Log4J / Log4Shell vulnerabilities

Update 3 :

Atempo are aware of these CVEs, has completed the verification, and was able to conclude that Atempo product are not impacted by this. Below, you can find more details:

CVE-2022-23302: A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSSink and to the attacker’s JNDI LDAP endpoint.
- Not Impacted
CVE-2022-23307: A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.
- Not Impacted
CVE-2022-23305: By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converted from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs.
- Not Impacted

Update 2 :

ATEMPO products are also not impacted by CVE-2021-45104

Update :

ATEMPO products are also not impacted by CVE-2021-45105 and CVE-2021-45046

About the Log4Shell vulnerability

A zero-day vulnerability “Log4Shell” (CVE-2021-44228) has been disclosed on 9 December 2021 and is already actively being exploited.

Are ATEMPO products affected by this vulnerability?

Investigation has concluded that ATEMPO products are not impacted by the Log4Shell vulnerability.

MIRIA
LINA
ADE
TINA

We have checked the use of the affected software components for all Atempo products. This applies to the entire product range for both current and out-of-date versions.

To learn more about the CVE:

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Log4J / Log4Shell vulnerabilities

Update 3 :

Update 2 :

Update :

Categories

Articles / Posts

Archives

Contact