Semantic Web Company

Service Information Center

All Systems are Online

Event History

December 2021

Important information about the Apache Log4j vulnerability

Created Wed, 22 Dec 2021 14:05:00 +0000

In Progress

On December 14, 2021, a critical security vulnerability, CVE-2021-45046, was disclosed in the widely used logging library Log4j, which is used within PoolParty Semantic Suite. Semantic Web Company (SWC) immediately delivered instructions on the logging configuration to tackle the impact in the current and previous PoolParty versions. This fix has also been deployed on our whole cloud infrastructure. To finally remediate the issue, we have just released PoolParty 8.1.4 with Log4j 2.16.0, which addresses this vulnerability as well as CVE-2021-44228. PoolParty 8.1.4 is available in our download area (https://cloud.semantic-web.at/index.php/login).

On December 16, 2021, another critical vulnerability in Log4j, CVE-2021-45105, was disclosed and fixed in Log4j 2.17.0. Our assessment showed that this vulnerability cannot be exploited through the PoolParty interface and therefore does not affect the PoolParty Semantic Suite. As the issue cannot be exploited, our information security team lowered the priority for remediation. With our next bug-fix release, Log4j will be updated to 2.17.0 to remediate the vulnerability. Nevertheless, this could trigger false-positive alerts in vulnerability scanners that only look at the Log4j dependencies.

Apache Solr used in PoolParty

PoolParty comes with a built-in Apache Solr server. Solr also uses the Log4j library and is also affected by the above vulnerabilities. Since Solr is not directly accessible but only communicates with PoolParty Semantic Suite, there is no risk that the vulnerabilities can be exploited.

Note: For on-premise installations, we recommend making Solr available only to PoolParty (localhost) and making sure that the respective port (8983) is not exposed.

With PoolParty 8.1.4 we have updated the logging configuration to immediately tackle the impact. With our next bug-fix release we will update Solr to a version that uses Log4j 2.17.0.

Further information for on-premise customers can be found here: https://help.poolparty.biz/en/user-guide-for-knowledge-engineers/troubleshooting/apache-log4j-security-vulnerabilities/apache-log4j-security-vulnerabilities-workaround.html
Posted: Wed, 22 Dec 2021 14:05:00 +0000
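
A check for the on-premise recommendation above, as an added example that is not part of SWC's advisory or of PoolParty's tooling: it filters `ss -ltn` output for listeners on port 8983 that are bound to a non-loopback address. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Solr listeners that are reachable from outside the host.
# Reads `ss -ltn`-style lines on stdin and prints every local socket on the
# given port (default 8983, the Solr port named in the advisory) that is not
# bound to a loopback address.
solr_exposed_listeners() {
    port="${1:-8983}"
    awk -v port="$port" '
        $1 == "LISTEN" {
            n = match($4, /:[0-9]+$/)      # split "addr:port" at the last colon
            if (n == 0) next
            if (substr($4, n + 1) != port) next
            addr = substr($4, 1, n - 1)
            gsub(/^\[|\]$/, "", addr)      # strip IPv6 brackets
            sub(/%.*$/, "", addr)          # strip interface scope such as %lo
            # loopback forms: 127.0.0.0/8, ::1 and IPv4-mapped 127.x
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print $4
        }'
}

# Exit status 0 only when no non-loopback listener exists on the port.
solr_loopback_only() {
    [ -z "$(solr_exposed_listeners "${1:-8983}")" ]
}

# Constructed sample input (not captured from a real system).
sample_ss_lines() {
    cat <<'EOF'
LISTEN 0 50   127.0.0.1:8983          0.0.0.0:*
LISTEN 0 50   [::1]:8983              [::]:*
LISTEN 0 128  0.0.0.0:22              0.0.0.0:*
LISTEN 0 50   *:8983                  *:*
LISTEN 0 50   192.0.2.10:8983         0.0.0.0:*
LISTEN 0 50   [::ffff:127.0.0.1]:8983 *:*
LISTEN 0 50   127.0.0.1:18983         0.0.0.0:*
EOF
}

# Demo on the constructed sample. On a live host: ss -ltnH | solr_exposed_listeners
sample_ss_lines | solr_exposed_listeners
```

A clean result only covers socket binding on the host itself; firewall rules and container port mappings still need to be reviewed separately.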

Emergency Maintenance

Created Mon, 13 Dec 2021 14:30:00 +0000

Resolved

Maintenance completed.
Posted: Mon, 13 Dec 2021 18:00:00 +0000