[appsuite-announce] Open-Xchange Statement on log4j vulnerability CVE-2021-44228
Open-Xchange App Suite Maintenance Announcements
appsuite-announce at open-xchange.com
Thu Dec 16 10:02:20 CET 2021
Dear Customers of Open-Xchange,
On Friday, December 10th, Open-Xchange and many others became aware of a critical zero-day vulnerability in the Log4j library, known as "Log4Shell" (CVE-2021-44228). Log4j is widely used in numerous systems around the internet. We have analyzed the impact on OX App Suite and OX Cloud in detail and conclude that they are not susceptible to this vulnerability. Since version 7.4.2 we use SLF4J as the logging frontend and Logback as the logging backend. Neither shares code with log4j-core, and based on current knowledge neither is vulnerable to CVE-2021-44228 aka "Log4Shell". For technical details, see: http://mailman.qos.ch/pipermail/announce/2021/000163.html
Your operational environment may, however, run other services that are vulnerable and could affect overall system security. We strongly suggest analyzing those services and implementing the mitigations that have been publicly communicated by the Log4j team and the affected vendors.
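As an added illustration of the analysis recommended above (example code written for this page, not Open-Xchange's or the Logback project's tooling), the following Python scanner walks a deployment directory, opens every jar, war and ear, recurses into nested archives, and reports which logging backend each one carries: log4j-core, with its version and whether JndiLookup.class is still present, or logback-classic. The sample archives, file names and directory layout it builds in a temporary directory are constructed for the demo and do not describe any real product; the fixed-version cut-offs (2.15.0, plus the 2.12.2 and 2.3.1 backports) are the ones the Log4j project published for CVE-2021-44228.

```python
"""Log4Shell exposure scan for Java deployments.  Added example, not
Open-Xchange code.  Sample archives are constructed inline so the scan runs
offline; nothing here reflects a real product layout."""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
# Class implementing the JNDI lookup abused by CVE-2021-44228; deleting it
# from log4j-core is the published mitigation where an upgrade is not possible.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOGBACK_POM = "META-INF/maven/ch.qos.logback/logback-classic/pom.properties"
LOGBACK_MARKER = "ch/qos/logback/classic/Logger.class"


def _pom_version(zf, pom_path):
    """Return the 'version=' entry of a Maven pom.properties inside zf, or None."""
    if pom_path not in zf.namelist():
        return None
    for line in zf.read(pom_path).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def log4j_version_fixed(version):
    """True if a log4j-core version carries the CVE-2021-44228 fix:
    2.15.0 and later, or the Java 7 / Java 6 backports 2.12.2+ and 2.3.1+.
    An unparseable or missing version is treated as NOT fixed."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version or "")
    if not m:
        return False
    major, minor, patch = (int(x) for x in m.groups())
    if major != 2:
        return major > 2
    if minor >= 15:
        return True
    if minor == 12:
        return patch >= 2
    if minor == 3:
        return patch >= 1
    return False


def inspect_archive(data, label, findings, depth=0):
    """Record the logging backends found in one archive; recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if JNDI_LOOKUP in names or LOG4J_CORE_POM in names:
        version = _pom_version(zf, LOG4J_CORE_POM)
        findings.append({"archive": label, "backend": "log4j-core",
                         "version": version,
                         "jndi_lookup_present": JNDI_LOOKUP in names,
                         # exposed only if the class is still there AND the
                         # version predates the fix
                         "exposed": JNDI_LOOKUP in names
                         and not log4j_version_fixed(version)})
    if LOGBACK_MARKER in names:
        findings.append({"archive": label, "backend": "logback-classic",
                         "version": _pom_version(zf, LOGBACK_POM),
                         "jndi_lookup_present": False,
                         "exposed": False})  # shares no code with log4j-core
    if depth < 4:  # fat jars and WARs nest archives; bound the recursion
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(name), label + "!" + name, findings, depth + 1)


def scan_tree(root):
    """Scan every archive under root; labels are paths relative to root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as f:
                    inspect_archive(f.read(), label, findings)
    return findings


def exposed_archives(findings):
    return sorted(f["archive"] for f in findings if f["exposed"])


def _jar(entries):
    """Build an in-memory zip (jar/war) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample deployment: names and versions are made up for the demo."""
    stub_class = b"\xca\xfe\xba\xbe"
    vuln_core = _jar({JNDI_LOOKUP: stub_class, LOG4J_CORE_POM: b"version=2.14.1\n"})
    fixed_core = _jar({JNDI_LOOKUP: stub_class, LOG4J_CORE_POM: b"version=2.17.0\n"})
    stripped_core = _jar({LOG4J_CORE_POM: b"version=2.14.1\n"})  # class removed
    logback = _jar({LOGBACK_MARKER: stub_class, LOGBACK_POM: b"version=1.2.9\n"})
    webapp = _jar({"WEB-INF/lib/log4j-core-2.14.1.jar": vuln_core})  # nested
    os.makedirs(os.path.join(root, "lib"))
    for rel, data in {"lib/log4j-core-2.17.0.jar": fixed_core,
                      "lib/log4j-core-2.14.1-patched.jar": stripped_core,
                      "lib/logback-classic-1.2.9.jar": logback,
                      "other-service.war": webapp}.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)


def run_demo():
    """Build the constructed tree in a temp dir and scan it: (findings, exposed)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
    return findings, exposed_archives(findings)


if __name__ == "__main__":
    for finding in run_demo()[0]:
        print(finding)
```

Only the log4j-core nested inside other-service.war is reported as exposed: the 2.17.0 copy is past the fix, the "patched" 2.14.1 copy has had JndiLookup.class removed, and logback-classic is a different code base. The scan checks the CVE-2021-44228 fix level only; later Log4j releases raised the bar further, so treat its output as the starting point for the vendor advisories referenced above, not as a final verdict.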
In the wake of the CVE-2021-44228 "Log4Shell" vulnerability, the Logback project has identified a vulnerability that looks similar at first sight, although the likelihood of successful exploitation is minimal. It is being tracked as https://jira.qos.ch/browse/LOGBACK-1591
OX App Suite and OX Cloud use Logback and are therefore theoretically affected by LOGBACK-1591. As a precaution, we have started providing updates for the affected and supported versions. It is, however, critical to understand that this vulnerability can only be abused if the default configuration has been altered AND an adversary already has privileged access to the system running OX App Suite. In that scenario the service would already be compromised before LOGBACK-1591 could be exploited.
Our default configuration is not affected, and based on current knowledge there is no need to implement mitigations other than ensuring that no unauthorized changes are made to the configuration. For more technical details, please see: http://mailman.qos.ch/pipermail/announce/2021/000164.html
Best regards,
Your Open-Xchange Team
-------------------------------------------------------------------------------------
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Andreas Gauger, Carsten Dirks, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Bernhard Wöbker
European Office:
Open-Xchange GmbH, Olper Huette 5f, D-57462 Olpe, Germany, District Court Siegen, HRB 8718
Managing Director: Manuel Engel
US Office:
Open-Xchange. Inc., 530 Lytton Avenue, Palo Alto, CA 94301, USA
-------------------------------------------------------------------------------------