by CVE-2021-44228 / log4j / 'Log4Shell' / 'LogJam' / Zero-Day Vulnerability in Apache Java Logging Library Log4j?

 

We received the below high vulnerability alert from our CERT team and need your help to confirm whether our Prognosis is impacted by this vulnerability.
 
Vulnerability Details:
Security researchers have discovered a zero-day vulnerability in the Apache Java logging library Log4j (CVE-2021-44228). A proof-of-concept exploit has also been published. Successful exploitation could allow an attacker to gain full control of the affected servers.

System administrators using Apache Log4j versions between 2.0 and 2.14.1 are advised to upgrade to the latest version 2.15.0 immediately. The patch is available for download here: https://logging.apache.org/log4j/2.x/download.html

As the latest patch version of Log4j 2.15.0 requires Java 8, system administrators using Java 7 will be required to upgrade to Java 8. Alternatively, system administrators may reconfigure affected servers with "log4j2.formatMsgNoLookups" set to "true" when starting the Java virtual machine, and closely monitor the servers for any suspicious activity.
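
The version range in the advisory quoted above can be checked against what is actually installed on a server. This is an added example, not from the thread or from IR: it walks a directory, opens jar/war/ear archives (including nested ones), reads log4j-core's Maven `pom.properties`, and flags versions from 2.0 through 2.14.1. The function names and the sample tree built by `demo()` are constructed for illustration.

```python
import io, pathlib, re, tempfile, zipfile

# Maven metadata entry carried inside log4j-core jars.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")
LOW, HIGH = (2, 0, 0), (2, 14, 1)  # range quoted in the advisory text above

def parse_version(text):  # '2.14.1' -> (2, 14, 1); None if unrecognisable
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def inspect_archive(data, label, findings):
    """Record log4j-core metadata in this archive, then recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # wrong extension or corrupt file: nothing to inspect
    with zf:
        names = zf.namelist()
        if POM in names:
            m = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
            ver = parse_version(m.group(1)) if m else None
            findings.append((label, ver, ver is not None and LOW <= ver <= HIGH))
        for n in names:
            if n.lower().endswith(ARCHIVES):
                inspect_archive(zf.read(n), f"{label}!{n}", findings)

def scan_tree(root):
    """Return sorted (path, version, in_advisory_range) for every log4j-core found."""
    findings = []
    for p in pathlib.Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            inspect_archive(p.read_bytes(), p.relative_to(root).as_posix(), findings)
    return sorted(findings)

def fake_jar(entries):  # constructed sample archive holding only the given entries
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def demo():  # constructed tree: in-range jar, patched jar, war with a nested in-range jar
    files = {f"log4j-core-{v}.jar": fake_jar({POM: f"version={v}\n"}) for v in ("2.14.1", "2.15.0")}
    files["app.war"] = fake_jar({"WEB-INF/lib/log4j-core-2.12.1.jar": fake_jar({POM: "version=2.12.1\n"})})
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            pathlib.Path(root, name).write_bytes(data)
        return scan_tree(root)
```

A jar that has been shaded or stripped of its Maven metadata is not reported, so an empty result is not proof that log4j-core is absent.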

8 REPLIES
GeraldC1
Community Manager

Re: CVE-2021-44228 log4j 'Log4Shell' 'LogJam' is Prognosis affected by this Zero-Day Vulnerability in Apache Java Logging Library Log4j?

Glad you asked!

 

The good news is that Prognosis 11.x and 12.0 do not use log4j and are not affected by this vulnerability.

 

HTH

GeraldC1
Community Manager

Re: CVE-2021-44228 log4j 'Log4Shell' 'LogJam' is Prognosis affected by this Zero-Day Vulnerability in Apache Java Logging Library Log4j?

Also, there is more good news that the Prognosis Cloud platform is not affected by this vulnerability.

 

Jerry_K
05 Base Camper

Re: CVE-2021-44228 log4j 'Log4Shell' 'LogJam' is Prognosis affected by this Zero-Day Vulnerability in Apache Java Logging Library Log4j?

So any onsite system below 11 is affected by this? If so, is Prognosis building a fix?

 

SCOTT_BALDWIN
Expert

Re: CVE-2021-44228 log4j 'Log4Shell' 'LogJam' is Prognosis affected by this Zero-Day Vulnerability in Apache Java Logging Library Log4j?

Hi @Jerry_K,

 

Prognosis version 9.x and 10.x also appear to not be affected by the CVE-2021-44228 log4j vulnerability, but these Prognosis versions are no longer supported and should be upgraded as soon as possible to include other security items and defect fixes.

 

Thank you,
Scott Baldwin

 

Edmanuel_Ferrer
05 Base Camper

Re: CVE-2021-44228 log4j 'Log4Shell' 'LogJam' is Prognosis affected by this Zero-Day Vulnerability in Apache Java Logging Library Log4j?

Hello GeraldC1,

 

Does this affect the Pathinsight product line?

 

Thanks!

GeraldC1
Community Manager

Re: CVE-2021-44228 log4j 'Log4Shell' 'LogJam' is Prognosis affected by this Zero-Day Vulnerability in Apache Java Logging Library Log4j?

Hi Ed,

 

Good point! I have good news about that as I have confirmed with the developers that PathInsight is not affected by this log4j vulnerability.

 

HTH

Scott_Smith
05 Base Camper

Re: CVE-2021-44228 log4j 'Log4Shell' 'LogJam' is Prognosis affected by this Zero-Day Vulnerability in Apache Java Logging Library Log4j?

Is there a formal published statement from IR that states the product is not affected by this vulnerability? My security team is not going to accept a forum post that says good news it's not affected. They will want what our other vendors have posted to their support sites stating if it is affected or not and if it is, what the remediation is. For most of our other major applications I have been able to download the notice from their support site or they sent it out to customers.

GeraldC1
Community Manager

Re: CVE-2021-44228 log4j 'Log4Shell' 'LogJam' is Prognosis affected by this Zero-Day Vulnerability in Apache Java Logging Library Log4j?

Sure! Please see the attached PDF file of the formal advisory.

 

 

 
