Statement about CVE-2021-44228 Log4j vulnerability concerning i-net software products

Are i-net software products vulnerable to the critical RCE CVE-2021-44228 in Log4j, disclosed on 12/10/2021?

Answer

In short: products released by i-net software are not affected by the vulnerability.

Description

The vulnerability only affects Log4j versions 2.0 through 2.14.1 (see https://www.lunasec.io/docs/blog/log4j-zero-day/), none of which were ever used by i-net software products in the first place. We did use version 1.2.17 from 10/2015 until 05/2020 for minor functions without direct web parameter input.

Additionally, only Java versions earlier than 8u191 and 11.0.1 are affected, as per the description linked above. i-net software had to publish a security release in April 2020 which included the then current Java version 11.0.7 for all products that are shipped with a Java 11 VM, specifically: i-net HelpDesk 8.2.374 and newer, i-net PDFC 5.1 and newer, and i-net Clear Reports 17.1 and newer. Earlier product versions from the April 2020 security release that include the Java 8 VM shipped 1.8.0_211 for Windows installers and 1.8.0.191 for macOS installers.

That means that product releases from version 20.10 onward have no reference to log4j whatsoever. Versions prior to 20.10 are not affected because they use a previous major version of Log4j (1.x), even where an affected Java VM may be in use.

Advisory

Even though no products released by i-net software are directly affected by the disclosed critical RCE CVE-2021-44228 in Log4j, it is advised to update to the latest released minor versions. Keeping your installations up to date with our latest supported major versions ensures that you benefit from our latest security patches.

Update

Previous versions of i-net software products required custom Java installations. Customers have to make sure that these have been updated to Java version 8u191 or 11.0.1 or later, as applicable. This includes any server or client installations, such as the i-net Designer or the i-net HelpDesk Standalone Client.
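To verify custom Java installations against the two thresholds named above (8u191 for Java 8, 11.0.1 for Java 11), the following added Python example normalises the version strings found in `java -version` output and in installer file names and compares them. It is an example written for this page, not i-net software's own tooling; the `java -version` outputs in `SAMPLE_JAVA_OUTPUTS` are constructed, and the handling of Java versions the statement does not mention (Java 7 and older, Java 9/10) as "not verified" is this example's own assumption. Treat a passing check as one input to the assessment rather than proof of safety: the JVM default it relies on is a hardening setting in the Java runtime, not a fix for Log4j itself.

```python
import re
from typing import Optional, Tuple

# Minimum JVM versions named in the statement: 8u191 for Java 8, 11.0.1 for Java 11.
MIN_JAVA8_UPDATE = 191
MIN_JAVA11 = (11, 0, 1)

# Constructed sample `java -version` outputs (first line of stderr); not real installs.
SAMPLE_JAVA_OUTPUTS = {
    "windows-installer-2020": 'java version "1.8.0_211"',
    "old-custom-java8": 'openjdk version "1.8.0_181" 2018-07-17',
    "java11-release": 'openjdk version "11.0.7" 2020-04-14',
    "java11-ga": 'openjdk version "11" 2018-09-25',
}


def version_from_java_output(output: str) -> Optional[str]:
    """Pull the quoted version string out of `java -version` output."""
    m = re.search(r'version "([^"]+)"', output)
    return m.group(1) if m else None


def parse_java_version(text: str) -> Optional[Tuple[int, ...]]:
    """Normalise the version formats seen in java output and installer names.

    "1.8.0_211" / "1.8.0.191" / "8u191"  -> (8, 211), (8, 191), (8, 191)  (legacy 1.x scheme)
    "11.0.7" / "11" / "17.0.1+12"        -> (11, 0, 7), (11, 0, 0), (17, 0, 1)
    Returns None for anything it does not recognise.
    """
    text = text.strip().strip('"')
    m = re.fullmatch(r"1\.(\d)\.0[._](\d+)(?:-.*)?", text)   # 1.8.0_211, 1.8.0.191, 1.8.0_211-b12
    if m:
        return (int(m.group(1)), int(m.group(2)))
    m = re.fullmatch(r"(\d)u(\d+)", text)                   # 8u191 marketing form
    if m:
        return (int(m.group(1)), int(m.group(2)))
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+].*)?", text)  # 11.0.7, 11, 17.0.1+12
    if m:
        return tuple(int(g or 0) for g in m.groups())
    return None


def jvm_meets_minimum(version: str) -> bool:
    """True when the JVM is at or above the threshold the statement names.

    Assumption of this example: versions the statement does not cover (Java 7 and
    older, Java 9/10) and unparseable strings are reported as False ("not verified").
    """
    parsed = parse_java_version(version)
    if parsed is None:
        return False
    major = parsed[0]
    if major == 8:
        return parsed[1] >= MIN_JAVA8_UPDATE
    if major == 11:
        return parsed >= MIN_JAVA11
    return major > 11


def check_java_outputs(outputs: dict) -> dict:
    """Map each labelled `java -version` output to a verdict (True = meets minimum)."""
    results = {}
    for label, output in outputs.items():
        version = version_from_java_output(output)
        results[label] = version is not None and jvm_meets_minimum(version)
    return results


if __name__ == "__main__":
    for label, ok in check_java_outputs(SAMPLE_JAVA_OUTPUTS).items():
        print(f"{label:24s} {'OK' if ok else 'UPDATE REQUIRED'}")
```

Run it against the real output of `java -version 2>&1 | head -n 1` on each server and client host (the Designer and Standalone Client included), feeding that line to `version_from_java_output`; the legacy `1.8.0_xxx` form and the `8uxxx` form used in the statement are treated as the same version.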

Update (2021-12-14)

As stated above, log4j 1.2.15 and 1.2.17 were used in earlier versions of our product releases. Per this statement, there is a potential issue when embedding earlier i-net Clear Reports or i-net PDFC releases in custom products that use a JMSAppender implementation.

This issue can be mitigated by updating to version 20.10 or newer of the respective products, since log4j is no longer present in them.

Please note that replacing the embedded log4j 1.x with log4j 2.15.0 or newer is not possible due to API incompatibilities.

Update (2021-12-29)

As stated above, earlier product versions included log4j 1.x, which per CVE-2021-4104 is vulnerable only when specifically configured to use the JMSAppender; this is not the default.

i-net software does not configure the JMSAppender. Customers embedding our products or using them in OEM environments have to make sure not to configure the JMSAppender on their side.
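Since the exposure described in this update hinges entirely on whether a log4j 1.x configuration declares and attaches `org.apache.log4j.net.JMSAppender`, embedding and OEM customers can audit their own configuration files for it. The following Python example is added here for that purpose and is not i-net software's code; it understands both the log4j 1.x properties syntax (`log4j.appender.<name>=<class>`, `log4j.rootLogger=...`) and the log4j 1.x XML syntax (`<appender class="..." name="...">`, `<appender-ref ref="..."/>`). All four sample configurations are constructed for the example and are not taken from any i-net product. The distinction between a JMSAppender that is merely declared and one that a logger actually attaches is this example's own refinement: only the attached case matches the "configured to use JMSAppender" condition above, but a declared-only appender should still be removed.

```python
import re
from typing import Dict, List, Set

# Appender class named in the statement above (the subject of CVE-2021-4104).
JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"

# Constructed sample log4j 1.x configurations; not taken from any i-net product.
SAFE_PROPERTIES = """
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=reports.log
"""

RISKY_PROPERTIES = """
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.Threshold=WARN
"""

DECLARED_BUT_UNUSED_PROPERTIES = """
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""

RISKY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender class="org.apache.log4j.net.JMSAppender" name="jms"/>
  <root>
    <level value="info"/>
    <appender-ref ref="jms"/>
  </root>
</log4j:configuration>
"""


def declared_jms_appenders(config_text: str) -> List[str]:
    """Names of appenders declared with the JMSAppender class, in properties or XML syntax."""
    names: List[str] = []
    # properties syntax: log4j.appender.<name>=org.apache.log4j.net.JMSAppender
    prop_pattern = r"^\s*log4j\.appender\.([\w.-]+)\s*=\s*" + re.escape(JMS_APPENDER_CLASS) + r"\s*$"
    for m in re.finditer(prop_pattern, config_text, re.MULTILINE):
        names.append(m.group(1))
    # XML syntax: <appender ... class="org.apache.log4j.net.JMSAppender" ...>, any attribute order
    for tag in re.finditer(r"<appender\s([^>]*)>", config_text):
        attrs: Dict[str, str] = dict(re.findall(r'(\w+)="([^"]*)"', tag.group(1)))
        if attrs.get("class") == JMS_APPENDER_CLASS:
            names.append(attrs.get("name", "<unnamed>"))
    return names


def referenced_appenders(config_text: str) -> Set[str]:
    """Appender names that the root logger or a named logger attaches, in either syntax."""
    refs: Set[str] = set()
    logger_pattern = r"^\s*log4j\.(?:rootLogger|rootCategory|logger\.[\w.]+|category\.[\w.]+)\s*=\s*(.+)$"
    for m in re.finditer(logger_pattern, config_text, re.MULTILINE):
        # value is "[LEVEL], appender1, appender2"; a level token such as INFO never
        # collides with a JMSAppender name, so it is harmless in the set
        refs.update(tok.strip() for tok in m.group(1).split(",") if tok.strip())
    refs.update(re.findall(r'<appender-ref\s+ref="([^"]+)"', config_text))
    return refs


def jms_appenders_in_use(config_text: str) -> List[str]:
    """JMSAppender declarations actually wired to a logger: the configuration the
    statement tells embedding and OEM customers not to have."""
    refs = referenced_appenders(config_text)
    return [name for name in declared_jms_appenders(config_text) if name in refs]


if __name__ == "__main__":
    samples = [("safe", SAFE_PROPERTIES), ("risky", RISKY_PROPERTIES),
               ("declared-only", DECLARED_BUT_UNUSED_PROPERTIES), ("risky-xml", RISKY_XML)]
    for label, cfg in samples:
        print(f"{label:14s} declared={declared_jms_appenders(cfg)} in_use={jms_appenders_in_use(cfg)}")
```

Point `declared_jms_appenders` and `jms_appenders_in_use` at the contents of every `log4j.properties` and `log4j.xml` that ships with the embedding product; a non-empty result from either function means the configuration must be changed before the fix described in this statement (updating to 20.10 or newer, where log4j is absent) can be considered complete.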

However: as of this statement, version 21.10 of every product has been publicly released and is not vulnerable to any log4j issues. We encourage our customers to update to the latest version.