Log4J / Log4Shell vulnerabilities
Update 3:
Atempo is aware of these CVEs, has completed its verification, and has concluded that Atempo products are not impacted by them. More details are given below:
- CVE-2022-23302: A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSSink and to the attacker’s JNDI LDAP endpoint.
- Not Impacted
- CVE-2022-23307: A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.
- Not Impacted
- CVE-2022-23305: By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converted from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged, allowing unintended SQL queries to be executed. Note that this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs.
- Not Impacted
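The three Log4j 1.x CVEs above, and Log4Shell further down, share a first step for any defender: finding out whether the affected classes are on a host at all, before asking whether the configuration makes them reachable. The following inventory script is an added example written for this page; it is not Atempo's verification tooling. It walks a directory, opens every JAR/WAR/EAR (and JARs nested one level inside them, as in fat JARs), reads the Log4j version from Maven's pom.properties when present, and reports which of the classes tied to these CVEs are present. The class paths are the standard locations in the Apache artifacts; the sample JAR it builds for its own demo is constructed in a temporary directory and contains empty placeholder .class entries, not real bytecode. A hit means the code is on the classpath; as the advisory text says for JMSSink and JDBCAppender, exploitability still depends on whether the component is actually configured or run.

```python
"""Inventory check for the Log4j classes named in this advisory (added example)."""
import io
import os
import tempfile
import zipfile
from typing import Dict, List

# JAR entry (exact class file, or a package prefix ending in "/") -> issue label.
# Chainsaw is matched by package because it is a separate tool with many classes.
WATCHED = [
    ("org/apache/log4j/net/JMSSink.class", "CVE-2022-23302 (JMSSink)"),
    ("org/apache/log4j/chainsaw/", "CVE-2022-23307 (Chainsaw)"),
    ("org/apache/log4j/jdbc/JDBCAppender.class", "CVE-2022-23305 (JDBCAppender)"),
    ("org/apache/log4j/core/lookup/JndiLookup.class", "CVE-2021-44228 (Log4Shell JndiLookup)"),
]


def _log4j_version(zf: zipfile.ZipFile, names: List[str]):
    """Return the version= value from a Maven pom.properties belonging to a log4j artifact."""
    for n in names:
        if n.startswith("META-INF/maven/") and n.endswith("pom.properties") and "log4j" in n:
            for line in zf.read(n).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def scan_jar_bytes(data: bytes, label: str, depth: int = 0) -> List[dict]:
    """Scan one archive held in memory; recurse into nested .jar entries one level deep."""
    results: List[dict] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return results  # not a zip-based archive; nothing to inspect
    with zf:
        names = zf.namelist()
        hits: Dict[str, str] = {}  # issue label -> first matching entry
        for n in names:
            for prefix, issue in WATCHED:
                if n == prefix or (prefix.endswith("/") and n.startswith(prefix)):
                    hits.setdefault(issue, n)
        if hits:
            results.append({"jar": label, "version": _log4j_version(zf, names), "hits": hits})
        if depth < 1:
            for n in names:
                if n.lower().endswith(".jar"):
                    results.extend(scan_jar_bytes(zf.read(n), f"{label}!{n}", depth + 1))
    return results


def scan_tree(root: str) -> List[dict]:
    """Scan every JAR/WAR/EAR/ZIP below root (sorted so output is stable)."""
    results: List[dict] = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith((".jar", ".war", ".ear", ".zip")):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    results.extend(scan_jar_bytes(fh.read(), path))
    return results


def _jar_bytes(entries: Dict[str, object]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_demo_jar(path: str) -> None:
    """Constructed sample: a 1.2.17 log4j JAR carrying JDBCAppender, with a
    2.14.1 log4j-core JAR (still containing JndiLookup) nested under lib/."""
    inner = _jar_bytes({
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "version=2.14.1\n",
        "org/apache/log4j/core/lookup/JndiLookup.class": b"",  # placeholder, not bytecode
    })
    outer = _jar_bytes({
        "META-INF/maven/log4j/log4j/pom.properties": "version=1.2.17\n",
        "org/apache/log4j/jdbc/JDBCAppender.class": b"",  # placeholder, not bytecode
        "lib/log4j-core-2.14.1.jar": inner,
    })
    with open(path, "wb") as fh:
        fh.write(outer)


def demo() -> List[dict]:
    """Build the constructed sample in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        make_demo_jar(os.path.join(tmp, "app.jar"))
        return scan_tree(tmp)


if __name__ == "__main__":
    for r in demo():
        print(r["jar"], r["version"], sorted(r["hits"]))
```

Running it on a real host means calling `scan_tree("/opt/yourapp")` instead of `demo()`; a JAR that reports only the version with no hits, or a Log4j 2 JAR with JndiLookup.class absent, is the state the Log4Shell mitigation guidance aimed for.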
Update 2:
ATEMPO products are also not impacted by CVE-2021-45104.
Update:
ATEMPO products are also not impacted by CVE-2021-45105 and CVE-2021-45046.
About the Log4Shell vulnerability
A zero-day vulnerability, “Log4Shell” (CVE-2021-44228), was disclosed on 9 December 2021 and is already being actively exploited.
Are ATEMPO products affected by this vulnerability?
Investigation has concluded that ATEMPO products are not impacted by the Log4Shell vulnerability.
- MIRIA
- LINA
- ADE
- TINA
We have checked the use of the affected software components for all Atempo products. This applies to the entire product range for both current and out-of-date versions.
To learn more about the CVE: