Latest news (16:46)
- XperienCentral's core is not vulnerable. See the 15:38 update.
- Should you still need a patch or upgrade to be sure, contact Customer Services. See the 16:44 update
16 mei 2023, 14:22 uur
Notification received. First notifier informed of investigation started from Product, System Administration, Consultancy, Data Protection Officer and Customer Services. GX Software is investigating the impact of the notification and whether it impacts XperienCentral.
System Administration and Solutions Architects informed for triage. Management informed.
Start of this article in English and Dutch. Through this page we will keep you updated on our research, results, recommendations and actions.
Scaling up to Product Group and Business Architects.
It is as yet unknown whether this vulnerability will impact XperienCentral. As soon as more is known about this, substantive information will be posted here.
We note that the vulnerability was introduced by the search engine (named SOLR). SOLR 8.11.1 is included and SOLR itself states that the vulnerability is not exploitable (https://solr.apache.org/security.html). The priority of the issue has thus dropped slightly.
When Log4J became public, it was already figured out that the vulnerable 2.16.0. could do no harm. Its misuse is not possible in XperienCentral, as Log4J is implemented within SOLR in an alternative way (which prevents misuse).
16:44 - conclusion
XperienCentral is not vulnerable to CVE-2021-44832. During the implementation of Log4J in XperienCental, choices were made that resulted in the vulnerability not affecting XperienCental. On the other hand, we can imagine that there are organisations that would like to have their Production installation patched just to be on the safe side. This is possible.
Installing the patch does not involve any risks. If you are interested in this, please contact GX Customer Services or any GX person you speak to soon. Our people will be happy to help you with it.
In our recent release (at the time of writing this is (R40), care has been taken to use a modified version of SOLR so that this issue cannot manifest itself in any way. Again; if you want to update, please contact Customer Services or any GX person you speak to soon.
We hereby also close this live blog. Nevertheless, if you still need information from GX, please contact Customer Services.