Commencer un nouveau sujet

CVE-2021-44228 / Log4Shell - Log4j Vulnerability (Celiveo is NOT affected)

        

What are Log4J and CVE-2021-44228 / Log4Shell ?


    Log4j is  a Java logging library, it’s part of the Apache logging services and  Apache License 2.0 which means that is free to use and therefore has  become one of the most widely used logging libraries in the world for  Java development.


    CVE-2021-44228 / Log4Shell is  a zero-day vulnerability in Log4j, the vulnerability takes advantage of  Log4j allowing requests from arbitrary LDAP and JNDI servers and not  checking the responses, allowing attackers to execute arbitrary Java  code on a server or other computer, or leak sensitive information.


    CVE-2021-44228 / Log4Shell  is exploitable in Log4j versions higher or equal than 2.0.1 and lower  or equal than 2.14.2 ( => 2.0.1 and  <= 2.14.2), the issue has  been mitigated on versions 2.15 and higher (=> 2.15) and is not  exploitable in log4j version 1.x since this version does not support  LDAP and JNDI.

 


Are SecureJet, Celiveo 8 and Celiveo 8R Impacted ?


    SecureJet 7, Celiveo 8 and Celiveo 8R are not impacted by CVE-2021-44228 / Log4Shell vulnerability.

 


Are there any Celiveo or Celiveo related components/modules that use Log4J and what’s the risk ?


    Yes but there’s no exposure to this specific vulnerability.



Celiveo 8R Web Admin


    Celiveo  Web Admin 8R includes a Ricoh tool (RXOP) that it calls to install the  Ricoh Printer Agent. RXOP uses Log4J version 1.2.17 and as such it is not impacted by the vulnerability.



Celiveo Ricoh Printer Agent


    Celiveo Ricoh Printer Agent It uses Log4J version 1.2.17 and as such it is not impacted by the vulnerability.



Celiveo SAP Connector


    Celiveo  SAP Connector is a connector add-on for Celiveo 8 and Celiveo 8R, it is  not distributed as part of the main product, it needs to be downloaded  and installed on top of the existing Celiveo  / SAP installation, the SAP Connector uses Log4J version 1.2.17 and as such it is not impacted by the vulnerability.


 

CVE-2021-44228 / Log4Shell Reports


    There’re some vulnerability identification software that is wrongly indicating that version 1.2.17 is impacted, which is not. The information about CVE-2021-44228 / Log4Shell and exploitable versions is available on the original exploit report at NVD - CVE-2021-44228 (nist.gov)