Latest news (16:46)
- XperienCentral's core is not vulnerable. See the 15:38 update.
- Should you still need a patch or upgrade to be sure, contact Customer Services. See the 16:44 update.
Background
Technical details
-Timeline-
16 May 2023, 14:22
Notification received. First notifier informed of investigation started from Product, System Administration, Consultancy, Data Protection Officer and Customer Services. GX Software is investigating the impact of the notification and whether it impacts XperienCentral.
14:32
System Administration and Solutions Architects informed for triage. Management informed.
14:35
Start of this article in English and Dutch. Through this page we will keep you updated on our research, results, recommendations and actions.
15:12
Scaling up to Product Group and Business Architects.
15:20
It is as yet unknown whether this vulnerability will impact XperienCentral. As soon as more is known about this, substantive information will be posted here.
15:35
We note that the vulnerability was introduced by the search engine (named SOLR). SOLR 8.11.1 is included and SOLR itself states that the vulnerability is not exploitable (https://solr.apache.org/security.html). The priority of the issue has thus dropped slightly.
15:38
When Log4J became public, it had already been established that the vulnerable 2.16.0 could do no harm. Its misuse is not possible in XperienCentral, as Log4J is implemented within SOLR in an alternative way (which prevents misuse).
16:44 - conclusion
XperienCentral is not vulnerable to CVE-2021-44832. During the implementation of Log4J in XperienCentral, choices were made that resulted in the vulnerability not affecting XperienCentral. On the other hand, we can imagine that there are organisations that would like to have their Production installation patched just to be on the safe side. This is possible.
Patch
Installing the patch does not involve any risks. If you are interested in this, please contact GX Customer Services or any GX person you speak to soon. Our people will be happy to help you with it.
Upgrade
In our recent release (at the time of writing this is R40), care has been taken to use a modified version of SOLR so that this issue cannot manifest itself in any way. Again, if you want to update, please contact Customer Services or any GX person you speak to soon.
We hereby also close this live blog. Nevertheless, if you still need information from GX, please contact Customer Services.