Original Version: December 17, 2021
You may have seen that a vulnerability (Log4Shell) has recently been discovered in a piece of software called Log4j from Apache. This has been logged as CVE-2021-44228, you can find details about the issue here.
Log4Shell is a critical vulnerability in the widely used logging tool Log4j, which is used by millions of computers worldwide running online services. A wide range of people, including organisations, governments and individuals are likely to be affected by it. It is important to note that whilst the original exploit has been fixed by Apache, the affected code is used in many different applications. Vendors are currently reviewing their own applications to see if they contain this vulnerability and if they do, how they will resolve the issue.
The United Kingdom National Cyber Security Centre have issued the following overview. They have also issued advice which you can find here.
In Ireland the National Cyber Security Centre have issued a statement which you can find here.
SolutionsPT are a product distributor, we do not create and maintain our own products. Instead, we distribute products on behalf of other companies, we sometimes also design and build solutions using them. Below is a list of the major hardware and software vendors that we work with both directly and indirectly via other parties, please note that this list is not exhaustive and will be expanded when we receive further responses. We have compiled either a web link or a statement about Log4j which you can use to review your solutions against. This is a fast-moving event so please check back frequently, we are seeing daily updates on these websites so it is important that you do not rely on downloads of information that may get quickly out date.
You are advised to follow the application software vendors guidance in remediating this problem. When application patches from vendors are made available, you should consider installing them as soon as possible following your usual patching procedures.
You should also consider taking the following precautions:
- Ensure that your business continuity plan is up to date.
- Ensure that you have up to date backups of your systems, particularly before applying patches or other remediation steps.
- Where network monitoring is deployed, e.g. Claroty CTD etc or you have signature based end point protection installed, you should ensure that it is operating correctly and you have installed the latest threat updates for it.
If you have any questions or require any help you can contact our support team on +44 (0)161 495 4640.
Advantech - SolutionsPT are advised that this vulnerability does not affect the hardware systems that we currently supply
AVEVA - https://softwaresupportsp.aveva.com/#/okmimarticle/docid/ta000032828 (NB This website requires a login account for the AVEVA Global Customer Support site – you may need to login first then click the link again in order for the page to display correctly. If you do not have an account, please contact our support team on +44 (0)161 495 4640 where we will provide you with a pdf copy of the content – however, please see the note above about time sensitivity of information)
Blackberry – https://support.blackberry.com/community/s/article/90708 (NB This website requires login for Blackberry support partners only, please call SolutionsPT technical support on +44 (0)161 495 4640 if you do not have access).
Cogent DataHub - https://cogentdatahub.com/download/technical-specifications/#toggle-id-6
Dell - We recommend that you use the latest available software version - as these contain the latest security patches - and check their issue list as well as our Security website for additional information as input to your patch management policies.
Hirschmann / Belden – “On December 12, 2021, researchers reported a severe 0-day vulnerability, which is referred to as Log4Shell, in Apache Log4j. The vulnerability is also tracked by other organizations under different identifiers, such as CVE-2021-44228 or CERT Coordination Center VU#930724”.
“Belden’s Product Security Incident Response Team (PSIRT) has investigated these vulnerabilities and determined that all networking devices and software tools sold under the Hirschmann brand are not affected by the vulnerability mentioned above”.
Kepware – PTC Log4j response https://www.ptc.com/en/documents/log4j Kepware Specific Information : https://www.ptc.com/en/support/article/CS358996
KUB - "Following the recent critical Log4j CVE (CVE-2021-44228) announcement, published on many CERTs, many of you reached us to check the Log4J impact on the KUB solution. Today we confirm that the KUB solution does not use Log4j library.”
MDT Autosave - https://www.mdt-software.com/wp-content/uploads/2021/12/PressRelease_MDTAutoSave-Log4jSecurityBreach.pdf
OPSWAT - https://www.opswat.com/blog/log4j-vulnerability-update
ProcessVue by MAC Solutions - ProcessVue software does not include JAVA code and does not rely on any software that has a dependency to Log4j
Proteus / Datto - https://www.datto.com/blog/dattos-response-to-log4shell
Software Toolbox - https://support.softwaretoolbox.com/app/answers/detail/a_id/3986
Stratus - ztC computers are not affected. Stratus ftServer : Log4j 2.x is NOT present in the Stratus AUL software running on the ESXi host, or the Stratus Management appliance (ftAppliance), and ESXi OS.
VMWare - https://www.vmware.com/security/advisories/VMSA-2021-0028.html