Is Prognosis 11.x or 12.0 affected by CVE-2021-44228 / log4j / 'Log4Shell' / 'LogJam' / Zero-Day Vulnerability in Apache Java Logging Library Log4j?
We received the below high vulnerability alert from our CERT team and need your help to confirm whether our Prognosis are impacted with this vulnerability.
Security researchers have discovered a zero-day vulnerability in the Apache Java logging library Log4j (CVE-2021-44228). A proof-of-concept exploit has also been published. Successful exploitation could allow an attacker to gain full control of the affected servers.
System administrators using Apache Log4j versions between 2.0 and 2.14.1 are advised to upgrade to the latest version 2.15.0 immediately. The patch is available for download here: https://logging.apache.org/log4j/2.x/download.html
As the latest patch version of Log4j 2.15.0 requires Java 8, system administrators using Java 7 will be required to upgrade to Java 8. Alternatively, system administrators may reconfigure affected servers with "log4j2.formatMsgNoLookups" set to "true" when starting the Java virtual machine, and closely monitor the servers for any suspicious activity.
Glad you asked!
The good news is that Prognosis 11.x and 12.0 do not use log4j and are not affected by this vulnerability.
Also, there is more good news that the Prognosis Cloud platform is not affected by this vulnerability.
so any onsite system below 11 is affected by this? If so is prognosis building a fix?
Prognosis version 9.x and 10.x also appear to not be affected by the CVE-2021-44228 log4j vulnerability, but these Prognosis versions are no longer supported and should be upgraded as soon as possible to include other security items and defect fixes.
Does this affect the Pathinsight product line?
Good point! I have good news about that as I have confirmed with the developers that PathInsight is not affected by this log4j vulnerability.
Is there a formal published statement from IR that states the product is not affected by this vulnerability? My security team is not going to accept a forum post that says good news it's nto affected. They will want what our other vendors have psoted to their support sites stating if it is affected or not and if it si, what the remediation is. For most of our other major applications I have been able to download the notice from their support site or they sent it out to custoemrs.
Sure! Please see the attached PDF file of the formal advisory.
Unified Communications has always been an important part of companies' digital transformation efforts due to its ability to enable rich virtual collaboration and communication. But with COVID-19, we've reached a break-through point.
Join Bill Haskins, Sr. Analyst & Partner, Unified Communications at Wainhouse Research, and John Ruthven, CEO at IR discuss UC challenges companies are experiencing due to the COVOID-19 crisis.Join webinar