SecureLogix Response to Apache Log4j Vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105

Article #APP6701

Background

On December 09, 2021, SecureLogix became aware of a recently disclosed security issue in Apache Log4j, a logging tool widely used in consumer and enterprise apps, cloud services, and websites. Other security issues have since been disclosed. These issues are identified as CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.

SecureLogix has determined that some versions of the PolicyGuru® Solution are using a version of log4j that could be affected by these vulnerabilities. The ETM® System is not affected.

It is important to note that SecureLogix products do not use log4j features associated with the specific vulnerability; therefore, we believe the risk to our customers is extremely small. However, SecureLogix will address these vulnerabilities in accordance with CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.

Steps SecureLogix is Taking

  • SecureLogix released a patch for PolicyGuru v2.6 on Friday, December 17, 2021, that addressed the first two CVEs, and released an updated patch that also addresses CVE-2021-45105 (which was disclosed after that date) on Tuesday, December 21, 2021.
  • SecureLogix released a patch for v2.5 on Monday, December 20, 2021, that addresses all 3 CVEs.
  • SecureLogix is currently testing a patch for v3.0.2 to address all 3 CVEs and will make that patch available within the next 10 days.

Supported PolicyGuru® Solution Versions

Supported versions are PolicyGuru v2.5.x, v2.6.x, and v3.0.2.

See Also

Article #APP5842 provides supplemental information regarding a vulnerability disclosed for log4jv1 (CVE-2021-4104), and explains why that vulnerability does not affect SecureLogix products.

Last Update: 01/12/2022

Published on December 12, 2021  |  Updated on January 12, 2022
