Log4j/Log4Shell/CVE-2021-44228

Apache Log4j is a Java-based logging utility. It is part of the Apache Logging Services, a project of the Apache Software Foundation. Log4j is one of several Java logging frameworks.

Log4Shell, also known by its CVE number CVE-2021-44228, is a zero-day arbitrary code execution vulnerability in the popular Java logging framework Log4j. [2] [3] The vulnerability was disclosed to Apache by Alibaba's Cloud Security Team on 24 November 2021 and published on 9 December 2021. [1] [4] [5]

Relation to the VSys family of tools

No aspect of VSys One is affected by Log4j/Log4Shell. Various VSys tools such as VSys Live, VSys Live Kiosk and VSys Anywhere use Apache HTTP Server. The Apache HTTP Server itself is not written in Java and does not use the log4j library, so it is not affected by CVE-2021-44228. None of the VSys Live tools make use of or install any tool that uses Log4j, nor do they make use of or install Java in any form.

CVE-2021-44224

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

Relation to the VSys family of tools

Certain versions of VSys Live, VSys Live Kiosk and VSys Anywhere are potentially subject to this vulnerability. In cases where VSys may be vulnerable, the only risk is that of a direct Denial of Service attack in which the vulnerability is used to crash Apache. There are no information disclosure or remote access concerns for this due to the way that VSys uses Apache.

Remediation

Apache 2.4.52 is being validated and will be deployed to all hosted customer sites within the next 30 days. On-premise customers can contact our support team to update Apache; that update process will take under 30 minutes with minimal downtime.

CVE-2021-44790

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability, though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

Relation to the VSys family of tools

No version of VSys uses mod_lua and therefore VSys is not affected by this vulnerability.
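The two httpd advisories above each depend on both a version range and a configuration condition: CVE-2021-44224 needs an affected build with ProxyRequests On (and, for the SSRF variant, reverse-proxy declarations alongside it), while CVE-2021-44790 needs an affected build with mod_lua loaded. The following script is an added example, not VSys code, that applies exactly those conditions to an `httpd -v` banner and a httpd.conf text. The banner and both config fragments are constructed for the example; the version bounds are the ones stated in the advisories above.

```python
"""Added example (not VSys code): check an Apache httpd build and its config
text against the two httpd CVEs discussed on this page.

Assumptions: the version string comes from `httpd -v` output and the config
text from httpd.conf. SAMPLE_BANNER and SAMPLE_CONFIG_* are constructed
values, not taken from any real deployment.
"""
import re

# Affected ranges as stated in the advisories quoted on the page.
CVE_2021_44224_RANGE = ((2, 4, 7), (2, 4, 51))   # 2.4.7 up to 2.4.51 inclusive
CVE_2021_44790_MAX = (2, 4, 51)                  # 2.4.51 and earlier


def parse_httpd_version(banner: str):
    """Extract (major, minor, patch) from `httpd -v` output such as
    'Server version: Apache/2.4.51 (Unix)'. Returns None if not found."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def _directive_on(config: str, directive: str) -> bool:
    """True if `<directive> On` appears on a non-comment line (case-insensitive)."""
    pat = re.compile(rf"^\s*{directive}\s+on\b", re.IGNORECASE | re.MULTILINE)
    return bool(pat.search(config))


def _module_loaded(config: str, module: str) -> bool:
    """True if a LoadModule line for `module` is present and not commented out."""
    pat = re.compile(rf"^\s*LoadModule\s+{module}\b", re.IGNORECASE | re.MULTILINE)
    return bool(pat.search(config))


def assess(banner: str, config: str) -> dict:
    """Report which of the page's httpd CVEs this build+config is exposed to.

    CVE-2021-44224: affected version AND forward proxy (ProxyRequests On).
    The SSRF variant also needs reverse-proxy declarations; that combination
    is reported separately as 'mixed_proxy'.
    CVE-2021-44790: affected version AND mod_lua loaded.
    """
    ver = parse_httpd_version(banner)
    if ver is None:
        raise ValueError("could not parse httpd version from banner")
    lo, hi = CVE_2021_44224_RANGE
    in_44224_range = lo <= ver <= hi
    forward_proxy = _directive_on(config, "ProxyRequests")
    reverse_proxy = bool(re.search(r"^\s*ProxyPass\b", config,
                                   re.IGNORECASE | re.MULTILINE))
    lua_loaded = _module_loaded(config, "lua_module")
    return {
        "version": ver,
        "CVE-2021-44224": in_44224_range and forward_proxy,
        "mixed_proxy": forward_proxy and reverse_proxy,
        "CVE-2021-44790": ver <= CVE_2021_44790_MAX and lua_loaded,
    }


# Constructed sample inputs: an affected build, one weak config and one
# hardened config (forward proxying off, mod_lua left unloaded).
SAMPLE_BANNER = "Server version: Apache/2.4.51 (Unix)"
SAMPLE_CONFIG_VULNERABLE = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule lua_module modules/mod_lua.so
ProxyRequests On
ProxyPass /app/ http://127.0.0.1:8080/
"""
SAMPLE_CONFIG_HARDENED = """
LoadModule proxy_module modules/mod_proxy.so
#LoadModule lua_module modules/mod_lua.so
ProxyRequests Off
ProxyPass /app/ http://127.0.0.1:8080/
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", SAMPLE_CONFIG_VULNERABLE),
                      ("hardened", SAMPLE_CONFIG_HARDENED)):
        print(name, assess(SAMPLE_BANNER, cfg))
```

The hardened fragment is the shape a deployment that only reverse-proxies a local application (as the page describes for VSys) should have: ProxyRequests Off keeps the server out of the affected forward-proxy configuration regardless of version, and leaving mod_lua unloaded takes CVE-2021-44790 off the table even before the build is updated to 2.4.52.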

CVE-2022-22965 ("Spring4Shell")

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Relation to the VSys family of tools

No version of VSys uses Java in any way, and therefore VSys is not affected by this vulnerability.

Other technologies

Technologies/tools not used by VSys

No version of VSys uses:

  • Java in any form, including Log4j
  • ColdFusion
  • Flash
  • Microsoft Silverlight
  • mod_lua

These modules, plugins, etc. are completely excluded from any VSys installation (VSys One, VSys Live, VSys Live Kiosk, VSys Anywhere) and therefore any vulnerabilities associated with them are not applicable.