Vulnerability in Apache Log4j
Update of 16/12/2021 - 11:16
Hello,
Our teams are currently analyzing the impact of the vulnerability CVE-2021-44228 (Log4Shell, Log4j version 2.x) on ProConcept versions 11.1, 11.2 and 11.3.
Security flaw details: https://cve.report/CVE-2021-44228
ProConcept code does not use this library. Therefore, the core of the ERP is not impacted in versions 11.1, 11.2 and 11.3. (Earlier versions have not been analyzed.)
Log4j version 2.x is, however, used in several external components:
1) For all our ProConcept 11.1 Web customers in version > 11.1.R69
- SAP Crystal Report print server
- Workaround: install the hotfix made available on 15/12/2021, which disables log4j (check with Customer Support)
2) For our customers who have acquired it
- Oracle BI
While awaiting patches from the suppliers, you can reduce the degree of exposure to the vulnerability by ensuring that these components are not accessible from the Internet.
3) Components present in the Oracle database
- Oracle Spatial and Graph
- Trace File Analyzer Collector (TFA)
However, these components are not activated and are not used by ProConcept.
Supplier information page:
- Moovapps https://mymoovapps.net/actualites/vulnerabilite-dans-apache-log4j
- Oracle https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
Regards,
ProConcept
Versioning

| Date | Details | Who |
|---|---|---|
| 16/12/2021 - 11:16 | Clarification of the ProConcept 11.1.R69 version requirement for the Web version | GSP |