
Revised Log4j Vulnerability (CVE-2021-44228)

On 10 December 2021, Synergy SKY became aware of the Log4j vulnerability (CVE-2021-44228), which permits unauthenticated remote code execution (RCE) on any Java application running a vulnerable version of Apache’s Log4j 2 [1]. Synergy SKY has investigated this issue across its Synergy SKY Management Suite as well as its supported legacy applications.

Synergy SKY employs the Log4net component [2], which is not susceptible to the Log4j vulnerability. Customers do not need to update their environments, as exploits for Log4j will not work on the Microsoft .NET Log4net component.

Synergy SKY does have the Apache ZooKeeper (v3.6.2) bundle installed on the server; this bundle contains an earlier version of log4j (v1.2.17), which is not affected by this vulnerability. No immediate action is necessary regarding the CVE-2021-44228 vulnerability. However, given the latest vulnerabilities discovered for log4j, Synergy SKY is following the situation closely and will upgrade the ZooKeeper bundle as soon as a new version with an updated logging framework is made available.
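To confirm which Log4j line a server actually carries, the following added example (not Synergy SKY's or Apache's code) inventories the jar files under a directory, including jars nested inside bundles, and reports whether each is Log4j 1.x or a Log4j 2 log4j-core jar that contains the JndiLookup class. It assumes the jars still carry their Maven pom.properties metadata; the family labels and function names are illustrative.

```python
import io
import os
import re
import sys
import zipfile

# JNDI lookup class in Log4j 2's log4j-core; Maven metadata in the official jars.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_V1 = "META-INF/maven/log4j/log4j/pom.properties"
POM_V2 = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def _version(zf, pom):
    """Read version= from a pom.properties entry, or 'unknown' if absent."""
    if pom not in zf.namelist():
        return "unknown"
    m = re.search(r"^version=(\S+)", zf.read(pom).decode("utf-8", "replace"), re.M)
    return m.group(1) if m else "unknown"

def inspect_jar(jar, label):
    """Return [(label, family, version)] for a jar and any jars nested inside it."""
    findings = []
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:    # Log4j 2 core: compare version with Apache's advisory
            findings.append((label, "log4j2-core+JndiLookup", _version(zf, POM_V2)))
        elif POM_V1 in names:       # Log4j 1.x: a different code line from Log4j 2
            findings.append((label, "log4j1", _version(zf, POM_V1)))
        for name in names:          # bundles and fat jars carry jars inside jars
            if name.lower().endswith(".jar"):
                try:
                    findings += inspect_jar(io.BytesIO(zf.read(name)), f"{label}!{name}")
                except zipfile.BadZipFile:
                    pass
    return findings

def scan_tree(root):
    """Inspect every .jar under root; unreadable or corrupt files are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.lower().endswith(".jar")):
            try:
                findings += inspect_jar(path, path)
            except (zipfile.BadZipFile, OSError):
                pass
    return findings

if __name__ == "__main__":
    for row in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*row, sep="\t")
```

Run it with the installation directory as the only argument; each output row is the jar path, the detected family and the version read from the jar's metadata.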

For all questions and concerns, please reach out to support@synergysky.com or your account manager. Security and privacy remain among the highest priorities at Synergy SKY, and we continue to monitor this situation. If any further updates are needed, they will be posted to this FAQ site.

References

Easterly, J. (2021, December 11). Statement from CISA Director Easterly on Log4j Vulnerability. Cybersecurity and Infrastructure Security Agency. Retrieved from https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability

Nist.gov. (2021, December 10). CVE-2021-44228 Detail. National Vulnerability Database. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Footnotes

[1] The Log4j vulnerability (CVE-2021-44228) permits unauthenticated remote code execution (RCE) on any Java application running a vulnerable version of Apache’s Log4j 2. It poses a severe risk to those using this version, because it can permit unauthorized access to, or complete control over, systems when exploited correctly.

[2] The Apache log4net library is a tool to help programmers output log statements to a variety of output targets. log4net is a port of the Apache log4j™ framework to the Microsoft® .NET runtime environment. While similar to Log4j, the .NET runtime version is not part of the current Log4j vulnerability as referenced under CVE-2021-44228.
