Software security is a top priority at GX. The recent notification about the vulnerability found in Log4j reached our product group quickly. We are currently checking whether there is an impact for XperienCentral and, if so, how we can provide support as soon as possible.
Updates will follow on this page and questions can be asked through the usual Customer Services channel.
A vulnerability has been identified in the "Apache Log4j" tool. This is software used to keep track of application log files. Such a logging tool produces messages such as: "user X tries to load image Y at 11:34 but the image cannot be found". The purpose is to be able to trace where an error occurred. (The tool Log4j on Wikipedia)
The vulnerability can be exploited when a malicious person sends a certain string to a website, for example by entering it in a text field such as (but not exclusively) a chat window. This string is then logged by Log4j and also executed. In this way, a malicious person can gain access to the website. Of course, this is not the intention. (The Log4Shell vulnerability on Wikipedia)
Mentioned times are CET; there can be a slight delay between the Dutch and English published updates due to the translation time needed.
An initial inventory has led to a preliminary conclusion: XperienCentral itself does not appear to be vulnerable. Our product team, architects and Customer Services are investigating the vulnerability more thoroughly and we expect to come up with a formal statement later today. We are now focusing on specifically developed customizations. As of yet, there are no indications that XperienCentral itself is vulnerable. Technical details will follow.
Customer Services informs all customers about the latest updates with a link to this page. To prevent excessive e-mail traffic, subsequent updates will be communicated by means of this portal.
XperienCentral has been thoroughly investigated and we can safely say that XperienCentral (add-ons included) does not use any of the vulnerable versions of Log4j, nor are these pulled in indirectly via so-called 'dependencies'.
The search engine that XperienCentral uses (Solr) runs on an older version of Log4j (1.2.17), but this version is not considered to be vulnerable. We are aware that this version was mentioned in the Red Hat Customer Portal (https://access.redhat.com/security/cve/CVE-2021-4104). However, this version can only cause issues in a specific configuration, and we found that this does not pose a threat in the current context.
In the meantime it has become clear that the vulnerability (as far as currently known) is not applicable to the more recent Java versions:
- For Java 8, versions newer than update 191 (16-10-2018) are safe;
- For Java 11, versions newer than 11.0.1 (16-10-2018) are safe.
The product XperienCentral, including the standard add-ons, is considered safe with regard to the Log4j vulnerability. This has been investigated based on the currently known 'attack vectors' (and other official information that was available at the time of writing). Needless to say, we will continue to follow the reports in the upcoming days and weeks.
Now that we know for certain that XperienCentral itself does not use a vulnerable version of Log4j, we shift our attention to the developed code. We are currently looking into all of the custom features (built by GX Software) for every organization. This is a thorough process, but it is going smoothly. So far, no attackable components have been found.
If an older Java version is in use, we advise upgrading pre-emptively. The Java 8 and Java 11 updates of 16 October 2018 are secured against a Log4j attack: for Java 8, update 191 or higher is necessary; for Java 11, version 11.0.1 or higher is necessary.
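As an added check for the dependency statement and the Java thresholds above (example code written for this page, not GX's or the XperienCentral project's own tooling): it inspects a jar for the Log4j artifact it carries, separating Log4j 2 core below 2.15.0 that still ships JndiLookup from Log4j 1.x such as Solr's 1.2.17 (where CVE-2021-4104 only matters if JMSAppender is configured), and applies the 8u191 / 11.0.1 thresholds to a Java version string. It assumes the standard Maven pom.properties paths and class names inside the jars; 2.15.0 is used as the first release that fixes CVE-2021-44228, and make_jar builds constructed sample jars, not real artifacts.

```python
import io
import re
import zipfile

LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"

def _vtuple(version):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-beta9' are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])

def _pom_version(zf, path):
    # Read the 'version=' line of a Maven pom.properties inside the jar.
    for line in zf.read(path).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "0"

def classify_jar(data):
    """Classify one jar (raw bytes) by the Log4j artifact it carries, if any."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if LOG4J2_POM in names:  # Log4j 2.x core: Log4Shell proper
            v = _pom_version(zf, LOG4J2_POM)
            if _vtuple(v) < (2, 15, 0) and JNDI_LOOKUP in names:
                return {"log4j": v, "status": "vulnerable (CVE-2021-44228)"}
            return {"log4j": v, "status": "2.x >= 2.15.0 or JndiLookup removed"}
        if LOG4J1_POM in names:  # Log4j 1.x, as shipped with Solr (1.2.17)
            v = _pom_version(zf, LOG4J1_POM)
            if JMS_APPENDER in names:
                return {"log4j": v, "status": "1.x: CVE-2021-4104 only if JMSAppender is configured"}
            return {"log4j": v, "status": "1.x without JMSAppender"}
    return {"log4j": None, "status": "no log4j"}

def java_is_patched(version):
    """Apply the page's thresholds to a 'java -version' string: 8u191+ or 11.0.1+."""
    m = re.match(r"1\.8\.0_(\d+)", version)
    if m:
        return int(m.group(1)) >= 191
    return _vtuple(version) >= (11, 0, 1)

def make_jar(pom_path, version, classes):
    """Build a constructed in-memory jar for the checks above (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(pom_path, f"version={version}\n")
        for cls in classes:
            zf.writestr(cls, b"")
    return buf.getvalue()
```

To run it against a real deployment, feed classify_jar the bytes of every .jar under the installation (including those nested in add-ons) and java_is_patched the version reported by the JVM that serves XperienCentral.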
Update 14 December 09:43
The vast majority of customizations (developed by GX) have been investigated. The vulnerability has not been found to date. We expect to be able to give a definitive answer on the remaining part before noon.
Customer-specific add-ons have been checked; the vulnerability has not been found. Organizations that work with an implementation partner are advised to have their customer-specific add-ons checked as well. If extra support is needed, do not hesitate to reach out to Customer Services for best practices.
The analysis of the standard product code, as well as of the customer-specific add-ons developed by GX, has been finished. We found no reason to believe that either standard or custom code is vulnerable to the Log4Shell (Log4j) security flaw.
However, if there is any support needed, or if you still have questions: Customer Services is there to help.