No categories assigned

Log4Shell

Revision as of 12:45, 13 December 2021 by Mlink-rodrigue (talk | contribs)

Event

Log4j vulnerability

Current vulnerability assessment in BlueSpice (overview)

  • BlueSpice free, pro, farm
    • On-premise installations are not affected.
    • The Docker version is not affected.
  • BlueSpice cloud is not affected.

This is true for instances that we have installed. Customers have to check their part of the installation (i.e., OS, additional packages, etc.)

Detailed vunlerability assessment

Inspected components in BlueSpice

  • ElasticSearch => ElasticSearch reports that they are not affected:
    https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
    No code-red alert, but we keep an eye on it. => not vulnerable
  • Java-Server
    • Tomcat => explicit configuration of log4j is necessary. By default, log4j is not activated. We do not change this. => not vulnerable
    • Jetty => explicit configuration of jetty is necessary. By default, log4j is not activated. We do not change this. => not vulnerable
  • Java Webservices
    • xhtmlrenderer => a log4j plugin exists, but is not used by our service => not vulnerable
    • VisualDiff => uses daisydiff + others. Does not use log4j => not vulnerable
    • LaTeX2png => uses the jlatexmath library. Does not use log4j => not vulnerable
  • Draw.io reports that the appication is not affected:
    https://twitter.com/drawio/status/1470061320066277382 => not vulnerable

Inspected components in the Docker image

The ist of Docker files in the activated packages has been inspected. => not vulnerable

Attachments

Discussions