LOG4J Vulnerability Impact on Axiros Products and Services
This document provides information about Axiros’ products exposure to the recent Log4j vulnerability https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
Axiros is currently investigating if this vulnerability could be relevant in systems using Axiros’ products. We will provide technical conclusions as soon as possible and update this document as new information emerges.
Version Information
1.0 2021-12-13 public document release
Overview by product or service
Details
AXESS ACS
AXESS ACS versions below 4.0 do not use Java based components. In particular they do not include log4j and are not affected.AXESS ACS in version 4.0 (AXESS4) contains ElasticSearch in version 7.15 which is affected by the vulnerability. It can be mitigated by restarting Elastic with the JVM option -Dlog4j2.formatMsgNoLookups=true
AXTRACT
Axtract uses Kafka which leverages log4j v1.2.x which is not affected.
Axtract uses Zookeeper which leverages log4j 1.2x which is not affected.
AXWIFI
AXWIFI leverages ELK 6.5.4 which includes log4j version 2.11.
The issue can be mitigated by starting the JVM with option -Dlog4j2.formatMsgNoLookups=true
DHCP and AX DOCSIS
AX DHCP and AX DOCSIS are affected if used in combination with ELK v7.5.2 which uses log4j v2.11.1. In this case, ELK must be updated to the latest available version.
AX69
Axiros hosted device management solution AX69 has been updated to solve log4j related issues.
Contact
For further questions on the impact of log4j vulnerability on Axiros’ products, please contact dataprotection@axiros.com.
If you have issues or questions on your specific installation, please contact support@axiros.com.