Log4J Vulnerabilities and Impacts on Viakoo Customers
December 22nd, 2021
Viakoo customers are not at risk from the Log4J vulnerabilities, whether through the Viakoo Agents installed in their infrastructure, through the Viakoo hosted service, or through the Viakoo OnPremises service.
Log4J 2 has recently had some highly visible vulnerabilities, but none of them are present in the version of Log4J that Viakoo uses. The version Viakoo does use (1.2.17) contains one class with a known vulnerability, but that class is not used by the Viakoo system.
Vulnerabilities Revealed in Log4J 2.0-2.16
In the last ten days, a set of critical vulnerabilities were reported against Log4J, primarily around exploitation of the "Lookup" feature in version 2.x of the package.
- CVE-2021-44228, affecting versions 2.0-2.12.1 and 2.13-2.15, allows an attacker to inject executable code through log-stream processing by leveraging the lookup feature. This feature was removed in 2.16. (vulnerability score of 9.3)
- CVE-2021-45105 affects 2.16 and allows an attacker to cause infinite recursion, thereby creating a denial of service. This has been fixed in 2.17. (vulnerability score of 5.0)
Viakoo's Use of Log4J 1.2.17
Viakoo Agents use Log4j 1.2.17, which pre-dates the "Lookup" feature. As a result, this version contains neither of these issues and does not require an immediate patch. Log4j 1.2.17 does contain the following problem:
- CVE-2019-17571, affecting versions 1.2 through 1.2.17, allows deserialization of untrusted data received by the SocketServer class. (vulnerability score of 7.5)
Viakoo's use of Log4j 1.2.17 explicitly avoids the SocketServer class. There are no other known issues of note for this version.
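The two sections above rest on two checks a customer can repeat for themselves: which Log4j version a jar actually carries, and whether the one vulnerable 1.x class (SocketServer) is ever started. The script below is an added example, not Viakoo's code, that performs both checks offline. It reads the Maven pom.properties marker that unmodified upstream Log4j jars ship with (an assumption; shaded or custom builds may lack it), classifies the version against the affected ranges exactly as this advisory states them, and searches a launch script or config for a reference to org.apache.log4j.net.SocketServer. The jar and launch line it runs on are constructed inline; com.example.Agent is a hypothetical class name.

```python
import io
import re
import zipfile

# Maven pom.properties paths that the official Log4j jars carry; a custom
# or shaded build may not include them (assumption: unmodified upstream jars).
POM_PATHS = {
    "META-INF/maven/log4j/log4j/pom.properties": "log4j-1.x",
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "log4j-2.x",
}

# Class whose presence in a startup script or config indicates the
# deserializing socket server of CVE-2019-17571 is actually run.
SOCKET_SERVER_CLASS = "org.apache.log4j.net.SocketServer"


def parse_version(version: str):
    """'2.12.1' -> (2, 12, 1); '2.16' -> (2, 16, 0); qualifiers like '-rc1' dropped."""
    parts = [int(p) for p in version.split("-")[0].split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def detect_log4j(jar_bytes: bytes):
    """Return (family, version) for a Log4j jar, or None if no marker is found."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        for path, family in POM_PATHS.items():
            if path in names:
                props = zf.read(path).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", props, re.M)
                if m:
                    return family, m.group(1)
    return None


def uses_socket_server(text: str) -> bool:
    """True if a launch script / config references the SocketServer class."""
    return SOCKET_SERVER_CLASS in text


def assess(family: str, version: str, launch_text: str = ""):
    """Map a detected Log4j build to the CVEs listed in the advisory.

    Returns a list of (cve_id, exposed) pairs. Version ranges are taken from
    the advisory text, not from the full NVD records.
    """
    v = parse_version(version)
    findings = []
    if family == "log4j-2.x":
        if (2, 0, 0) <= v <= (2, 12, 1) or (2, 13, 0) <= v <= (2, 15, 0):
            findings.append(("CVE-2021-44228", True))   # lookup-based code injection
        if (2, 16, 0) <= v < (2, 17, 0):
            findings.append(("CVE-2021-45105", True))   # infinite recursion DoS
    elif family == "log4j-1.x":
        if (1, 2, 0) <= v <= (1, 2, 17):
            # The vulnerable class ships in the jar; exposure depends on running it.
            findings.append(("CVE-2019-17571", uses_socket_server(launch_text)))
    return findings


def build_sample_jar(pom_path: str, version: str) -> bytes:
    """Constructed stand-in for a real jar: a zip holding only pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(pom_path, f"version={version}\ngroupId=sample\nartifactId=sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs modelled on the advisory: a 1.2.17 jar and a launch
    # line that starts a hypothetical agent class, not SocketServer.
    jar = build_sample_jar("META-INF/maven/log4j/log4j/pom.properties", "1.2.17")
    script = "java -cp agent.jar:log4j-1.2.17.jar com.example.Agent\n"
    fam, ver = detect_log4j(jar)
    for cve, exposed in assess(fam, ver, script):
        state = "EXPOSED" if exposed else "present in jar but not reachable"
        print(f"{fam} {ver}: {cve} {state}")
```

Run it against each real jar on the agent host's classpath and against the service's startup scripts; a 1.2.17 jar with no SocketServer reference yields exactly the situation this advisory describes, while any 2.x version inside the listed ranges is reported as exposed.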
For these reasons, customers are not vulnerable to the aforementioned issues in their use of Viakoo agents, whether prior to this release or hereafter.
Viakoo customers are unaffected by the issues reported against Log4J. We will continue to monitor the situation and respond accordingly.
If you have questions related to either of these issues, please contact us at email@example.com