Article #APP6701
Background
On December 09, 2021, SecureLogix became aware of a recently disclosed security issue in Apache Log4j, a logging tool widely used in consumer and enterprise apps, cloud services, and websites. Other security issues have since been disclosed. These issues are identified as CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832.
SecureLogix has determined that some versions of the PolicyGuru® Solution are using a version of log4j that could be affected by these vulnerabilities. The ETM® System is not affected.
It is important to note that SecureLogix products do not use log4j features associated with the specific vulnerabilities; therefore, we believe the risk to our customers is extremely small. However, SecureLogix will address these vulnerabilities in accordance with CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832.
Steps SecureLogix is Taking
- SecureLogix released a patch for PolicyGuru v2.6 on Friday, December 17, 2021 that addressed the first two CVEs, and released an updated patch that also addressed CVE-2021-45105 (which was disclosed after that date) on Tuesday, December 21, 2021. SecureLogix released an updated patch that also addresses CVE-2021-44832 on January 21, 2022.
- SecureLogix released a patch for v2.5 on Monday, December 20, 2021 that addressed CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105. SecureLogix released an updated patch that also addresses CVE-2021-44832 on January 21, 2022.
- SecureLogix released a patch for v3.0.2 on January 20, 2022 that addresses CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832.
Supported PolicyGuru® Solution Versions
Supported versions are PolicyGuru v2.5.x, v2.6.x, and v3.0.2.
See Also
Article #APP5842 provides supplemental information regarding a vulnerability disclosed for log4jv1 (CVE-2021-4104), and explains why that vulnerability does not affect SecureLogix products.
Last Update: 01/21/2022