Notes on the Log4j vulnerability
A critical vulnerability in the Java library Log4j is currently dominating the headlines. The IT world is declaring a "red alert". Below we list to what extent our vendors' solutions use the Java library Log4j and what consequences follow from that.
Always up to date
In this news item you will find statements and, where applicable, recommended actions from the vendors BitTruster, DataLocker, NetSupport, OPSWAT, ProLog, Safend and SecurEnvoy on handling the CVE-2021-44228 vulnerability, in their original form without translation. Links to the corresponding vendor pages are also listed where available.
We are working to obtain corresponding statements from the remaining vendors promptly.
SecurEnvoy – SecurAccess and SecureIdentity MFA
14.12.21: Please be advised that the Apache log4j Library Vulnerability (CVE-ID - CVE-2021-44228) does not affect SecurAccess. Therefore, no mitigation steps are required on the SecurEnvoy Application.
BitTruster – BitLocker Management
14.12.21: We are aware of the situation and are closely monitoring it. BitTruster v5 does not make use of Log4Shell; instead we are using an extension for .NET, which is Log4Net. As per our current research, the exposed component for now is Log4j, which is a Java extension, while we use Microsoft technologies.
The BitTruster solution itself does not depend on internet access, which means that the server hosting BT could be disconnected from the public internet as a precaution without impacting functionality. We are of course monitoring the situation closely for now, and our soon-to-be-released v6.0 will no longer rely on Log4Net at all.
ProLog AG – Log Management & SIEM
The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) published a security warning yesterday regarding the critical vulnerability in log4j (CVE-2021-44228).
Since we do not use any Java libraries in ProLog, neither in the server appliance nor in our agents, our application is not affected by the current vulnerability.
OPSWAT – MetaDefender
16.12.21: As we continue to monitor the updates and developments surrounding CVE-2021-44228, we are aware of the recent guidance outlined in CVE-2021-45046 that addresses the incomplete fix for Apache log4j 2.15.0 in certain non-default configurations.
At this time, we do not assess that this changes any currently published mitigation steps released regarding CVE-2021-44228.
14.12.21: OPSWAT has completed a full analysis of all OPSWAT products that could be affected by the log4j vulnerability and has not identified any exposure that would impact the safe use of any OPSWAT products or services.
Product recommendations or configurations have been communicated to MetaAccess Cloud, OPSWAT Central Management, and MetaAccess NAC customers and updated on our blog. No product recommendations or configurations are applicable to any of our other products at this time.
13.12.21: We are following up in reference to the critical vulnerability CVE-2021-44228 which has been discovered in Apache log4j and may allow remote code execution.
OPSWAT Central Management (OCM) uses the Apache log4j library as one of its dependencies. We recommend that customers running OCM version 7.16 or earlier upgrade to version 7.17 or newer and apply a recommended configuration change to mitigate this specific exploit and others that might target the JNDI-related log4j capabilities in the future. The mitigation configuration change instructions can be found in this knowledge base article.
Moving forward, we will continue to update the log4j vulnerability update blog page with new developments and will contact any affected customers with any required configuration changes or updates.
NetSupport – NetSupport Manager, NetSupport DNA, NetSupport School....
15.12.21: On Dec 9th, 2021, security researchers published a report of a high-risk “zero day” vulnerability (CVE-2021-44228) affecting a common software package (Apache Log4J) that can allow remote code execution.
None of the NetSupport solutions use the log4j library and therefore have not been impacted by this vulnerability.
The most important NetSupport solutions
DataLocker – SafeConsole
12.12.21: SafeConsole On-premise customers should update their SafeConsole installations immediately.
SafeConsole 5.9.3 Hotfix-2 (5.9.3.92) - Released December 10th, 2021
Security Fixes:
Updated Log4j2 Library to 2.15 to mitigate CVE-2021-44228
DataLocker statement and download
Safend – Data Loss Prevention
15.12.21: Safend products do not link or interface with Log4J libraries. Safend products use some libraries to print internal debugging statements, called Log4cxx version 1.0.1.5_VS2015 and Log4Net version 1.2.11.0. We are aware that both libraries have a newer version. We will integrate with those two new versions in a later release by the end of qtr 1, 2022.