How is Notarius handling the Log4j vulnerability?
On December 10, 2021, details emerged about a critical remote code execution vulnerability in Apache Log4j version 2.14.1, tracked as CVE-2021-44228. Notarius has assessed this vulnerability and determined that it cannot be exploited on any of its products and solutions (CertifiO, CertifiO Manager, EESP, ConsignO Desktop, ConsignO Cloud, ConsignO Server, VerifiO, Hosted HSM, Hosted VDS and related APIs for all products).
Out of an abundance of caution, we have also taken the following measures:
- December 10: Updated our Web Application Firewalls (WAFs) to filter out any suspicious request that could attempt to exploit the Log4j vulnerability
- December 10: Confirmed that our logs since December 3rd contain no suspicious payload
- December 13: Updated ConsignO Cloud to Log4j version 2.15.0
- December 14 to January 25: Updated CertifiO Manager and the CertifiO Suite with additional Log4j security updates.
- July 19, 2022: Some detection tools that rely only on the name "log4j", without reference to the version number of the library contained within our products, could report false positives. The product versions available on our download page contain the published libraries addressing the vulnerabilities.
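
The false-positive case in the July 19, 2022 note, as an added example that is not Notarius code: instead of matching file names, it reads the version each log4j-core copy declares in its Maven metadata, including copies nested inside a larger archive. The 2.15.0 floor, the function names and the in-memory sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Maven metadata that a log4j-core jar carries; the version is read from here,
# not from the file name.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumption: 2.15.0 is the floor, the release this page names for CVE-2021-44228.
# Raise it to whatever release your own policy requires.
MIN_FIXED = (2, 15, 0)
VERSION_RE = re.compile(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", re.M)

def declared_version(props):
    """Return the (major, minor, patch) declared in pom.properties bytes, or None."""
    m = VERSION_RE.search(props.decode("utf-8", "replace"))
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def scan(name, data, depth=0):
    """List (path, version, verdict) for each log4j-core copy, nested archives included."""
    try:
        jar = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    found = []
    with jar:
        for entry in jar.namelist():
            if entry == POM_PROPS:
                ver = declared_version(jar.read(entry))
                verdict = ("unreadable" if ver is None
                           else "patched" if ver >= MIN_FIXED else "vulnerable")
                found.append((name, ver, verdict))
            elif entry.lower().endswith((".jar", ".war", ".ear")) and depth < 3:
                found += scan(f"{name}!{entry}", jar.read(entry), depth + 1)
    return found

def make_jar(entries):
    """Build a constructed sample archive in memory (test data, not a real product file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, content in entries.items():
            jar.writestr(path, content)
    return buf.getvalue()

if __name__ == "__main__":
    fixed = make_jar({POM_PROPS: "version=2.15.0\n"})
    old = make_jar({POM_PROPS: "version=2.14.1\n"})
    print(scan("log4j-core.jar", fixed))  # a name-only match would flag this copy
    print(scan("app.war", make_jar({"WEB-INF/lib/logging.jar": old})))  # and skip this one
```

A name-only match treats both sample archives the wrong way round: it flags the patched jar and passes over the archive whose file names never mention log4j.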
Our systems are currently running recent versions of Log4j. Although none of the vulnerabilities identified can be exploited on our products, we are closely monitoring this issue and will issue product updates as necessary.