Log4Shell Vulnerability (CVE-2021-44228) – statement as of February 18, 2021
iCONECT is aware of the “Log4Shell” vulnerability (CVE-2021-44228) in the Apache Log4j v2 library. Apache Log4j is an open-source Java package that lets developers log activity within applications, and some components of the iCONECT platform use it. A bad actor could potentially exploit this vulnerability by causing a malicious string to be logged.
How does this impact you?
iCONECT deployments are isolated with restricted access. iCONECT software does not directly use Apache Log4j v2; however, the platform does have components that depend on or use Apache Log4j v2. Most of those components do not use the versions identified as vulnerable.
We have investigated the third-party components with an impacted dependency and at this time believe a direct exploit is not possible.
How is iCONECT addressing this issue?
We’ve released a patch (10.9.1) that substitutes an empty implementation of the impacted JNDI class as a temporary solution while we investigate updating all instances of Log4j. As a result, security scanning software that only checks the Log4j version may incorrectly identify the component as vulnerable even after this patch is applied.
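A version-only scanner cannot tell a stubbed lookup class from a live one, so a check that opens the jar and inspects the class itself is more useful. The following is an added example, not iCONECT's code and not part of this statement; it assumes the impacted class is JndiLookup and that a functional copy references JndiManager in its constant pool, as in upstream Log4j 2.x, and it builds a constructed sample jar instead of reading a real Log4j build.

```python
import io
import struct
import zipfile

# Assumed names (not from the advisory): the lookup class inside log4j-core, and
# the JndiManager class that a functional JndiLookup references in its constant pool.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JNDI_MANAGER_REF = "org/apache/logging/log4j/core/net/JndiManager"
# Payload size of each fixed-width constant-pool tag (Utf8=1 and Long/Double=5,6 are special).
FIXED_SIZE = {3: 4, 4: 4, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def class_utf8_constants(data):
    """Walk a .class file's constant pool and return its Utf8 strings."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", data[8:10])[0]
    pos, idx, out = 10, 1, []
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            out.append(data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in (5, 6):  # Long/Double occupy two pool slots
            pos, idx = pos + 8, idx + 1
        else:
            pos += FIXED_SIZE[tag]  # KeyError on an unknown tag
        idx += 1
    return out

def assess_jar(jar_bytes):
    """Return 'missing', 'stubbed' or 'functional' for the JNDI lookup class in a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if JNDI_LOOKUP_CLASS not in jar.namelist():
            return "missing"
        consts = class_utf8_constants(jar.read(JNDI_LOOKUP_CLASS))
    return "functional" if JNDI_MANAGER_REF in consts else "stubbed"

def build_sample_jar(stub):
    """Constructed sample jar (not a real Log4j build) with a minimal JndiLookup.class."""
    strings = ["org/apache/logging/log4j/core/lookup/JndiLookup"]
    if not stub:
        strings.append(JNDI_MANAGER_REF)
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    header = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", len(strings) + 1)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(JNDI_LOOKUP_CLASS, header + pool)
    return buf.getvalue()
```

Pointing `assess_jar` at the bytes of a real log4j-core jar reports "stubbed" for a build whose lookup class no longer references the JNDI manager, which is the distinction a version-only scan misses.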
We will continue to monitor and work with our third-party vendors to implement any changes necessary to mitigate potential risks to our clients.
iCONECT Support email: firstname.lastname@example.org
iCONECT Support phone: (855) 645-6190 (non-US +1 519-645-6190)