Regarding the zero-day Java exploit that has surfaced in the last couple of days: we have heard from our development team that it DOES NOT apply to our software.
iDashboards version 11.3a (released 1/31/2022) DOES NOT use log4j at all; it has been removed from our product. For any version below 11.3a, we used log4j version 1.2.17, which is not affected by this exploit, found only in later versions:
- Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package
- CVE-2021-44228 – Log4j 2 Vulnerability Analysis
- NVD CVE-2021-44228 Detail
The last link does not make clear which versions are affected; however, the first two state clearly that the affected versions are 2.0 to 2.14.1.
We also do not use JMSAppender, and that vector looks like a bit of a stretch in any case: for an attacker to have write access to the log4j configuration, they would likely need filesystem access on the server hosting the application, so it could not be exploited simply by sending an HTTP request, as the other one can.
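As an added, defender-side example that is not part of this article or of the iDashboards product, the following Python script inventories a deployment for the two facts the statement above rests on: which log4j family and version each jar carries (family from the package layout, version from the jar's MANIFEST.MF Implementation-Version header, which is assumed to be present) and whether a log4j 1.x configuration wires up JMSAppender. The jar contents it builds are constructed sample input.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4SHELL_RANGE = ((2, 0, 0), (2, 14, 1))   # inclusive, as stated in the linked write-ups
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"  # log4j 1.x appender class name

def build_jar(entries):
    """Constructed sample jar (a jar is a zip) from {entry path: text}; test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in entries.items():
            zf.writestr(path, text)
    return buf.getvalue()

def parse_version(manifest):
    """Implementation-Version from MANIFEST.MF as a 3-tuple, or None if absent (assumption)."""
    m = re.search(r"^Implementation-Version:\s*(\d+(?:\.\d+)*)", manifest, re.M)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def inspect_jar(data):
    """Classify one jar: log4j 1.x (org/apache/log4j/) vs 2.x core, version, Log4Shell range."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        manifest = (zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                    if "META-INF/MANIFEST.MF" in names else "")
    family = (2 if any(n.startswith("org/apache/logging/log4j/core/") for n in names)
              else 1 if any(n.startswith("org/apache/log4j/") for n in names) else None)
    version = parse_version(manifest)
    in_range = (family == 2 and version is not None
                and LOG4SHELL_RANGE[0] <= version <= LOG4SHELL_RANGE[1])
    # JndiLookup.class is reported separately: it also ships in fixed 2.x releases.
    return {"family": family, "version": version,
            "jndi_lookup": JNDI_CLASS in names, "log4shell_range": in_range}

def config_uses_jms_appender(config_text):
    """True if a log4j 1.x properties or XML config references JMSAppender."""
    return JMS_APPENDER in config_text

def assess(jars, config_text):
    """Per-jar reports plus the two yes/no answers a defender wants for this advisory."""
    reports = [inspect_jar(j) for j in jars]
    return {"jars": reports,
            "log4shell_exposed": any(r["log4shell_range"] for r in reports),
            "jms_appender_configured": config_uses_jms_appender(config_text)}
```

Against a real install, pass the jar bytes (`open(path, "rb").read()`) and the text of the log4j configuration file to `assess`.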
At this time we do not know when development plans to move forward with upgrading to Log4j 2; however, it does appear we will likely move to v2.15.0 to utilize Java 17+.
From Development:
Utilization of the Log4j 1.x to 2.x Bridge will NOT work with iDashboards; please upgrade to v11.3 to remove Log4j issues.
Comments
When you say "Dashboards uses log4j version 1.2.17," which versions of iDashboards are you referring to? Just the current 11.2 build? Would older versions be affected differently?