On 11 December 2021, Apache reported several vulnerabilities in the Log4j2 logging framework.
Log4j, which is used by Java applications to log data, has been hit by a 0-day exploit. This 0-day exploit impacts any application that uses Log4j and allows attackers to run malicious code and commands on the affected systems.
Log4j v2.13.3 has been found to be susceptible to this 0-day exploit.
Impact on Adeptia Connect and Adeptia Suite:
Adeptia uses log4j v2.13.3 in Adeptia Connect v3.3 and later and in Adeptia Suite v6.9.9 and later. Installations of these and later versions of Adeptia Connect and Adeptia Suite are impacted by this 0-day vulnerability.
Adeptia Connect 3.6 and Adeptia Suite 6.9.12 use log4j 2.17, in which Apache recently discovered another vulnerability that is fixed in log4j 2.17.1. It is therefore advisable to upgrade to log4j 2.17.1 if you are on these versions.
Versions earlier than AC v3.3 and AS v6.9.9, however, are not impacted and need no fix, as they use log4j 1.7.30, which is not affected by this vulnerability.
Resolution to the Vulnerability:
Upgrading to Log4j 2.17.1 in existing versions of Adeptia Connect and Adeptia Suite:
The reported vulnerabilities impact Adeptia Connect versions 3.3, 3.4, 3.5, and 3.6 and Adeptia Suite versions 6.9.9, 6.9.10, 6.9.11, and 6.9.12. To mitigate this threat, Adeptia advises you to follow the instructions below to upgrade to log4j 2.17.1 in your impacted Adeptia Connect or Adeptia Suite version.
Instructions for Adeptia Connect 3.4, 3.5, and 3.6 are available in the attached log4j2_fix.pdf.
Instructions for Adeptia Connect 3.3 are available in the attached log4j2_v3_3.pdf.
Instructions for Adeptia Suite 6.9.10, 6.9.11, and 6.9.12 are available in the attached log4j2_fix_AIS.pdf.
Instructions for Adeptia Suite 6.9.9 are available in the attached log4j2_fix_v6.9.9.pdf.
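After applying the attached instructions, a practitioner will want to confirm that no log4j-core jar below 2.17.1 remains anywhere under the install directory. The check below is an added example, not Adeptia's or Apache's code: it reads each jar's embedded Maven metadata instead of trusting the filename, so renamed or shaded copies are still found. The install root passed to `scan()` and the jars built by `sample_jar()` are constructed assumptions, not values from the advisory.

```python
import io
import os
import re
import zipfile
from typing import Iterator, Optional, Tuple

MIN_SAFE = (2, 17, 1)  # floor the advisory asks for
# Maven metadata every log4j-core jar carries; more reliable than the filename
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def jar_version(data: bytes) -> Optional[Tuple[int, ...]]:
    """log4j-core version from the pom.properties inside jar bytes; None if absent."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if POM_PROPS not in zf.namelist():
                return None
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", line[8:].strip())
                    return tuple(int(g) for g in m.groups()) if m else None
    except zipfile.BadZipFile:
        pass  # not a readable zip: treat as "no metadata"
    return None

def verdict(version: Optional[Tuple[int, ...]]) -> str:
    """Map a log4j-core version to the action the advisory implies."""
    if version is None:
        return "no log4j-core metadata"
    if version >= MIN_SAFE:
        return "ok (>= 2.17.1)"
    if version >= (2, 17, 0):
        return "upgrade to 2.17.1 (2.17 has the later issue Apache fixed in 2.17.1)"
    return "VULNERABLE: upgrade to 2.17.1"

def scan(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, verdict) for every jar under root that embeds log4j-core."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                with open(os.path.join(dirpath, name), "rb") as fh:
                    ver = jar_version(fh.read())
                if ver is not None or name.startswith("log4j-core"):
                    yield os.path.join(dirpath, name), verdict(ver)

def sample_jar(version: str) -> bytes:
    """Constructed stand-in for a log4j-core jar: metadata only, no classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()
```

Run `scan()` against the Adeptia Connect or Adeptia Suite install root (a path you supply) and act on every result that is not "ok"; log4j 1.x jars carry no log4j-core metadata and are therefore not reported, matching the advisory's statement that those versions are not impacted.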