On 12/10/2021, an Apache Log4j zero-day vulnerability was announced that could allow remote code execution. See https://nvd.nist.gov/vuln/detail/CVE-2021-44228 for more information on this vulnerability.
The following table shows the impact on each Aviso service:
Service | Impact |
Aviso Engage (cloud based) | Not affected, Logback is used instead of Log4j |
Aviso Next (cloud based) | Not affected, Logback is used instead of Log4j |
Aviso Connect 1 (deprecated) | Not affected, an unaffected version of Log4j is used |
Aviso Accelerate | Not affected, Log4j not used |
Apache Drill | Not affected, Log4j not used |
Important: Although the Connect services (Connect 1, Accelerate, Drill) are not impacted, these services should still not accept inbound requests from your institutional firewall.
Connect 1 and Accelerate need internet and outbound SFTP access, but should not accept traffic on other ports.
Apache Drill should be run on the same machine as Accelerate and should not accept non-localhost traffic.
Institutions using deprecated inbound connections to Connect 1 will also need inbound HTTPS access. Connect 1 is not affected by the Log4j CVE.
With this configuration, traffic can be blocked even if zero-day vulnerabilities are exposed.