Status and Actions
Status and actions for the prodexa Cloud regarding “log4shell” (CVE-2021-44228)
After the log4j vulnerability known as “log4shell” became public, we checked which log4j versions our systems use, to make sure our cloud environments are safe.
The conclusion of our checks is that our systems are not affected. This is ensured by the following mechanisms:
log4j versions
Our PIM7 and PIM8 environments use log4j versions 1.2.16 and 1.2.17, which are not affected by the vulnerability; it affects log4j versions 2.x up to 2.14.1.
The only exception is our Solr server, which uses the affected version 2.11 but is not reachable from outside our servers and is protected by our firewall and web server.
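The version inventory described above can be reproduced with a small scanner. The following is an added example, not prodexa's own tooling: it walks a directory for JAR files, reads the Maven `pom.properties` that log4j 1.x and log4j-core 2.x artefacts carry (assumed present in the jars), and classifies each version against the affected range 2.x up to 2.14.1 stated on this page.

```python
import io
import zipfile
from pathlib import Path

# Maven metadata paths: log4j-core 2.x and the legacy log4j 1.x artefact (assumed present).
POM_PATHS = {
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "2.x",
    "META-INF/maven/log4j/log4j/pom.properties": "1.x",
}

def _version_tuple(version):
    # "2.14.1" -> (2, 14, 1); a "-beta" style suffix is dropped before splitting.
    return tuple(int(p) for p in version.split("-")[0].split(".") if p.isdigit())

def classify(version):
    """Map a log4j version string to the categories used in the advisory above."""
    v = _version_tuple(version)
    if v[0] == 1:
        return "not affected (log4j 1.x)"
    if (2, 0) <= v <= (2, 14, 1):
        return "AFFECTED by CVE-2021-44228 (2.x up to 2.14.1)"
    return "not affected (2.15.0 or later)"

def inspect_jar(data):
    """Return (version, classification) for one JAR's bytes, or None if no log4j inside."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for pom in POM_PATHS:
            if pom in zf.namelist():
                for line in zf.read(pom).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
                        return version, classify(version)
    return None

def scan_directory(root):
    """Walk root for *.jar files; return {path: (version, classification)}."""
    findings = {}
    for jar in Path(root).rglob("*.jar"):
        found = inspect_jar(jar.read_bytes())
        if found:
            findings[str(jar)] = found
    return findings

def make_sample_jar(pom_path, version):
    """Constructed stand-in JAR for offline testing; not a real log4j artefact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(pom_path, f"version={version}\n")
    return buf.getvalue()
```

Run `scan_directory("/path/to/solr")` on a deployment to list every bundled log4j with its verdict; a `None` result only means the jar carries no Maven metadata, not that it is free of log4j.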
Firewall and web server
Even though our Solr uses log4j version 2.11, it is not affected because it cannot be reached externally. This is ensured by our firewall and (Apache2) web server.
Josso (authentication with username/password)
Those parts of our applications that can be reached via HTTPS are additionally protected by our Josso module. Requests to our systems are only processed after successful authentication with username and password.
Additional mitigation step: reconfigure Solr
As an additional step we followed the recommendation of the Apache Software Foundation and changed the configuration of our Solr servers: the JVM system property “log4j2.formatMsgNoLookups” was set to true.
This has already been done for all cloud systems. Instructions for on-premises systems can be found here: “Maßnahmen für Onpremises Systeme” (measures for on-premises systems).
Weblink: https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
Further information
For a better understanding of the vulnerability, we suggest the following articles.
[German article] “Schutz vor schwerwiegender Log4j-Lücke - was jetzt hilft und was nicht” (protection against the severe Log4j flaw: what helps now and what does not) by heise online:
https://www.heise.de/news/Log4j-2-16-0-verbessert-Schutz-vor-Log4Shell-Luecke-6294053.html
“Log4Shell log4j vulnerability” from stories-so-far:
https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/