Log4j Patch

Our cybersecurity team has requested that we stop using and uninstall eCatcher until such a time that a patch is available to address the Log4j vulnerability. Does the latest version of eCatcher address this vulnerability?

Hi wildcat,

Yes, the latest version of eCatcher addresses the vulnerability. You can download it from our website and read the release notes here.

Best regards,
Hugh

Hi Hugh,

According to our scan software, the 2.17.0.jar is still vulnerable:
"C:\Program Files (x86)\eCatcher-Talk2M\log4j-core-2.17.0.jar","","Log4j 2","2.17.0","CVE-2021-44832","VULNERABLE","","2022-01-18 09:49:36"

Are you guys aware of this? And will this be fixed?

Regards,
Harold

Hello,

We will need to check with the development team regarding this. 2.17.0 is one of the recommended versions I am seeing on the Apache web page: Log4j – Apache Log4j Security Vulnerabilities

What scan software are you using?

Here are the update notes for eCatcher regarding the log4j vulnerability.

v6.7.8 - 2021/12/22
---------------------------
UPDATE: log4j to version 2.17. Although CVE-2021-45105 is not exploitable with eCatcher 6.7.7, it is a best practice to upgrade log4j version

v6.7.7 - 2021/12/16
---------------------------
FIXED: log4j vulnerability CVE-2021-45046

v6.7.6 - 2021/12/14
---------------------------
FIXED: log4j vulnerability CVE-2021-44228

GitHub - logpresso/CVE-2021-44228-Scanner: Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228

Checking with the development team, we are not concerned by this vulnerability, but we will update our libraries in our continuous build and release processes.

Why is this topic placed private?

Harold

Hello @automatisering-heerd,

I had set the topic private while I was looking into the issue. It is generally best to avoid making security flaws that could be exploited public.

For more info you can reach out through support.hms-networks.com.

Hello @automatisering-heerd,

An updated statement for CVE-2021-44832 has been added to our security advisory.
hms-security-advisory-2021-12-13-001—ewon-information-log4shell.pdf (hms-networks.com)

Additional and future security releases can be found here: Cybersecurity 2021 | HMS Networks (hms-networks.com)