Introduction
Some NEC products and solutions include a version of the logging component “log4j” which is now known to have severe security vulnerabilities. The vulnerabilities may be mitigated by various actions. This article lists the known vulnerability status at time of writing and is intended to be useful to NEC partners and customers. It is updated as new information becomes known to NEC
On December 10, 2021, NIST announced a critical security issue in log4j, a widely-used software component for logging. For more information, see the NIST detail entry:
CVE-2021-44228: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial-of-service attack
The vulnerability affects Apache Log4j versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. The
vulnerability is sometimes called “log4shell”. Log4j version 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default
Current Products that are Vulnerable
- UNIVERGE 3C Unified Communication Manager
- UNIVERGE BLUE Smart Access
- NOE – UC-SDN