December 21, 2021
AiRISTA is aware of the Log4j security vulnerability and has begun an investigation to understand the potential exposure. Based on information available as of December 21, 2021, we believe this vulnerability does not impact our Vision, ARC, or Unified Vision (including sofia) customers.
What is Log4j?
Log4j is a Java library that was developed by the open-source Apache Software Foundation. It is used for logging error messages in applications, most notably the Apache web server.
What is the vulnerability?
Essentially, attackers exploit a particular lookup pattern, and during that exploit they can insert code that gives them access to other services running on the same server. Some of those services may allow them to install crypto-mining malware or to take advantage of LDAP servers that may reveal usernames and passwords.
AiRISTA’s use of Log4j
The CVE (Common Vulnerabilities and Exposures) identifier in question is CVE-2021-44228, which affects versions of Log4j 2 prior to version 2.14.1. AiRISTA does not use these versions in any production versions of its software.
THIS DISCLOSURE IS BASED ON INFORMATION PROVIDED BY LOG4J. AIRISTA IS RELYING ON THE TESTING AND DISCLOSURES MADE BY LOG4J AND HAS NOT INDEPENDENTLY TESTED THE LOG4J VERSION IN THE SYSTEM. CUSTOMER USES THE LOG4J PROVIDED BY AIRISTA AT ITS OWN RISK. AIRISTA DISCLAIMS ANY RESPONSIBILITY OR LIABILITY FOR CUSTOMER’S USE OF LOG4J.
If further assistance is needed, please contact us (CustomerService@airista.com).