Statement on Log4J vulnerability (CVE-2021-4428)


The major news item over the December 11, 2021 weekend was the report that a critical vulnerability was uncovered in the widespread Log4J logging module. This report had everyone scrambling to find out if their systems were impacted by the issue. Because the exploit allows hackers to execute code remotely on a server, thousands of web sites had to be shut down preventively.

Objectif Lune has run an audit of its own software products to determine if they are vulnerable to this attack. We are pleased to report that none of our current products are exposed to the attack.

More specifically:

| Product | Uses Log4J? |
| --- | --- |
| OL Connect | Versions older than 2018.1 used Log4J. From 2018.1 onwards, a different module is used. |
| PlanetPress Suite | No |
| PrintShop Mail Suite | No |
| PReS Classic | No |
| PReS Enhance | Uses Log4J 1.2.16 which cannot be exploited by an attacker. |

Some of our customers have reported that their IT teams have found references to the Log4J module in the various folder structures used by our products. These references must not be interpreted as a sign that the module is being used. For instance, the log4j.over.slf4j module simply indicates that any Log4J usage is being redirected to the Slf4J logging framework, which is unaffected by the vulnerability.
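A triage sketch for the situation described above, added here as an example and not Objectif Lune's own tooling: it classifies each archive by the entries it actually contains instead of by its file name. The marker paths, verdict strings and sample jars are assumptions based on the standard layout of each artifact, and the check is a heuristic that does not unpack nested archives.

```python
import os
import tempfile
import zipfile

# Heuristic markers, assumed from each artifact's standard layout.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j-core 2.x
BRIDGE_POM = "META-INF/maven/org.slf4j/log4j-over-slf4j/pom.properties"  # SLF4J bridge
LOG4J1_CLASS = "org/apache/log4j/Logger.class"  # 1.x API, also shipped by the bridge

def classify_jar(path):
    """Return a verdict for one archive, or None if no marker entry is present."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return "unreadable archive"
    if JNDI_LOOKUP in names:
        return "log4j-core 2.x (JndiLookup present)"
    if BRIDGE_POM in names:  # tested before LOG4J1_CLASS: the bridge mimics the 1.x API
        return "log4j-over-slf4j bridge"
    return "log4j 1.x" if LOG4J1_CLASS in names else None

def scan(root):
    """Walk root and return {relative path: verdict} for every archive that matched."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith((".jar", ".war", ".ear"))):
            full = os.path.join(dirpath, name)
            verdict = classify_jar(full)
            if verdict:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = verdict
    return findings

def build_sample_tree(root):
    samples = {  # constructed sample jars with empty entries, for demonstration only
        "plugins/log4j-over-slf4j.jar": [LOG4J1_CLASS, BRIDGE_POM],
        "lib/log4j-1.2.16.jar": [LOG4J1_CLASS],
        "lib/log4j-core-sample.jar": [JNDI_LOOKUP],
        "lib/unrelated.jar": ["com/example/Main.class"],
    }
    for rel, entries in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with zipfile.ZipFile(os.path.join(root, rel), "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

To triage a real installation, call `scan()` on the product's installation folder; only a `log4j-core 2.x` verdict needs a version check against the Log4J advisory.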

To check your version of OL Connect without having to open the application, open a Command Line window (CMD) and copy/paste the following command, then press Enter:

wmic datafile where name="C:\\Program Files\\Objectif Lune\\OL Connect\\Connect Server\\ServerService.exe" get Version /value
