Yesterday, the following vulnerability was discovered in the Apache Log4j library. Thorough investigation indicates that it is impossible to exploit in the eMagiz runtime without already having access: an attacker would need control over the Thread Context Map, and the eMagiz logging configuration would have to use lookups into that map (which we don't use). Reference: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105. And of course: if you already have access, you don't need an exploit.
Two things are important in this post (https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105):
- The linked advisory describes the lookup pattern that is needed for exploitation; eMagiz does not use it;
- Outsiders have no way to update the Thread Context Map.
This means that this vulnerability does not affect the secure operation of the eMagiz platform.
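To make the precondition above concrete, here is an added illustration of what the Apache advisory means by a Context Lookup in the logging pattern, next to the pattern converter the advisory recommends instead. This is example configuration written for this explanation, not eMagiz's own configuration (which is not shown on this page); the appender names and the `loginId` key are assumptions. The advisory names both the `${ctx:loginId}` and `$${ctx:loginId}` forms; the latter is the one re-evaluated for every log event.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not eMagiz's configuration): two Log4j 2 PatternLayouts side by side. -->
<Configuration status="WARN">
  <Appenders>
    <!-- WEAK: the pattern contains a Context Lookup. On every event the value stored
         under the (assumed) key "loginId" in the Thread Context Map is interpreted as a
         lookup expression. A self-referential value triggers the uncontrolled recursion
         described in CVE-2021-45105 (Log4j 2.0-alpha1 up to and including 2.16.0).
         This is only reachable if the attacker can write into the Thread Context Map. -->
    <Console name="WeakConsole" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - user=$${ctx:loginId} %m%n"/>
    </Console>

    <!-- HARDENED: %X{key} (also %mdc or %MDC) prints the same map entry verbatim; the
         content is never evaluated as a lookup, so no recursion can occur. This is the
         mitigation listed in the Apache advisory for configurations that cannot be
         upgraded to 2.17.0 yet. -->
    <Console name="SafeConsole" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - user=%X{loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="SafeConsole"/>
    </Root>
  </Loggers>
</Configuration>
```

When checking a Log4j 2 deployment against this issue, the two things to verify are therefore exactly the two points listed above: whether any PatternLayout (or other configuration string) contains `${ctx:` / `$${ctx:`, and whether any code path lets untrusted input reach `ThreadContext.put`. If either is absent, the recursion cannot be triggered.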
Last Friday, eMagiz released a new runtime (5.0.4) that incorporates the Apache Log4j patches up to 2.16.0. We have asked our customers to install this update with high priority.
Given the low impact of the new vulnerability on the eMagiz platform, and the soon-to-be-expected new vulnerabilities, we have decided to only release new patches if vulnerabilities are discovered which could pose a security risk to the eMagiz platform.
Therefore no eMagiz runtime version will be published based on Apache Log4j patch 2.17.0.
In this way we can guarantee everyone a high level of security on their eMagiz runtimes, keep the number of maintenance windows to a minimum, and avoid the confusion that a large number of upgrade versions would cause.
Of course, eMagiz closely monitors new vulnerabilities and we try to determine their impact on the eMagiz platform as quickly as possible.
Naturally, vulnerabilities with an impact on (the security of) the eMagiz platform are followed up as soon as possible by an eMagiz patch.
We sincerely hope this addresses your concerns and welcome any questions you may have on this subject. Please contact us at email@example.com.
Published on December 20th, 2021 at 15:56.