log4j Vulnerability Update

Note: OPSWAT is continuing to update this blog post with additional information as it becomes available.

Update — Dec. 24, 2021 — 12:30 PM EST

As we continue to monitor the updates and developments surrounding CVE-2021-44228, we are aware of the recent guidance outlined in CVE-2021-45105, which indicates that Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) may not protect against uncontrolled recursion from self-referential lookups, which could result in denial of service.

At this time, we do not assess that this update changes any currently published or communicated mitigation steps released regarding CVE-2021-44228.

Should any changes occur, or should our assessment change, we will continue to post notifications on this blog.

If you have any additional questions or concerns, please reach out to us through any of our support channels.

Update — Dec. 15, 2021 — 5 PM EST

As we continue to monitor the updates and developments surrounding CVE-2021-44228, we are aware of the recent guidance outlined in CVE-2021-45046, which addresses the incomplete fix for Apache log4j 2.15.0 in certain non-default configurations.

At this time, we do not assess that this changes any currently published mitigation steps released regarding CVE-2021-44228.

Should any changes occur, or should our assessment change, we will continue to post notifications on this blog.

If you have any additional questions or concerns, please reach out to us through any of our support channels.

Update — Dec. 14, 2021 — 2 PM EST

OPSWAT has completed a full analysis of all OPSWAT products that could be affected by the log4j vulnerability and has not identified any exposure that would impact the safe use of any OPSWAT products or services.

Product recommendations or configurations have been communicated to MetaAccess Cloud, OPSWAT Central Management, and MetaAccess NAC customers and updated on this blog. No product recommendations or configurations are applicable to any of our other products at this time.

If you have any additional questions or concerns, please reach out to us through any of our support channels.

Update — Dec. 13, 2021 — 5 PM EST

We have been reviewing all OPSWAT technologies and packages to determine if any are potentially vulnerable to this exploit.

We have discovered that OPSWAT Central Management (OCM) uses the Apache log4j library as one of its dependencies – but it is important to note that OPSWAT has not identified any exposure to the log4j vulnerability that would impact the safe use of any OPSWAT products or services at this time.

We do recommend that customers running OCM version 7.16 or earlier upgrade to version 7.17 or newer and apply a recommended configuration change to mitigate this specific exploit and others that might target the JNDI-related log4j capabilities in the future. The mitigation configuration change instructions can be found in this knowledge base article.

If you have any specific questions, please open a support case and let us know in our customer portal.

Should any changes occur, or should our assessment change, we will continue to notify via email and blog.

Update — Dec. 13, 2021 — 12 PM EST

Since our previous update on Dec. 12, 2021, related to the actions we are taking regarding CVE-2021-44228, also known as the log4j vulnerability, we have been actively reviewing all OPSWAT technologies and packages to determine if any are potentially vulnerable to this exploit.

Here are the actions that we have already taken to mitigate the risk of the log4j exploit:

  • MetaAccess Cloud: Due to the zero-day vulnerability discovered in the Apache log4j logging library that enables attackers to take control of vulnerable servers (CVE-2021-44228), we have, out of an abundance of caution, applied a recommended configuration change that will reduce the possibility of this specific exploit and others that might target the JNDI-related log4j capabilities in the future. No further action is required from our customers. This was completed with no user impact.

If we determine that any other OPSWAT technology or package could potentially be vulnerable, we will notify all affected customers, along with any required configuration changes or updates.

It is important to note that, at the time of this update, OPSWAT has not identified any exposure to the log4j vulnerability that would impact the safe use of any OPSWAT products or services.

Should this assessment change, we will update any affected customers directly.

Should you want to learn more about this specific vulnerability, in addition to the NIST write-up, the SANS Internet Storm Center has released a comprehensive overview. We will provide an update to our review at 5:00 PM EST.

Update — Dec. 12, 2021 — 9:45 PM EST

On Friday, December 10, 2021, we, along with the rest of the tech community, received news of active exploitation of a previously unknown zero-day vulnerability (CVE-2021-44228) in a common component of Java-based software, referred to as log4j.

Since notification, we have been actively reviewing all OPSWAT technologies and packages to determine if any are potentially vulnerable to this exploit. Please know this review continues, and should we determine that any OPSWAT technology or package could potentially be vulnerable, we will notify all affected customers, along with any required configuration changes or updates.

We are working through this review as quickly as we can. It is important to note that as of this time, OPSWAT has not assessed any material exposure to the log4j vulnerability that would impact the safe use of any OPSWAT products. Should this assessment change, we will update any affected customers directly.

We will provide an update of our review on December 13, at 12:00 PM EST. If you have any additional questions or concerns that you want addressed before then, please reach out to us through any of our support channels.

Should you want to learn more about this specific vulnerability, in addition to the NIST write-up, the SANS Internet Storm Center has released a comprehensive overview.

Thank you for your continued business and partnership!