Apache Log4j Vulnerability

On 12/10/2021 an Apache Log4j zero day vulnerability was announced, illustrating a Log4j exploit that could allow for remote code execution. See https://nvd.nist.gov/vuln/detail/CVE-2021-44228 for more information on this vulnerability.

The following table illustrates the impact around each Aviso service:

Service Impact
Aviso Engage (cloud based) Not affected, Logback is used instead of Log4j
Aviso Next (cloud based) Not affected, Logback is used instead of Log4j
Aviso Connect 1 (deprecated) Not affected, an unaffected version of Log4j is used
Aviso Accelerate Not affected, Log4j not used
Apache Drill Not affected, Log4j not used

 

Important: Despite the fact that the Connect services (Connect 1, Accelerate, Drill) are not impacted, these services should still not accept inbound requests from your institutional firewall.

Connect 1 and Accelerate need internet and outbound SFTP access, but should not accept traffic on other ports.

Apache Drill should be run on the same machine as Accelerate and should not accept non-localhost traffic.

Institutions using deprecated inbound connections to Connect 1 will also need inbound HTTPS access. Connect 1 is not affected by the Log4j CVE.

By using this configuration, traffic can be blocked even in the case that zero day vulnerabilities are exposed.

 

traffic.png

 

Articles in this section

See more
How to Contact Support
There are many ways to reach out! Click here for our support options.
Watermark Academy
Click to access the Watermark Academy for consultation, training, and implementation companion courses.
Customer Community
Can’t find the answer? Ask fellow users how they’re making the most of Watermark in our Community!