Viakoo Agent Release 2021-3.1 Update
Viakoo Agent Release 2021-3.1 (version 5890 or higher) includes a patched version of Log4j 2 (2.12.4) that eliminates known vulnerabilities.
Previous versions of the Viakoo Agents used Log4j 1.2.17, which did not contain the problem outlined in CVE-2021-44228. That version had another vulnerability, CVE-2019-17571, in a module that was not used. For these reasons, Viakoo customers were not vulnerable.
That said, to eliminate any question, we are releasing the 2021-3.1 Viakoo Agents, which contain a patched version of Log4j (version 2.12.4) that eliminates these known vulnerabilities.
Contact your Viakoo support representative to have your sites upgraded or use the installers in the LatestViakooAgents page.
CVE-2021-44228 affects versions 2.0-2.12.1 and 2.13-2.15 and allows a hacker to inject executable code through log-stream processing by leveraging the lookup feature. This vulnerability was fixed in versions 2.3.2 (Java 6), 2.12.4 (Java 7) and 2.16 (Java 8+). (Vulnerability score of 9.3.)
CVE-2019-17571 affects versions 1.2 through 1.2.17 and allows for deserialization when using the SocketServer class. This vulnerability was fixed in Log4j 2. (Vulnerability score of 7.5.)
Viakoo’s Agents 2021-3 and earlier explicitly avoided using this SocketServer class in Log4j and did not use the Log4j 2 versions with the vulnerable lookup feature. For these reasons, customers running these older versions are not vulnerable to the aforementioned issues in their use of Viakoo agents, but may choose to upgrade to the 2021-3.1 versions for compliance with internal policies.
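For sites auditing which Log4j jars are present on a host, the version ranges above can be applied to a jar inventory. The following is an added example, not Viakoo's code: it assumes jars keep the standard `log4j-<version>.jar` / `log4j-core-<version>.jar` file names, and the sample paths are constructed.

```python
import re

# Version ranges and fixed releases exactly as this advisory states them.
AFFECTED_44228 = [((2, 0, 0), (2, 12, 1)), ((2, 13, 0), (2, 15, 0))]
FIXED_44228 = {(2, 3, 2), (2, 12, 4)}   # Java 6 / Java 7 lines; 2.16+ is outside the ranges
AFFECTED_17571 = ((1, 2, 0), (1, 2, 17))

# Matches log4j-1.2.17.jar and log4j-core-2.14.1.jar (core holds the lookup code);
# deliberately rejects log4j-api-* and the log4j-1.2-api-* bridge jar.
JAR_RE = re.compile(
    r"(?:^|[/\\])log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:alpha|beta|rc)\d*)?\.jar$"
)


def parse_version(path):
    """Return (major, minor, patch) from a Log4j jar file name, or None."""
    m = JAR_RE.search(path)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def classify(path):
    """Return the CVE ids from this advisory whose version range covers the jar."""
    version = parse_version(path)
    if version is None:
        return None                      # not a Log4j jar name we recognise
    cves = []
    in_range = any(lo <= version <= hi for lo, hi in AFFECTED_44228)
    if in_range and version not in FIXED_44228:
        cves.append("CVE-2021-44228")
    lo, hi = AFFECTED_17571
    if lo <= version <= hi:
        # Exposure also requires the application to use the SocketServer class.
        cves.append("CVE-2019-17571")
    return cves


# Constructed sample inventory (paths are made up for the example).
SAMPLE_JARS = [
    "/opt/agent/lib/log4j-1.2.17.jar",
    "/opt/agent/lib/log4j-core-2.12.4.jar",
    "/opt/other/lib/log4j-core-2.14.1.jar",
    "/opt/other/lib/slf4j-api-1.7.30.jar",
]

if __name__ == "__main__":
    for jar in SAMPLE_JARS:
        print(jar, "->", classify(jar))
```

File-name matching will not see Log4j classes repackaged inside shaded or fat jars, so an empty result is not proof that a host is clean.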
If you have any questions, comments, bug reports, or suggestions, please reach out to us through the live-chat feature or contact us at firstname.lastname@example.org.
We love hearing from you!