On December 9, 2021, a very serious vulnerability in the popular Java-based logging package Log4j was disclosed.
This vulnerability allows an attacker to execute code on a remote server, a so-called Remote Code Execution (RCE). Because of the widespread use of Java and Log4j, this is likely one of the most serious vulnerabilities on the Internet since Heartbleed and Shellshock.
It is tracked as CVE-2021-44228 and affects Log4j version 2 from 2.0-beta-9 through 2.14.1. It is patched in 2.15.0.
[UPDATE] An additional vulnerability was found in Log4j version 2.15. It is now patched in 2.16.
EveryonePrint Hybrid Cloud Platform (HCP)
EveryonePrint HCP uses Java-based software and Log4j version 2.
As soon as this vulnerability was disclosed and the patched version 2.15 was available, we implemented it in HCP. We are happy to report that it is already included in the live production release of EveryonePrint HCP version 3.18.2, which was released on Saturday, December 11, 2021.
We strongly recommend that customers with HCP secondary gateways, or running HCP in a private cloud, update their HCP installations as soon as possible.
Secondary HCP gateways can be upgraded remotely from the HCP admin web UI, on the Servers screen under the customer account. More information on updating secondary gateways can be found in documentation section 5.20.1, Remote Update of Secondary Gateways.
Customers with a private cloud installation can perform a simple over-the-top upgrade. More information can be found in section 4.6, Update a server, of the documentation.
[UPDATE] HCP 3.18 has been upgraded to log4j version 2.16. Although the vulnerability identified does not affect HCP, our team wants to ensure HCP is up-to-date with the latest security enhancements for the log4j library. We advise all our partners with HCP secondary gateways and HCP private clouds to upgrade to HCP 3.18.3.
EveryonePrint also uses Java-based software, but with Log4j version 1. This version is not vulnerable to CVE-2021-44228; however, an upgrade to Log4j 2.16 is being investigated.
[UPDATE from 21 December 2021] EveryonePrint also uses Java-based software, but Log4j version 1. This version is not vulnerable to the vulnerabilities identified in log4j versions 2.15-2.17 and does not require an upgrade.
Timeline and Release Update:
- 11 December 2021: CVE-2021-44228 / log4j version 2.15 / HCP 3.18.2
- 17 December 2021: CVE-2021-45046 / log4j version 2.16 / HCP 3.18.3
- 21 December 2021: CVE-2021-45105 / log4j version 2.17 / HCP 3.18.4
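As an added example (not EveryonePrint's code), the following script classifies log4j-core jar files found on a host using only the version boundaries and CVE mapping stated in this advisory; it is a filename-based inventory check for administrators, not an exploit test. The helper names and the classification strings are this example's own.

```python
import re
from pathlib import Path

# Version boundaries as stated in the advisory above (the artifact name is 2.0-beta9).
FIRST_AFFECTED = "2.0-beta9"
LAST_UNPATCHED = "2.14.1"

# Matches e.g. log4j-core-2.14.1.jar or log4j-core-2.0-beta9.jar
_JAR_RE = re.compile(r"log4j-core-(\d[\w.\-]*?)\.jar$")


def parse_version(v):
    """Turn '2.0-beta9' / '2.14.1' into a sortable tuple.
    Pre-release qualifiers (beta, rc) sort before the final release."""
    base, _, qual = v.partition("-")
    nums = tuple(int(p) for p in base.split("."))
    nums += (0,) * (3 - len(nums))            # pad 2.15 -> (2, 15, 0)
    if not qual:
        return nums + (1, "", 0)              # final release
    m = re.match(r"([a-zA-Z]+)-?(\d*)", qual)  # accepts beta9 and beta-9
    return nums + (0, m.group(1).lower(), int(m.group(2) or 0))


def classify(version):
    """Map a Log4j version string to the status the advisory gives it."""
    key = parse_version(version)
    if key[0] == 1:
        return "log4j 1.x: not affected by CVE-2021-44228 per advisory"
    if parse_version(FIRST_AFFECTED) <= key <= parse_version(LAST_UNPATCHED):
        return "vulnerable: CVE-2021-44228 (upgrade)"
    if key[:3] == (2, 15, 0):
        return "vulnerable: CVE-2021-45046 (upgrade)"
    if key[:3] == (2, 16, 0):
        return "vulnerable: CVE-2021-45105 (upgrade)"
    if key >= parse_version("2.17.0"):
        return "patched per advisory timeline"
    return "outside the ranges covered by the advisory"


def scan(root):
    """Find log4j-core jars under root and classify each by its filename version."""
    results = {}
    for path in Path(root).rglob("log4j-core-*.jar"):
        m = _JAR_RE.search(path.name)
        if m:
            results[str(path)] = classify(m.group(1))
    return results


if __name__ == "__main__":
    for jar, status in sorted(scan(".").items()):
        print(f"{status:60} {jar}")
```

Filename matching only finds unshaded jars; copies bundled inside other archives or renamed jars need a content check of the jar's manifest, so treat a clean result as a starting point rather than proof of absence.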