Notices2021-12-21

[Notice] Guidance on Apache Log4j Vulnerability

Guidance on Apache Log4j Vulnerability

We would like to inform you about our response policy regarding the Apache Log4j vulnerability. For customers using affected product lines and versions, we plan to urgently coordinate with them to apply an update patch to the latest version of log4j. Please refer to the contents of the announcement below, and if you have any questions, please contact us at the following contact points. ※ Contact for inquiries regarding Log4j vulnerability response ☏ (Main Phone) 1800-6713 ☞ Website Inquiry Form Implementation Date: December 21, 2021 To: Seculayer Inc. All Customers Subject: Notice Regarding Apache Log4j Vulnerability from the Manufacturer

  1. We wish your company continued success.

  2. We would like to inform you about the manufacturer's policy regarding the recently reported Apache Log4j vulnerability.

- Below -

A. Overview o We provide information on the impact of the Apache Log4j vulnerability on our products and our response measures. B. Log4j Vulnerability Information by Version o Log4j v2.x - Log4Shell vulnerability (CVE-2021-44228), denial of service vulnerabilities (CVE-2021-45046, CVE-2021-45105) exist o Log4j v1.2.x - Denial of service vulnerability (CVE-2021-44228) exists (no impact if JMSAppender is not used) ※ Please refer to our report on Log4j vulnerabilities: https://github.com/seculayer/Log4j-Vulnerability

C. Impact on Our Products o Vulnerability status by product and version

Product Line Target Version Log4j Version Vulnerability Status eyeCloudAI v2.x v1.2.x No issues v3.x v2.13.0 Vulnerability exists eyeCloudSIM All Versions v1.2.x No issues eyeCloudXOAR All Versions v1.2.x No issues BlueBird All Versions v1.2.x Issues exist

D. Response Measures o For customers using affected product lines and versions, we plan to urgently coordinate with them to apply an update patch to the latest version of log4j. o For log4j version 1.x, due to the cessation of additional upgrade support, there is a possibility of exposure to other security threats, so we plan to apply the latest version update (customer consultation needed considering maintenance schedule).

CEO Jeon Joo-ho, Seculayer Inc.

Back to List