Log4j Vulnerability (CVE-2021-44228)

This statement sets out our response to the Log4j vulnerability of 2021.

This statement is applicable to all products supported by FMI Works.

Background

In 2021, security researchers discovered a vulnerability in the log4j component and assigned it their highest severity rating, CVSS 10. Security researchers have been working with the Apache Foundation, the author of log4j, to remediate this vulnerability.

This vulnerability has been fixed in version 2.15 of log4j, and a configuration change can also remediate the issue in earlier versions. In late 2021, exploits using this vulnerability were detected. Log4j is a component used within the Java Framework running on Apache web servers. The vulnerability has been assigned the identifier CVE-2021-44228 and has been reported by the Apache Foundation as a known vulnerability.

Products affected

FMI Works products are unaffected by this vulnerability. Our products are designed to run on IIS using the .NET Framework and either log4net or Serilog. log4net is a logging library of the same style as log4j but does not share its source code, and it does not have the vulnerability reported by the Apache Foundation.

As they do not use the log4j component or any of its dependencies, the following products are unaffected by this vulnerability:

FMI Works, Pulse, all Pulse SPEs, Scout Web, Scout Mobile, Sapphire, Capture, and all APIs supporting the above products.

One of our products, however, uses technology licensed from a third-party vendor which does use log4j:

Corporate Dashboard

Fortunately, the version of log4j used by Corporate Dashboard is not on the list of affected versions published by Apache.

Recommended mitigations

Even though the current installation of Corporate Dashboard is not reported as vulnerable, we additionally recommend and/or have applied the mitigation recommended by Apache: turning off message lookups. This is being done as a precaution in case the scope of the known vulnerability expands. Corporate Dashboard does not use this feature, and turning it off will not affect the functionality of the product.

For customers with hosted versions of Corporate Dashboard, we have already applied these changes. For customers running their own Corporate Dashboard, we recommend that you work with our services department to implement these additional safeguards.
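The following is an added example of how a customer running their own Corporate Dashboard could verify the two points above on their installation: that any log4j-core jar present is at or beyond the fixed version (2.15), and that if an older jar is present, message lookups have been turned off. It is not FMI Works' or the third-party vendor's tooling. It assumes the jar carries its version in the manifest's Implementation-Version header and uses Apache's documented switch for disabling lookups (the log4j2.formatMsgNoLookups system property or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable); the sample jars it builds are constructed in memory for the demonstration.

```python
"""Audit a Java deployment for log4j-core jars and the message-lookup mitigation (added example)."""
import io
import os
import re
import sys
import zipfile
from pathlib import Path

# The fix referred to in the statement shipped in log4j 2.15.
FIXED_VERSION = (2, 15, 0)
# Class that implements JNDI message lookups in log4j-core 2.x.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Apache's documented switch for turning off message lookups.
NO_LOOKUPS_PROPERTY = "log4j2.formatMsgNoLookups"
NO_LOOKUPS_ENV = "LOG4J_FORMAT_MSG_NO_LOOKUPS"


def parse_version(text):
    """'2.15' or '2.14.1' -> a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def inspect_jar(data):
    """Read the manifest version and check whether JndiLookup.class is on board."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if match:
                version = match.group(1)
    return {"version": version, "jndi_lookup_present": JNDI_LOOKUP_CLASS in names}


def lookups_disabled(jvm_args, environ):
    """True if lookups are off via -Dlog4j2.formatMsgNoLookups=true or the env var."""
    prefix = f"-D{NO_LOOKUPS_PROPERTY}="
    for arg in jvm_args:
        if arg.startswith(prefix) and arg[len(prefix):].strip().lower() == "true":
            return True
    return environ.get(NO_LOOKUPS_ENV, "").strip().lower() == "true"


def assess(jar_info, jvm_args, environ):
    """'fixed' (>= 2.15), 'mitigated' (lookup class absent or lookups off), else 'review'."""
    version = jar_info["version"]
    if version and parse_version(version) >= FIXED_VERSION:
        return "fixed"
    if not jar_info["jndi_lookup_present"] or lookups_disabled(jvm_args, environ):
        return "mitigated"
    return "review"


def build_sample_jar(version, include_jndi_lookup):
    """Constructed stand-in for a log4j-core jar: manifest plus an optional empty JndiLookup entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


def audit_directory(root, jvm_args, environ):
    """Assess every log4j-core*.jar under root; returns {path: verdict}."""
    results = {}
    for jar_path in Path(root).rglob("log4j-core*.jar"):
        results[str(jar_path)] = assess(inspect_jar(jar_path.read_bytes()), jvm_args, environ)
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python audit.py <install dir> [JVM args...]; env vars come from the process.
        for path, verdict in audit_directory(sys.argv[1], sys.argv[2:], os.environ).items():
            print(f"{verdict:9} {path}")
    else:
        # Offline demonstration on constructed jars (versions chosen for illustration only).
        old = inspect_jar(build_sample_jar("2.14.1", True))
        print("old jar, no mitigation     :", assess(old, [], {}))
        print("old jar, lookups disabled  :", assess(old, [f"-D{NO_LOOKUPS_PROPERTY}=true"], {}))
        print("fixed jar                  :", assess(inspect_jar(build_sample_jar("2.15.0", True)), [], {}))
```

Run it against the Corporate Dashboard install directory, passing the JVM arguments the service is started with; a verdict of "review" means an old jar is present with the lookup class on board and lookups not switched off, which is the combination the mitigation above is meant to rule out.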

Further information