
Apache Log4j vulnerability CVE-2021-44228 

Comments

10 comments

  • Mark Peacey

    Does this mean Log4J is in Geocortex Essentials and Geocortex Analytics but is an older version? If so what versions are Geocortex Essentials and Analytics using?

     

    Thanks

    0
  • Malcolm Walker
    • Community Manager

    Hi Mark,

    Log4j 1.2.17 is used by all supported versions of Geocortex Essentials and Geocortex Analytics. This version is confirmed to be not vulnerable to the Log4Shell attack. While this 1.x library is no longer supported by the open source community, it does not pose a security vulnerability to applications that use it. As VertiGIS reviews third-party dependencies on open source products, we make decisions to upgrade those when doing so would resolve an issue (either security related or otherwise), provide additional value in the product offering, or enable us to better support our customers. We continue to provide support for Geocortex offerings that may reference open source libraries that are no longer supported by the community, and we are not aware of security vulnerabilities or value propositions that would necessitate an upgrade of those libraries.

     

    Regards,

    -Malcolm

    0
  • Permanently deleted user

    Hi,

     

    If we have an external WAN-to-LAN rule in place to allow Geocortex Essentials sites to be shown externally, with these sites pointing to internal mapping services on an ESRI 10.4.1 application server, is there an impact/risk on the vulnerable Apache/log4j service on the ESRI 10.4.1 server from allowing a rule that shows Geocortex sites externally with 10.4.1 map services in them?

     

    Thanks

    0
  • Permanently deleted user

    Hello,

     

    While checking our vulnerability, our IT department discovered an older vulnerability for Log4J 1.2. Is this a security risk for using Geocortex products?

     

    https://nvd.nist.gov/vuln/detail/CVE-2019-17571

     

    Regards,

    Geert

     

    0
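Malcolm's statement of the version in use and the CVE-2019-17571 link Geert posted both come down to one practical check an administrator can run on the server: which log4j jars are actually on disk, whether each belongs to the 1.x or 2.x line, what version it is, and whether the class tied to each CVE is present in it. The script below is an added example, not VertiGIS/Geocortex code. It builds a constructed sample directory of jars (the file names, manifest values and class entries are assumptions for the demo) and reports facts plus follow-up questions rather than a verdict, because a SocketServer class sitting in a 1.2.17 jar is only exploitable if the application actually starts a SocketServer.

```python
# Inventory log4j jars under an install directory: Log4j line, version, and
# whether the indicator classes for the CVEs in this thread are present.
# Added example, not VertiGIS/Geocortex code; the sample jars are constructed.
import os
import re
import tempfile
import zipfile

# JndiLookup implements the ${jndi:...} lookup abused by CVE-2021-44228 in
# Log4j 2.x. SocketServer is the Log4j 1.2.x class that deserialises untrusted
# input (CVE-2019-17571); it is only reachable if the application starts a
# SocketServer, so its presence in the jar is a fact to investigate, not a verdict.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"

VERSION_RE = re.compile(r"^(?:Implementation|Bundle)-Version:\s*(\S+)", re.M)
FILENAME_RE = re.compile(r"log4j[\w-]*?-(\d+(?:\.\d+)*)", re.I)


def version_tuple(v):
    """'2.14.1' -> (2, 14, 1). A suffix such as '-beta9' is dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))


def inspect_jar(path):
    """Return the facts about one jar, or None if it is not a log4j jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    if any(n.startswith("org/apache/logging/log4j/") for n in names):
        family = "2.x"
    elif any(n.startswith("org/apache/log4j/") for n in names):
        family = "1.x"
    else:
        return None
    # Prefer the manifest; fall back to the version embedded in the file name.
    m = VERSION_RE.search(manifest) or FILENAME_RE.search(os.path.basename(path))
    return {
        "family": family,
        "version": m.group(1) if m else "unknown",
        "jndi_lookup": JNDI_LOOKUP in names,
        "socket_server": SOCKET_SERVER in names,
    }


def assess(info):
    """Map the facts to the follow-up questions a reviewer should ask."""
    notes = []
    v = version_tuple(info["version"]) if info["version"] != "unknown" else ()
    if info["family"] == "2.x":
        if info["jndi_lookup"] and v and v < (2, 15, 0):
            notes.append("CVE-2021-44228: JndiLookup present in a 2.x build below 2.15.0")
        if v and v < (2, 17, 0):
            notes.append("below 2.17.0: check the Apache advisory for the later 2.x CVEs")
    elif info["socket_server"]:
        notes.append("CVE-2019-17571: SocketServer present; exploitable only if "
                     "the application runs a SocketServer")
    return notes


def scan_tree(root):
    """Walk root; return {path relative to root: (facts, notes)} for each log4j jar.
    Jars nested inside .war/.ear archives are not opened here."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, f)
            try:
                info = inspect_jar(path)
            except zipfile.BadZipFile:
                continue
            if info:
                found[os.path.relpath(path, root)] = (info, assess(info))
    return found


def build_sample_tree():
    """Constructed sample install (not a real Geocortex layout) for an offline run."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def make_jar(name, version, entries):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
            for e in entries:
                zf.writestr(e, b"\xca\xfe\xba\xbe")  # class-file magic is enough here

    make_jar("log4j-1.2.17.jar", "1.2.17", ["org/apache/log4j/Logger.class", SOCKET_SERVER])
    make_jar("log4j-core-2.14.1.jar", "2.14.1", ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP])
    # 2.17.0 still ships JndiLookup; the version, not the class, is what clears it.
    make_jar("log4j-core-2.17.0.jar", "2.17.0", ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP])
    make_jar("commons-io-2.8.0.jar", "2.8.0", ["org/apache/commons/io/IOUtils.class"])
    return root


if __name__ == "__main__":
    for name, (info, notes) in sorted(scan_tree(build_sample_tree()).items()):
        print(name, info["family"], info["version"], "; ".join(notes) or "no indicator hit")
```

Point `scan_tree` at the real install root instead of `build_sample_tree()` to run it against a server. The deliberate split between facts and notes is what makes the output useful in a thread like this one: the 1.2.17 jar is reported with SocketServer present, but the note says the class is only a problem if the application starts a SocketServer, which is exactly the question a code review of how the library is referenced has to answer.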
  • David Wright

    @Malcolm Walker, the post from @Geert Claessens raises a very valid question, since the version IN USE is also compromised.

    0
  • Stefan Schweigert

    Hi All,

     

    We have also conducted internal testing of all Geocortex products and though the log4j library is included in Geocortex Core, it does not reference the library in a way that could be vulnerable, as confirmed by code reviews and execution of a vulnerability scanner.

     

    Thanks, Stefan

    0
  • Permanently deleted user

    Hi @Stefan Schweigert, may I just confirm explicitly that when you say "this library" in your above post you are referring to the 1.x library?

     

    Thank you,

    Vanessa

    0
  • Stefan Schweigert

    Hi Vanessa,

     

    Yes, that's correct.

     

    Thanks, Stefan

    0
  • Permanently deleted user

    Given the recent additional vulnerabilities discovered in Log4j - Does VertiGIS still believe that Geocortex Essentials is not vulnerable to a Log4j exploit? Can Log4j be uninstalled from Geocortex Essentials? If not - can Log4j be upgraded to 2.17.0?

     

    Thanks, Dan

    0
  • Stefan Schweigert

    Hi Dan,

     

    We've re-run our security tests after the announcement about 2.16 and again found no issues with the version currently in use by Core.

     

    Thanks, Stefan

    1
