On December 9, 2021, a vulnerability was detected in Log4j, an open-source Java logging library maintained by the Apache Software Foundation.
Ongoing analysis has shown that TransForm N 3.x is also partly affected by this vulnerability.
Impact for TransForm N:

Vulnerability disclosed December 9, 2021
Affected Log4j version: 2.0 - 2.14.1
Impacted: No
Information: No affected Log4j version is used.

CVE-2021-4104
Affected Log4j version: 1.2.x
Impacted: No
Information: No usage of JMSAppender. (This flaw is only reachable when a JMSAppender is configured, since it is the appender that performs the JNDI lookup.)

CVE-2019-17571
Affected Log4j version: 1.2.x
Impacted: Yes
Information: TFN is using affected versions of Log4j (1.2.12 - 1.2.17). This is a deserialization flaw in the Log4j 1.2 SocketServer, which accepts serialized LoggingEvent objects over the network; in TFN that receiver is used for central logging.
Mitigation: Block the following ports on the CMS Server firewall:
This will disable central logging of the Sidebar Client, the Display Agent, and the Control Panel. In these cases, the log files need to be collected manually if needed. More information on how to block these ports can be found in [KB12513]. If this mitigation is not feasible in your installation, we recommend isolating the affected systems/devices as much as possible in your network and limiting access to that network where possible.
Solution: We are currently investigating possible solutions and will update this article when more information is available.
Update December 23, 2021:
Update January 6, 2022:

CVE-2017-5645
Affected Log4j version: 2.0 - 2.8.2
Impacted: No
Information: No affected Log4j version is used.
To ensure optimal security, we recommend always upgrading to the latest version of TransForm N.
Please be aware that some security scanning tools only check the version of a component to decide whether it is vulnerable. Based on our internal investigation of how the component is used and configured, we state whether each vulnerability is actually exploitable in TransForm N (see the impact statement per CVE identifier above). A version match in a scan report therefore does not by itself mean the installation is exposed, and the reverse also holds: an unlisted component version should be checked against the ranges above rather than assumed safe.
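The impact statements above decide exploitability by how Log4j is used, not only by which version is on disk. As an added example, not TransForm N code, the following Python script applies the same rule to a deployment: it reads Log4j versions from jar manifests (falling back to the file name) and checks the Log4j configuration for a JMSAppender and for socket-based central logging, which is what the CVE-2021-4104 and CVE-2019-17571 rows hinge on. The jar, manifest, properties file, host name and port are all constructed for the demonstration; the first entry in AFFECTED_RANGES is the 2.0 - 2.14.1 issue the article opens with, labelled here by its disclosure date because the table does not name it.

```python
import io
import re
import zipfile

# Inclusive version ranges as stated in the table above. Tuples compare
# element-wise, so (2, 0) <= (2, 14, 1) and (1, 2, 17) <= (1, 2, 17) both hold.
AFFECTED_RANGES = {
    "Log4j 2 issue disclosed 2021-12-09": ((2, 0), (2, 14, 1)),
    "CVE-2021-4104": ((1, 2, 0), (1, 2, 17)),
    "CVE-2019-17571": ((1, 2, 0), (1, 2, 17)),
    "CVE-2017-5645": ((2, 0), (2, 8, 2)),
}

# Log4j 1.2 network classes whose presence in a configuration changes exploitability.
LOG4J1_NET_CLASS = re.compile(
    r"org\.apache\.log4j\.net\.(JMSAppender|SocketAppender|SocketServer|SimpleSocketServer)"
)
SOCKET_CLASSES = {"SocketAppender", "SocketServer", "SimpleSocketServer"}


def parse_version(text):
    """'1.2.17' -> (1, 2, 17); leading spaces and trailing qualifiers are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def jar_version(name, data):
    """Version of a Log4j jar, read from META-INF/MANIFEST.MF when possible
    (Log4j jars carry Implementation-Version and/or Bundle-Version there),
    otherwise from a 'log4j-<version>.jar' style file name."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            key, _, value = line.partition(":")
            if key.strip() in ("Implementation-Version", "Bundle-Version"):
                return parse_version(value)
    except (zipfile.BadZipFile, KeyError, OSError):
        pass
    m = re.search(r"log4j(?:-core|-api)?-(\d+(?:\.\d+)+)\.jar$", name)
    return parse_version(m.group(1)) if m else None


def triage(jars, config_text):
    """jars: {path: jar bytes}; config_text: a log4j.properties or log4j.xml.

    Returns {issue: (affected_version_present, exploitable, note)}, where
    exploitable is True/False when the usage rule from the table decides it
    and None when only a configuration review can decide it."""
    versions = {path: jar_version(path, data) for path, data in jars.items()}
    classes = set(LOG4J1_NET_CLASS.findall(config_text))
    jms_in_use = "JMSAppender" in classes
    socket_logging = bool(classes & SOCKET_CLASSES)

    result = {}
    for issue, (low, high) in AFFECTED_RANGES.items():
        hits = sorted(p for p, v in versions.items() if v and low <= v <= high)
        if not hits:
            result[issue] = (False, False, "no affected Log4j version found")
        elif issue == "CVE-2021-4104":
            # The JNDI lookup lives in JMSAppender; without it the flaw is unreachable.
            note = ("JMSAppender configured" if jms_in_use
                    else "affected jar present but no JMSAppender configured")
            result[issue] = (True, jms_in_use, note)
        elif issue == "CVE-2019-17571":
            # SocketServer deserialises LoggingEvent objects from the network;
            # socket-based central logging means such a receiver is listening.
            note = ("socket-based central logging in use: " + ", ".join(hits)
                    if socket_logging
                    else "affected jar present but no socket log receiver configured")
            result[issue] = (True, socket_logging, note)
        else:
            result[issue] = (True, None, "affected jar present, review configuration: " + ", ".join(hits))
    return result


def make_jar(version):
    """Constructed stand-in for a Log4j jar: a zip containing only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
    return buf.getvalue()


# Constructed sample deployment: one Log4j 1.2.17 jar plus a log4j.properties that
# ships events to a central SocketServer. Host and port are placeholders (4560 is
# Log4j's own SocketAppender default, not a TransForm N port).
SAMPLE_JARS = {"lib/log4j-1.2.17.jar": make_jar("1.2.17")}
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, central
log4j.appender.central=org.apache.log4j.net.SocketAppender
log4j.appender.central.RemoteHost=cms.example.invalid
log4j.appender.central.Port=4560
"""

if __name__ == "__main__":
    for issue, (affected, exploitable, note) in triage(SAMPLE_JARS, SAMPLE_CONFIG).items():
        print(f"{issue}: version affected={affected}, exploitable={exploitable} ({note})")
```

Run against the constructed sample, the 1.2.x rows come out as the table states: CVE-2021-4104 has an affected jar but no JMSAppender and is therefore not exploitable, while CVE-2019-17571 is exploitable because the configuration relies on a socket log receiver. Point it at a real installation by loading the jars and configuration from disk; the version-only scanners the paragraph above describes would flag both 1.2.x CVEs identically.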
Please note that the above article contains preliminary information and will be updated regularly.