Is TransForm N impacted by the Log4j vulnerability?

Article number: [5657] - Legacy code: [12494]

Applies to

On December 9, 2021, a critical vulnerability (CVE-2021-44228, "Log4Shell") was publicly disclosed in Log4j, an open-source Java logging library maintained by the Apache Software Foundation.

Ongoing analysis has shown that TransForm N 3.x is not affected by CVE-2021-44228 itself, but it is affected by one of the related Log4j 1.2.x vulnerabilities (CVE-2019-17571, see below).

Impact for TransForm N:

CVE-2021-44228
Affected Log4j version: 2.0 - 2.14.1
Impacted: No
Information: No affected Log4j version is used.

CVE-2021-4104
Affected Log4j version: 1.2.x
Impacted: No
Information: No usage of the JMS Appender.

CVE-2019-17571
Affected Log4j version: 1.2.x
Impacted: Yes
Information: TransForm N (TFN) uses affected versions of Log4j (1.2.12 - 1.2.17) and uses the Log4j SocketServer for central logging. The SocketServer deserializes the log events it receives on its listening port without validation, so an attacker who can reach that port can send a crafted serialized object to it; this is why the mitigation below targets the listening ports.

Mitigation:

Block inbound connections to the following ports (TCP, used by the Log4j SocketServer) on the CMS Server firewall:

  • 4563
  • 12345

This disables central logging of the Sidebar Client, the Display Agent, and the Control Panel. In these cases, the log files need to be collected manually from the individual devices if they are needed.

More information on how to block these ports can be found in [KB12513]

If this mitigation is not feasible in your installation, we recommend isolating the system/devices as much as possible in your network and limiting access to the network where possible.
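As an added example (not part of this KB article and not Barco's own procedure, which is in [KB12513]), the following PowerShell shows how the port block above can be applied and verified on the CMS Server. It assumes the CMS Server runs Windows with the built-in Windows Defender Firewall, that the SocketServer ports are TCP, and uses a hypothetical rule name; adjust these to your installation.

```powershell
# Added example, not code from the KB article or from Barco.
# Assumptions (not stated in the article): the CMS Server is a Windows host using the
# built-in Windows Defender Firewall, and the Log4j SocketServer ports are TCP.
# $ruleName is a hypothetical name chosen for this example.
$ports    = @(4563, 12345)
$ruleName = 'TFN-Log4j-SocketServer-Block'

# Idempotent: remove an earlier copy of the rule before re-creating it.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Block inbound TCP connections to the SocketServer ports on every profile.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort $ports `
    -Action Block -Profile Any -Enabled True | Out-Null

# Verify that the rule exists, is enabled, and blocks exactly the expected ports.
$rule = Get-NetFirewallRule -DisplayName $ruleName
if ($rule.Enabled -ne 'True' -or $rule.Action -ne 'Block') {
    throw "Firewall rule '$ruleName' is not active"
}
$filter = $rule | Get-NetFirewallPortFilter
"Rule '$($rule.DisplayName)': $($filter.Protocol) $($filter.LocalPort -join ',') -> $($rule.Action)"

# The Java process may still bind these ports locally; the firewall rule is what
# stops remote clients from reaching them. List any remaining local listeners so
# the operator knows the service itself is unchanged.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

To confirm the block from the network side, run `Test-NetConnection -ComputerName <cms-host> -Port 4563` (and again with `-Port 12345`) from a machine that hosts a Sidebar Client or Display Agent; `TcpTestSucceeded` should be `False` for both ports after the rule is applied. Note that the January 6, 2022 hotfixes apply an equivalent block automatically, so this manual rule is only needed on installations that cannot take the hotfix.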

Solution:

We are currently investigating possible solutions and will update this article when more information is available.

Update December 23, 2021:
A hotfix for all supported versions (3.6 and up) is being prepared and will be available in the coming weeks.

Update January 6, 2022:
CMS Hotfixes have been released which automatically block the needed ports to mitigate this vulnerability while still saving the needed logs locally.
These Hotfixes are released for all supported versions (3.6 and up) and can be found at the bottom of this article. (Login required.)

CVE-2017-5645
Affected Log4j version: 2.0 - 2.8.2
Impacted: No
Information: No affected Log4j version is used.

To ensure optimal security, we recommend always upgrading to the latest version of TransForm N.

Please be aware that some security scanning tools only check the version of a component to decide whether it is vulnerable. Based on our internal investigation of how the component is used and configured, we state whether each vulnerability is actually exploitable in TransForm N (see the impact statement per CVE identifier above). A scanner will therefore continue to flag the bundled Log4j 1.2.x even where the affected code path is not used.

Please note that the above article contains preliminary information and will be updated regularly.

Properties

Last updated 14 Jun 2022