Log4j/Log4Shell/CVE-2021-44228

Apache Log4j is a Java-based logging utility. It is part of the Apache Logging Services, a project of the Apache Software Foundation. Log4j is one of several Java logging frameworks.

Log4Shell, also known by its CVE number CVE-2021-44228, is a zero-day arbitrary code execution vulnerability in the popular Java logging framework Log4j. [2][3] The vulnerability was disclosed to Apache by Alibaba's Cloud Security Team on 24 November 2021 and published on 9 December 2021. [1][4][5]

Relation to the VSys family of tools

No aspect of VSys One is affected by Log4j/Log4Shell. Various VSys tools such as VSys Live, VSys Live Kiosk and VSys Anywhere use Apache HTTP Server. The Apache HTTP Server itself is not written in Java and does not use the log4j library, so it is not affected by CVE-2021-44228. None of the VSys Live tools make use of or install any tool that uses Log4j, nor do they make use of or install Java in any form.

CVE-2021-44224

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

Relation to the VSys family of tools

Certain versions of VSys Live, VSys Live Kiosk and VSys Anywhere are potentially subject to this vulnerability. In cases where VSys may be vulnerable, the only risk is that of a direct Denial of Service attack in which the vulnerability is used to crash Apache. There are no information disclosure or remote access concerns, due to the way that VSys uses Apache.

Remediation

Apache 2.4.52 is being validated and will be deployed to all hosted customer sites within the next 30 days. On-premise customers can contact our support team to update Apache; that update process will take under 30 minutes with minimal downtime.

CVE-2021-44790

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability, though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

Relation to the VSys family of tools

No version of VSys uses mod_lua and therefore VSys is not affected by this vulnerability.
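The exposure conditions for the two httpd CVEs described above (CVE-2021-44224: version 2.4.7 through 2.4.51 with ProxyRequests on; CVE-2021-44790: 2.4.51 or earlier with mod_lua loaded) can be turned into a local check. The following is an added example and not VSys's own tooling; it assumes the `httpd` binary is on PATH and that the server configuration is readable from a single file path passed by the caller.

```python
import re
import subprocess

# Affected ranges as stated in the advisory text above.
CVE_44224_RANGE = ((2, 4, 7), (2, 4, 51))   # 2.4.7 .. 2.4.51 inclusive
CVE_44790_MAX = (2, 4, 51)                  # 2.4.51 and earlier

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` output such as
    'Server version: Apache/2.4.51 (Unix)'. Returns None if absent."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def assess(banner, loaded_modules, config_text):
    """Map each CVE id to True when the stated exposure conditions hold.
    loaded_modules: output of `httpd -M`; config_text: the httpd config."""
    ver = parse_version(banner)
    if ver is None:
        raise ValueError("could not parse httpd version from banner")
    # Directives are case-insensitive; lines starting with '#' are comments.
    forward_proxy = any(
        re.match(r"\s*ProxyRequests\s+On\b", line, re.I)
        for line in config_text.splitlines())
    lua_loaded = "lua_module" in loaded_modules
    lo, hi = CVE_44224_RANGE
    return {
        "CVE-2021-44224": lo <= ver <= hi and forward_proxy,
        "CVE-2021-44790": ver <= CVE_44790_MAX and lua_loaded,
    }

def assess_local_httpd(config_path):
    """Run the checks against the local installation (httpd must be on PATH)."""
    banner = subprocess.run(["httpd", "-v"], capture_output=True, text=True).stdout
    mods = subprocess.run(["httpd", "-M"], capture_output=True, text=True).stdout
    with open(config_path) as f:
        return assess(banner, mods, f.read())

if __name__ == "__main__":
    # Constructed sample input standing in for a real host's output.
    print(assess("Server version: Apache/2.4.51 (Unix)",
                 "Loaded Modules:\n core_module (static)\n proxy_module (shared)\n",
                 "ServerRoot /etc/httpd\nProxyRequests On\n"))
```

A host that is patched to 2.4.52 or later reports False for both entries regardless of configuration, matching the remediation described above.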