Updates on the Apache Log4j 2.x vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)

On December 9, 2021, a major-risk vulnerability in Apache Log4j, known as Log4Shell, was disclosed and assigned the vulnerability number CVE-2021-44228. The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1; by exploiting it, a remote attacker could take control of the affected system. Security experts call it the most serious vulnerability in the past 10 years.

A few days after the fix for Log4Shell was published, another feature of Log4j was found to be exploitable, and the resulting vulnerabilities were assigned the formal IDs CVE-2021-45046 and CVE-2021-45105.

Vulnerability     Vulnerability Type
CVE-2021-44228    RCE (Remote Code Execution)
CVE-2021-45046    DoS (Denial of Service)
CVE-2021-45105    DoS (Denial of Service)

WISE-PaaS products impacted by the vulnerabilities

Products Impacted

  • WISE-IoTSuite/AppHub: Fixed on 2021/12/31

    • Version 1.0.3 of the local/virtual machine version was updated and published on 2021/12/31; the latest version has deprecated the use of Log4j.
      • Local/virtual machine versions below 1.0.2 are impacted by the vulnerability.
    • Version 1.0.2 of the EnSaaS version was updated and published on 2021/12/31; the latest version has deprecated the use of Log4j.
      • Public cloud versions below 1.0.1 are impacted by the vulnerability.
  • WISE-InsightAPM: Fixed on 2021/12/23

    • Version 3.9.3 was updated and published on 2021/12/23; the latest version has deprecated the use of Log4j.
      • apm-push and apm-report used Log4j before version 3.9.3 and are impacted by the vulnerability.

Products not Impacted

User update guidance

  • WISE-InsightAPM

    • How to check the version: Log in to the WISE-InsightAPM Portal and check the version shown below the menu.
    • The latest version of WISE-InsightAPM, 3.9.3, has been published on the HZ and SA sites.
      • Public cloud users can update online directly to the latest version.
    • Private cloud users: please fill in the Service Request Form or contact our sales team for further information.
  • WISE-IoTSuite/AppHub

    • How to check the version: In AppHub Manager, click “about” at the top right to see the version.
      • AppHub WISE-PaaS public/private cloud version: Update through the EnSaaS Catalog.
      • AppHub local/virtual machine version: Update using the latest AppHub Docker image.
    • Please contact Jianfeng.dai@advantech.com.cn or contact our sales team for further information.