December 21, 2021
On 9 December 2021, a remote code execution (RCE) vulnerability in Apache Log4j, CVE-2021-44228, was disclosed. Related advisories published since then cover CVE-2021-45046 (an incomplete fix in Log4j 2.15.0), CVE-2021-4104 (the JMSAppender in Log4j 1.2, exploitable only by someone who can already write the logging configuration) and CVE-2021-45105 (a denial of service through uncontrolled recursion in lookup evaluation, fixed in Log4j 2.17.0).
We would like to reassure all our customers that we have taken immediate steps to ensure they are not affected.
The following products do not ship the Log4j library, or ship only a version that is not affected, and are therefore not exposed to any of the Log4j vulnerabilities:
- Petrosys PRO
dbMap/Web and PLDB
Our testing has shown that although dbMap/Web ships the vulnerable Log4j library, there is no known exploit for it in dbMap/Web at this time. To remove any doubt, we have released dbMap/Web 2021.1.5 with an updated version of Log4j. We strongly recommend that all dbMap/Web customers update to 2021.1.5.
Subsequently, a further, less severe vulnerability in Log4j has been found: CVE-2021-45105, a denial of service caused by uncontrolled recursion when a lookup refers to itself, fixed in Log4j 2.17.0. This vulnerability is not exploitable in dbMap/Web or PLDB. A further update of dbMap/Web will be released to address this issue.
Interica OneView and IDS
Interica OneView (IOV) and IDS use a version of the Log4j library that is not affected by the CVE-2021-44228 ‘zero-day’ vulnerability.
IOV uses third-party software components that do use a vulnerable version of Log4j. IOV systems are internal deployments, so the exposure is lower than it would be for a public-facing system. Internal deployment lowers the exposure but does not remove it: any attacker-controlled string that reaches a log statement, including one relayed through another internal system, can trigger the lookup, so the component update should still be applied once it is available.
Interica is updating the third-party software components of its IOV and IDS products to the latest version of Log4j, which does not contain the vulnerability.
In the meantime, an extra layer of protection can be provided by disabling the exploitable functionality in Log4j (the JNDI lookup); please contact Petrosys or Interica Support for more information.
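As an added example (not Petrosys or Interica code), the script below does what that interim mitigation amounts to on a host you administer: it walks a directory tree, reports the version of each Log4j 2 archive, and removes `org/apache/logging/log4j/core/lookup/JndiLookup.class` from archives in which a logged string can still reach it. That is the same class removal Apache recommends, via `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`, for installations that cannot upgrade immediately. It also descends into wars and fat jars, and it keeps flagging anything below 2.17.0 as needing the upgrade, because stripping the class blocks the JNDI path but not the recursion issue in CVE-2021-45105. The file names, the directory layout and the fixtures built by `demo()` are constructed for illustration and are not real Log4j builds.

```python
"""Scan for Log4j 2 archives and strip the JNDI lookup class. Added example for this
advisory, not Petrosys/Interica code; assumes Python 3.8+ and write access to the lib dirs."""
import io
import re
import tempfile
import zipfile
from contextlib import suppress
from pathlib import Path

ARCHIVES = (".jar", ".war", ".ear")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # implements ${jndi:...}
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # has version=
LOOKUPS_FIXED = (2, 16, 0)   # message lookups removed and JNDI off by default
UPGRADE_TARGET = (2, 17, 0)  # also fixes the recursion DoS, CVE-2021-45105

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a tag such as '-beta9' is ignored."""
    nums = [int(re.match(r"\d*", p).group() or 0) for p in text.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def inspect_archive(data):
    """Report on one archive (bytes), descending into nested jars and wars."""
    report = {"version": None, "has_jndi_lookup": False, "nested": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        report["has_jndi_lookup"] = JNDI_LOOKUP in names
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.M)
            report["version"] = match.group(1).strip() if match else None
        for name in (n for n in names if n.endswith(ARCHIVES)):  # fat jars, WEB-INF/lib
            with suppress(zipfile.BadZipFile):
                report["nested"][name] = inspect_archive(zf.read(name))
    return report

def assess(report):
    """(jndi_reachable, needs_upgrade); reachable below 2.16.0 or with unknown version."""
    v = None if report["version"] is None else parse_version(report["version"])
    reachable = report["has_jndi_lookup"] and (v is None or v < LOOKUPS_FIXED)
    upgrade = v is not None and v < UPGRADE_TARGET
    for sub_reachable, sub_upgrade in map(assess, report["nested"].values()):
        reachable, upgrade = reachable or sub_reachable, upgrade or sub_upgrade
    return reachable, upgrade

def strip_jndi_lookup(data):
    """Copy of the archive with JndiLookup.class removed at every depth. Same effect as
    `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue
            payload = src.read(info.filename)
            if info.filename.endswith(ARCHIVES):
                with suppress(zipfile.BadZipFile):
                    payload = strip_jndi_lookup(payload)
            dst.writestr(info, payload)  # keeps each entry's own compression setting
    return out.getvalue()

def scan_tree(root):
    """Map every readable archive under root to its report."""
    findings = {}
    for path in (p for p in Path(root).rglob("*") if p.suffix in ARCHIVES):
        with suppress(OSError, zipfile.BadZipFile):
            findings[str(path)] = inspect_archive(path.read_bytes())
    return findings

def remediate_tree(root):
    """Rewrite in place every archive where JndiLookup is reachable; returns paths touched."""
    touched = [p for p, r in scan_tree(root).items() if assess(r)[0]]
    for path in touched:
        Path(path).write_bytes(strip_jndi_lookup(Path(path).read_bytes()))
    return touched

def build_fixture(version):
    """Constructed stand-in for log4j-core holding only the entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()

def demo():
    """Scan constructed fixtures, remediate, rescan; returns {name: (reachable, upgrade)}."""
    war = io.BytesIO()  # a web app bundling the vulnerable core jar under WEB-INF/lib
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_fixture("2.14.1"))
    fixtures = [("log4j-core-2.14.1.jar", build_fixture("2.14.1")), ("app.war", war.getvalue()),
                ("log4j-core-2.17.0.jar", build_fixture("2.17.0"))]  # 2.17 ships the class too
    with tempfile.TemporaryDirectory() as root:
        for name, data in fixtures:
            Path(root, name).write_bytes(data)
        before = {Path(p).name: assess(r) for p, r in scan_tree(root).items()}
        remediate_tree(root)
        after = {Path(p).name: assess(r) for p, r in scan_tree(root).items()}
    return {"before": before, "after": after}
```

On a real installation, call `scan_tree("/opt/app")` to see the reports and `remediate_tree` to rewrite the flagged archives in place; back the archives up first and restart the JVM afterwards, since a running process keeps the class it has already loaded. The older `log4j2.formatMsgNoLookups=true` setting (available only from Log4j 2.10) has been withdrawn by Apache as a mitigation because CVE-2021-45046 bypasses it in some non-default configurations, which is why the class removal, followed by the upgrade to 2.17.0, is the path shown here.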
Please contact your local office if you have any concerns or would like to discuss this.