On December 9th, 2021, a critical security vulnerability was found in the Log4j logging utility. Log4j is a widely used open-source library for generating log messages from Java applications. The vulnerability, CVE-2021-44228, also known as Log4Shell or LogJam, permits Remote Code Execution (RCE): when message lookup substitution is enabled in Log4j, attackers can make it load and execute arbitrary code from an attacker-controlled LDAP server.
Log4j is used in some of the applications written by Genus as well as in many of the products Genus specializes in. Almost all versions of Log4j 2 are affected: 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. Log4j 1.x is not vulnerable to this exploit but is exposed to other, lower-priority vulnerabilities.
Log4j 2.15.0 was released first; it turns message lookup substitution off by default. Log4j 2.16.0 was released subsequently to address a lower-priority vulnerability, CVE-2021-45046. 2.16.0 removes message lookup substitution entirely, disables access to JNDI by default, restricts the protocols by default to java, ldap, and ldaps, and limits the ldap protocols to accessing Java primitive objects only. Hosts other than localhost must be explicitly allowed. 2.17.1 further limits exploitability by restricting JNDI data source names (CVE-2021-44832).
A quick way to assess whether you are affected by this CVE is to search the file systems of your servers for "log4j-core-2.*.jar".
If you are affected by this CVE, remediation options include:
- Upgrade to a patched version of the software that includes Log4j 2.17.1 or higher.
- If the application is using Log4j 2.10 or higher, add the JVM argument
  -Dlog4j.formatMsgNoLookups=true
  to disable Log4j message lookup substitution.
- Replace log4j-core-2.x.jar with the new log4j-core-2.17.1.jar (or higher when available). You may need to update references to this .jar in manifest.mf and other files.
- Remove the JndiLookup class from the jar file manually:
  zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
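The assessment step and the remediation checks above, as an added shell example that is not part of the Genus advisory: it searches a directory tree for log4j-core-2.*.jar files, classifies each by the version ranges stated above, reports whether the JndiLookup class is still inside the jar (the class the zip -d step removes), and lists running JVMs with or without the -Dlog4j.formatMsgNoLookups=true argument. It assumes POSIX sh with find, cut, unzip and ps available; the function names are my own.

```shell
#!/bin/sh
# Added example (not Genus tooling): assess Log4Shell exposure along the lines
# of the advisory. Assumes POSIX sh plus find, cut, unzip and ps.
# The version ranges encoded below are the ones the advisory states.

# classify_log4j_version VERSION
# Prints "vulnerable", "not-vulnerable" or "unknown" for a log4j-core version string.
classify_log4j_version() {
    v="$1"
    case "$v" in
        1.*)           echo "not-vulnerable"; return 0 ;;  # Log4j 1.x is not affected by CVE-2021-44228
        2.0-beta[1-8]) echo "not-vulnerable"; return 0 ;;  # the affected range starts at 2.0-beta9
        2.*)           ;;
        *)             echo "unknown"; return 0 ;;
    esac
    base="${v%%-*}"                            # drop a "-beta9" / "-rc1" suffix
    minor=$(echo "$base" | cut -d. -f2)
    patch=$(echo "$base" | cut -d. -f3)
    : "${minor:=0}" "${patch:=0}"
    case "$minor$patch" in *[!0-9]*) echo "unknown"; return 0 ;; esac
    if [ "$minor" -lt 12 ]; then
        echo "vulnerable"                      # 2.0-beta9 .. 2.11.x
    elif [ "$minor" -eq 12 ]; then
        if [ "$patch" -le 1 ]; then            # 2.12.1 is the last affected 2.12 release
            echo "vulnerable"
        else
            echo "not-vulnerable"
        fi
    elif [ "$minor" -le 15 ]; then
        echo "vulnerable"                      # 2.13.0 .. 2.15.0
    else
        echo "not-vulnerable"                  # 2.16.0 and later
    fi
}

# scan_for_log4j DIR
# Lists every log4j-core-2.*.jar under DIR (tab-separated): path, version,
# status, and whether org/apache/logging/log4j/core/lookup/JndiLookup.class
# is still present in the jar.
scan_for_log4j() {
    find "$1" -type f -name 'log4j-core-2.*.jar' 2>/dev/null | while IFS= read -r jar; do
        ver=$(basename "$jar" .jar)
        ver="${ver#log4j-core-}"
        status=$(classify_log4j_version "$ver")
        if listing=$(unzip -l "$jar" 2>/dev/null); then
            case "$listing" in
                *org/apache/logging/log4j/core/lookup/JndiLookup.class*) jndi="JndiLookup-present" ;;
                *) jndi="JndiLookup-removed" ;;
            esac
        else
            jndi="jar-not-readable"            # not a zip, or unzip is unavailable
        fi
        printf '%s\t%s\t%s\t%s\n' "$jar" "$ver" "$status" "$jndi"
    done
}

# jvm_has_nolookups_flag CMDLINE
# Succeeds when a JVM command line carries -Dlog4j.formatMsgNoLookups=true.
# Per the advisory, the flag only has an effect on Log4j 2.10 or higher.
jvm_has_nolookups_flag() {
    case " $1 " in
        *" -Dlog4j.formatMsgNoLookups=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_running_jvms
# Reports each running java process and whether it carries the mitigation flag.
audit_running_jvms() {
    ps -eo args= 2>/dev/null | grep -E '(^|/)java( |$)' | while IFS= read -r cmd; do
        if jvm_has_nolookups_flag "$cmd"; then flag="flag-set"; else flag="flag-missing"; fi
        printf '%s\t%s\n' "$flag" "$cmd"
    done
}

# Usage: sh log4j-check.sh /path/to/scan
if [ -n "${1:-}" ]; then
    scan_for_log4j "$1"
    audit_running_jvms
fi
```

The scan reports the JndiLookup class separately from the version because a jar whose version falls in the affected range is still mitigated once that class has been removed, and a jar that cannot be listed (for example a damaged file) is flagged rather than silently reported as clean.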
Below is a list of the components used by Genus Media Upshot, their vulnerability status, the suggested remediation, and links to further information.
| Genus Media Upshot | Vulnerability Status | Preferred Remediation | See Also |
|---|---|---|---|
| AMS version 6.0.5 or lower | Not vulnerable, uses log4j 1.x | Upgrade to AMS 6.1.6.0 or higher | |
| AMS version 6.0.6 - 6.1.5.0 | Vulnerable, uses log4j 2.13.2 | Upgrade to AMS 6.1.6.0 or higher | |
| MU for DAM | Not vulnerable, uses log4j 1.x | Upgrade to 7.0.237.0 or higher, 6.4.0.5 or higher | |
| Solr 7.4.0 to 7.7.3, 8.0.0 to 8.11.0 | Vulnerable | Upgrade to Solr 8.11.1 or greater | https://solr.apache.org/news.html#apache-solrtm-8111-available |
| ZooKeeper 3.4.14 or lower | Not vulnerable, uses log4j 1.x | | |
| Apache Artemis | Not vulnerable, uses JBoss logging | | |
| Wowza Streaming Engine 4.8.5 or lower | Not vulnerable, uses log4j 1.x | | |
| Wowza Streaming Engine 4.8.8.01 or higher | Vulnerable | Run Log4j Updater from Wowza | https://www.wowza.com/docs/update-for-apache-log4j2-security-vulnerability |