On December 9, 2021 a security vulnerability in an open-source library called Log4J was made public. Log4j is an open-source, Java-based logging library widely used by enterprise applications and cloud services (most often in Java-based applications).
If exploited, this vulnerability allows remote code execution on vulnerable servers, giving an attacker the ability to import malware that allows taking control of targeted systems.
This vulnerability is not unique to OpenText™’s software and could be present in other software that you use in your business as well. We encourage your internal team to examine the impact of this security issue on other vendor software you may be using.
What Log4J versions are affected?
Affected are Log4J versions 2.0 beta 9 through 2.14.1 (CVE-2021-44228). The affected log4j.jar file would have dates from 2013-09-14 to 2021-03-12). Apache released a version last week which fixes the issue, version 2.15.0 (dated 2021-12-06).
Prior versions of Log4j, versions 1.0, 1.1, 1.2 are not affected. The vulnerability is based on a bug in a lookup mechanism, which fails to sanitize URL queries that it eventually executes. Log4j version 1.x doesn’t have a lookup mechanism. Instead, it uses events with encapsulated strings. So it can’t execute malicious log messages that are sent to it.
Examples of OpenText™ applications that use Log4J
Here are some examples of OpenText™ applications that use Log4J. Please note the below examples are provided for information purposes only. This subject should be investigated by your security team.
- OpenText™ StreamServe v. 5.x
- StreamServe v. 5.6.1 – StreamStudio uses log4j v. 1.2.14
- StreamServe v. 5.6.2 – StreamStudio uses log4j v. 1.2.14 and and v. 1.2.15.
- OpenText™ Exstream v. 16.x
- OTDS v. 16.4 appears to use log4j 1.2.17
- OpenText Exstream 16.4
- SOLR integration utility appears to use log4j v. 1.2.17
- StreamServe engine appears to use log4j v. 1.2.13
- Exstream engine appears to use log4j v. 1.2.17
What should you do?
According to CISA, affected users and administrators are encouraged to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately. Everything that uses the affected library versions must be tested with the fixed version in place.
If you need assistance with your OpenText™ applications, as part of the Log4j security fix engagement, feel free to reach out to us. Meanwhile, we at Ecodocx continue to monitor the situation and will keep you apprised of any important updates. We are partners in your success and will continue to communicate any new information as it develops.