log4j usage in modules?
marting
Posts: 20
In light of this recent vulnerability, which seems to be pretty critical, does anyone know if any of the AMX-provided modules use this library?
4 Comments
Martin,
We are reviewing our repositories to understand what, if any, exposure we have and if remedial actions are needed.
Martin - here is the official AMX response:
A zero-day vulnerability was identified in the Apache Log4j logging software on Friday December 10th 2021 (CVE-2021-44228). A related log4j vulnerability was identified on Tuesday December 14th 2021 (CVE-2021-45046). These vulnerabilities could allow bad actors to take control of organizational networks. AMX has assessed all AMX products and services for usage of the Log4j logging software and has concluded that there is no risk of exposure to the Apache Log4j vulnerabilities described by CVE-2021-44228 or CVE-2021-45046.
Dear Chris,
While the NX controller starts, a message jumps out at me...
Line 9 2021-12-20 (23:58:07):: log4j:WARN No appenders could be found for logger (org.apache.security.juice.provider.JDKDigestSignatureOpenSSL).
Line 10 2021-12-20 (23:58:07):: Memory Available = 472907776 <364544>
Line 11 2021-12-20 (23:58:07):: log4j:WARN Please initialize the log4j system properly.
....
What happens with this?
Thomas,
I am unsure of your firmware version, or what is contained in your program. The RMS SDK does leverage log4j, but is a very old version (v1.2.17) and outside of the vulnerability range of 2.0-2.15 that is identified in CVE-2021-44228 or CVE-2021-45046.
Hi Thomas - what master firmware and Duet modules are running on that system?
It's in master firmware 1.6.179 as a minimum. One of our clients emailed me the same thing as posted by @thomas.jud and was asking for more info on the matter. No Duet modules were running.
I will report the finding back to engineering and seek to have them identify the version in use. If RMS SDK is an indication, it is likely very old and not affected - but we should not assume. We will look to get you an answer.
It's in the Master 1.6.179.
No Duet and no RMS integration.
The 1.6x branch of controller firmware leverages an open source SSL provider that included log4j v1.2.9 which is not impacted by the recent vulnerability found in log4j versions 2.0-2.15. The 1.8x branch of firmware does not leverage the same java security provider, and to my knowledge, does not leverage any version of log4j.
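The triage in this thread comes down to one question: which log4j artifact and version is actually inside a given module, and does it fall in the 2.0-2.15 range named above. As an added example (not code from the thread, AMX or the RMS SDK), here is a small Python inventory check that pulls the log4j version out of a JAR's Maven metadata, falls back to the manifest for a 1.x class layout, and buckets the result; the JAR contents are constructed in-memory sample data standing in for a log4j 1.2.17 build like the RMS SDK version mentioned above.

```python
import io
import re
import zipfile

# Range the thread names for CVE-2021-44228 / CVE-2021-45046: log4j 2.0 through 2.15.
AFFECTED_MAJOR, AFFECTED_MINOR_MAX = 2, 15

def classify(version):
    """Bucket a log4j version string for triage against the range above."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    if major == AFFECTED_MAJOR and minor <= AFFECTED_MINOR_MAX:
        return "in-range: patch/upgrade"
    if major == 1:
        return "log4j 1.x: outside the 2.0-2.15 range (end-of-life, track separately)"
    return "outside-range"

def log4j_versions_in_jar(jar_bytes):
    """Return (artifact, version) pairs for log4j artifacts embedded in a JAR."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        # log4j 1.x and 2.x JARs both ship Maven metadata under META-INF/maven/<groupId>/<artifactId>/
        for name in names:
            m = re.match(r"META-INF/maven/(org\.apache\.logging\.log4j|log4j)/([^/]+)/pom\.properties$", name)
            if m:
                v = re.search(r"^version=(.+)$", zf.read(name).decode("utf-8", "replace"), re.M)
                if v:
                    found.append((m.group(2), v.group(1).strip()))
        # Repackaged 1.x builds may lack pom.properties: fall back to the manifest version.
        if not found and any(n.startswith("org/apache/log4j/") for n in names):
            mf = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
            v = re.search(r"^Implementation-Version:\s*(.+)$", mf, re.M)
            found.append(("log4j", v.group(1).strip() if v else "unknown"))
    return found

def constructed_jar(entries):
    """Build an in-memory JAR from {path: text}. Constructed sample data, not a real module."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in entries.items():
            zf.writestr(path, text)
    return buf.getvalue()

if __name__ == "__main__":
    sample = constructed_jar({"org/apache/log4j/Logger.class": "",
                              "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n"})
    for artifact, version in log4j_versions_in_jar(sample):
        print(artifact, version, "->", classify(version))
```

Point `log4j_versions_in_jar` at the bytes of each JAR shipped with a module or firmware image to get the same answer engineering gave here without assuming.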