ComplianceNow and the Log4j vulnerability

The log4j vulnerability

Potential risks in their own system landscape. ComplianceNow has performed a thorough analysis of our products and found that log4j has been used in certain versions of our software. We have reached out to all affected customers directly, but for additional information on how the log4j component has been used and which actions are needed to secure the ComplianceNow suite, we have compiled the following.

Summary

On December 9, 2021, a new critical 0-day vulnerability impacting multiple versions of the popular Apache Log4j 2 logging library was publicly disclosed that, if exploited, could result in Remote Code Execution (RCE) by logging a certain string on affected installations.

This specific vulnerability has been assigned CVE-2021-44228 and is commonly referred to as “Log4Shell” in various blogs and reports. The library versions said to be affected are 2.0-beta9 to 2.14.1.

Impact

The log4j library is actively used in the ComplianceNow suite for minor operations. The affected versions of the ComplianceNow suite are the 5.2.6 releases from 10945 up to and including 11688.

The log4j library is not directly reachable through any web request; it is only used internally in the code when generating Excel files, which is done in a separate sandboxed process. We have not been able to replicate such an attack on our servers and do not consider ComplianceNow installations exposed. We do, however, encourage updating the libraries to a version that does not contain the vulnerability, so that everyone can rest easy knowing the flawed code is not present on the server at all.

How would I know if I am affected?

If you are using Authorization Process Manager (APM), Usage Monitor (UM), Access Control (AC) or Internal Control (IC), you can open the application to verify its version. The “About” tab, which is the first view of the application, contains the version and release numbers.

The version is the first number and the release is the number in parentheses.

Protection

ComplianceNow has identified a solution that ensures the vulnerable library no longer exists on the ComplianceNow server located on your premises. The resolution is performed by following the steps below:

  1. Identify the current log4j libraries in your application folder
    \ComplianceNow\CNSuite\Java\lib\apache\
  2. Delete the two files from the folder
    log4j-api-2.14.0.jar
    log4j-core-2.14.0.jar
  3. Download the log4j version 2.17.1 files and unpack them to the same folder
    https://acsol-packages.s3.eu-west-1.amazonaws.com/3rdParty/ComplianceNow-log4j-2.17.1.zip
  4. Restart the Apache service on your server
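The following script is an added example for checking the outcome of step 1 and, after step 3, confirming that only the 2.17.1 jars remain; it is not ComplianceNow's own code. It scans a lib folder for log4j-api and log4j-core jars, reads each jar's version from the Implementation-Version entry in META-INF/MANIFEST.MF (assumed to be present in the Log4j jars; the filename is used as a fallback) and reports whether the version falls in the affected range quoted above, is older than the 2.17.1 fix level, or is fine. The demo folder it builds when run without arguments contains constructed stand-in jars, not real Log4j binaries.

```python
"""Added example: report Log4j 2 jar versions found in a lib folder against the
affected range (2.0-beta9 .. 2.14.1) and the 2.17.1 fix level named in the
advisory.  Not ComplianceNow code; the manifest entry name is an assumption."""
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Version boundaries quoted from the advisory text
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.14.1"
TARGET = "2.17.1"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?$")
_JAR_RE = re.compile(r"^log4j-(api|core)-(.+)\.jar$", re.IGNORECASE)


def parse_version(text):
    """Map '2.14.0' or '2.0-beta9' to a sortable tuple.  The fourth field is
    1 for a final release and 0 for a beta, so 2.0-beta9 < 2.0 < 2.0.1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version string: {text!r}")
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if beta else 1, int(beta or 0))


def jar_version(path):
    """Version of one log4j jar: manifest Implementation-Version if readable,
    otherwise the version embedded in the filename, otherwise None."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                return line.split(":", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError):
        pass  # not a zip, or no manifest: fall back to the filename
    m = _JAR_RE.match(Path(path).name)
    return m.group(2) if m else None


def classify(version):
    """AFFECTED inside the CVE-2021-44228 range, BELOW_TARGET if older than
    the 2.17.1 fix level the advisory asks for, OK otherwise."""
    v = parse_version(version)
    if parse_version(AFFECTED_LOW) <= v <= parse_version(AFFECTED_HIGH):
        return "AFFECTED"
    if v < parse_version(TARGET):
        return "BELOW_TARGET"
    return "OK"


def scan_lib_folder(folder):
    """Return {filename: status} for every log4j-api/log4j-core jar in folder."""
    report = {}
    for path in sorted(Path(folder).glob("*.jar")):
        if not _JAR_RE.match(path.name):
            continue
        version = jar_version(path)
        report[path.name] = classify(version) if version else "UNKNOWN_VERSION"
    return report


def write_sample_jar(folder, name, impl_version=None):
    """Constructed stand-in for a real jar: a zip holding only a manifest."""
    manifest = "Manifest-Version: 1.0\n"
    if impl_version:
        manifest += f"Implementation-Version: {impl_version}\n"
    with zipfile.ZipFile(Path(folder) / name, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)


def demo_scan():
    """Build a constructed lib folder in a temp dir and scan it."""
    folder = tempfile.mkdtemp(prefix="cn-log4j-")
    write_sample_jar(folder, "log4j-api-2.14.0.jar", "2.14.0")
    write_sample_jar(folder, "log4j-core-2.14.0.jar", "2.14.0")
    write_sample_jar(folder, "log4j-core-2.17.1.jar")  # no version entry: filename is used
    write_sample_jar(folder, "poi-5.0.0.jar", "5.0.0")  # unrelated jar, ignored
    return scan_lib_folder(folder)


if __name__ == "__main__":
    # Pass the lib folder from step 1 (e.g. \ComplianceNow\CNSuite\Java\lib\apache);
    # without an argument the constructed demo folder is scanned instead.
    report = scan_lib_folder(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for name, status in report.items():
        print(f"{status:15} {name}")
```

Run it against the lib folder before step 2 to see the 2.14.0 jars reported as AFFECTED, and again after step 3: the folder should then list only the 2.17.1 jars as OK, with no AFFECTED or BELOW_TARGET entries left before the service is restarted.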

Additional information

https://logging.apache.org/log4j/2.x/security.html

If you have any further questions, don’t hesitate to contact our support team.

Sincerely,
ComplianceNow
