CSFi Responds to Apache Log4j v2 Vulnerability

As of December 14, 2021 at 16:30 Eastern U.S. (213014DEC2021Z)

On December 9th, 2021, Apache disclosed a zero-day vulnerability (CVE-2021-44228) in Apache Log4j, referred to as “Log4Shell.” This vulnerability has been classified as “Critical” with a CVSS score of 10 and allows remote code execution with system-level privileges.

Read the full vulnerability notice here.

CSFi has investigated the matter and concluded that the majority of our customers are not using the vulnerable version of Log4j and are not impacted.

How do I know if my SWITCHWARE system is impacted?

  • CSFi customers running G4-Web with Solr 8.x using Log4j 2 are impacted and should contact CSFi to disable the logging features related to the vulnerability.
  • CSFi customers running G4-Web with Solr 5.x using Log4j 1.2 are not impacted.
  • CSFi customers running all other products (e.g. RTCM, CACM, etc.) are either not using Log4j or use older versions that are not impacted.

How do I know which version of Solr I’m using?

CSFi customers operating SWITCHWARE on Red Hat version 8.x (or higher) received the latest Solr 8.x version. If you are running your software on any other operating system, then you are not impacted.