Home Forums Miria forums – EN Miria : Troubleshooting & Security Vulnerabilities Log4J / Log4Shell

  • This topic is empty.
Viewing 0 reply threads
  • Author
    Posts
    • #11033
      Product Security TeamProduct Security Team
      Participant
      • Update 3 :

        Atempo are aware of these CVEs, has completed the verification, and was able to conclude that Atempo product are not impacted by this. Below, you can find more details:

        • CVE-2022-23302: A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSSink and to the attacker’s JNDI LDAP endpoint.
          • Not Impacted
        • CVE-2022-23307: A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.
          • Not Impacted
        • CVE-2022-23305: By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converted from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs.
          • Not Impacted

        Update 2 :

        ATEMPO products are also not impacted by CVE-2021-45104

        Update :

        ATEMPO products are also not impacted by CVE-2021-45105 and CVE-2021-45046

        About the Log4Shell vulnerability

        A zero-day vulnerability “Log4Shell” (CVE-2021-44228) has been disclosed on 9 December 2021 and is already actively being exploited.

        Are ATEMPO products affected by this vulnerability?

        Investigation has concluded that ATEMPO products are not impacted by the Log4Shell vulnerability.

        • MIRIA
        • LINA
        • ADE
        • TINA

        We have checked the use of the affected software components for all Atempo products. This applies to the entire product range for both current and out-of-date versions.

        To learn more about the CVE:

Viewing 0 reply threads
  • You must be logged in to reply to this topic.