Iptor response to Apache Log4j Remote Code Execution (CVE-2021-44228)

This page will be updated as new information becomes available.

Last updated 17 May, 2022

Update 2022-05-17

Iptor is pleased to announce the release of Iptor Integrator 7.2.0.5

The new package, associated release notes and installation documents can be obtained through support@iptor.com or your account manager. If required, assistance from Iptor is available to plan and execute the installation/upgrade.
This is a security fix release that includes the latest log4j library, with all security fixes for this package as of the date of publishing, 17/05/2022.

Customers are advised to update their systems to the new version as soon as possible.

Update 2022-04-04

Iptor is pleased to announce the release of Iptor XT UI v4.5,1.0. The new package, associated release notes and installation documents can be obtained through support@iptor.com or your account manager. If required, assistance from Iptor is available to plan and execute the installation/upgrade.

This is a security fix release that includes the latest log4j library, with all security fixes for this package as of the date of publishing, 29/03/2022. Customers are advised to update their systems to the new version as soon as possible.

Note: This version no longer includes Studio, for increased security.

Update 2022-01-14

Iptor is pleased to announce the release of Iptor Netstore 15.1.0.0. The new package, associated release notes and installation documents can be obtained through support@iptor.com or your account manager. If required, assistance from Iptor is available to plan and execute the installation/upgrade.

This is a security fix release that includes the latest log4j library, with all security fixes for this package as of the date of publishing, 13/01/2022. Customers are advised to update their systems to the new version as soon as possible.

Update 2021-12-22

Iptor has created a document, based on best practice, on extending security against the Log4j vulnerability.

Iptor has tested and verified that the removal of objects from the Log4j library described in the document does not have a negative impact on the functioning of the Iptor products in scope.

Download the document here.


Update 2021-12-20

Iptor customers running in the Iptor datacentre are protected by a number of security services. During the last few days, Iptor's partner in the datacentre has scanned the supporting applications to make sure no services are affected by the recent Log4j vulnerability. In the past week, some patching activity has already taken place to close vulnerabilities found in applications used to support the datacentre service.

Iptor customer support and professional services will contact any customer located in the datacentre if Log4j is found in their environment and will work on a plan to close the findings, unless they indicate that the application is under a maintenance agreement and has already been taken care of.

If you are located in the datacentre and want Iptor to assist in mitigation actions or patching activities, please log a ticket according to your support agreement with Iptor support.


Update 2021-12-20

Iptor third-party products have been updated on each supplier's web page.

Below are statements from some of the suppliers:

Medius: “We have now closed the investigation of Medius’ products’ potential exposure to the Log4j exploit including among other things review of source code, production systems as well as used 3rd party services. The conclusion is that Medius’ products and services are NOT affected by this vulnerability.”

Apper SIM: “All APPER SIM components are written in Microsoft.NET, so Log4j is fortunately not used.”

Corzia Comflow: “Comflow have Avalon as logger framework Tomcat Java-logger, so log4j is not involved in the web server setup.”

Interform: “Customers running InterForm400 & InterFormNG are not affected by this security vulnerability. Customers running InterFormNG2 should upgrade to the latest version.”

Nextway: “Next® 2.0, Next® as a Service, and Nextway are not affected by the recent Log4j RCE 0-day vulnerability (CVE-2021-44228).”

If you are running a third-party product connected to an Iptor application and want assistance in determining whether you are exposed to this vulnerability, please log a ticket with Iptor support according to your support agreement.


Update 2021-12-20

Iptor has received an update from Adobe that its product AEM needs to be addressed to ensure there are no Log4j vulnerabilities.

Please log a ticket with Iptor Customer support if you need assistance in identifying your version and whether fixes are needed.

If you want to investigate further, see the following link:
Mitigating Log4j2 vulnerability (CVE-2021-44228) for Experience Manager Forms (adobe.com)


Update 2021-12-20

The Apache community has been working on updates to the Log4j logging service since the announcement of the vulnerability in early December.

Versions 2.16 and 2.17 of the Log4j library have both been released.

Iptor products have been verified against these new vulnerabilities and have also been found safe from the CVE-2021-45105 vulnerability.


Update 2021-12-16

Iptor Product is actively monitoring Log4j vulnerabilities across its products and related services. The CVE-2021-44228 vulnerability was raised to us on Friday 10 December 2021. Our teams started immediately investigating and providing remediation to the problem followed by deeper analysis of our products. We also took note of the CVE-2021-4104 and CVE-2021-45046 vulnerabilities which appeared on December 14, 2021.

Short summary: After investigation by our product engineers, we can conclude that Iptor’s Java-based products are currently not vulnerable to the three aforementioned vulnerabilities/issues.

If you have questions or concerns about this matter, please contact support@iptor.com or your account manager. Iptor takes security and reliability as top priorities for our customers.

| Product    | Status       |
|------------|--------------|
| Netstore   | Not affected |
| XT         | Not affected |
| Integrator | Not affected |
