HomeGeneral Information :: General SupportNewsTrumpet's Response to Log4j (aka LogJam) Exploit

2.1. Trumpet's Response to Log4j (aka LogJam) Exploit

On Friday 12/10/2021 at 8:00am PST, we became aware of a new exploit impacting servers across the Internet called LogJam (Vulnerability ID: CVE-2021-44228). The vulnerability itself is in a widely used logging library called Log4j, versions prior to 2.15.0.


What we know

The vulnerability is to inbound requests to software from the public Internet.

Java security patches issued earlier this year contain mitigations that prevent LogJam. Any system running Java with patch at or above 6u211, 7u201, 8u191, and 11.0.1 will not be vulnerable to LogJam.

Based on our evaluation of the threat, for this vulnerability to be an actual risk of being exploited, an application must meet ALL of the following criteria:

  • be accessible from the public Internet
  • use an affected version of the log4j library (anything prior to 2.15.0 is affected)
  • Java must be at patch level below 6u211, 7u201, 8u191, and 11.0.1


What we are doing about it

This article is intended to provide you with our vulnerability assessment and corrective action plan of the impact of LogJam on Trumpet’s products. See table below. Rest assured that we are also evaluating our internal servers (and we recommend that you do as well!).  We've provided links to technical details of this vulnerability at the end of this article for your reference.

Assessments are based on the latest production releases of each product. For maximum security, ensure you are running the latest versions of your Trumpet software.


Application & Production Version #
Vulnerability Assessment
Corrective Action Status
SignatureBridge
(Cloud based, you're on the latest!)
Connected to the public Internet: YES
Uses vulnerable version of Log4j: YES
Uses protected JDK: YES (11.0.13)

Assessment: System not at risk

12/10/21 1:42pm PST

Out of an abundance of caution, we pushed a patch to SignatureBridge that eliminates the vulnerable version of Log4j


Assemblage (to include Emailer Module, Auto Filer, Trumpet Publisher, PDF Splitter)
(2.3.61)

Connected to the public Internet: NO
Uses a vulnerable version of Log4j: YES
Uses a protected JDK: YES (11.0.3)

Assessment: System not at risk


We will be issuing a patch that removes the vulnerable Log4j library in the next two weeks.
Symphony OCR - On Premise
(8.1.0)

Connected to the public Internet: NO
Uses a vulnerable version of Log4j: YES
Uses a protected JDK: YES (11.0.3)

Assessment: System not at risk


We will be issuing a patch that removes the vulnerable Log4j library in the next week.
Symphony OCR - WD Cloud
(8.1.0)

Connected to the public Internet: NO
Uses a vulnerable version of Log4j: YES
Uses a protected JDK: YES (11.0.3)

Assessment: System not at risk


We will be applying a patch that removes the vulnerable Log4j library in the next two weeks.
Symphony Profiler - On Premise
(2.0.62)

Connected to the public Internet: NO
Uses a vulnerable version of Log4j: YES
Uses a protected JDK: YES (11.0.3)

Assessment: System not at risk


We will be issuing a patch that removes the vulnerable Log4j library in the next week.
Symphony Profiler - WD Cloud
(2.0.62)

Connected to the public Internet: NO
Uses a vulnerable version of Log4j: YES
Uses a protected JDK: YES (11.0.3)

Assessment: System not at risk


We will be applying a patch that removes the vulnerable Log4j library in the next two weeks.
Virtuoso, Virtuoso Embedded Search
Does not use Log4j at all; System not at risk
No action
AuditSync

Connected to the public Internet: NO
Uses a vulnerable version of Log4j: YES
Uses a protected JDK: YES (11.0.3)

Assessment: System not at risk


We will be issuing a patch that removes the vulnerable Log4j library in the next four weeks.
Attach Plus
Does not use Log4j at all; System not at risk
No action
BatesCL

Connected to the public Internet: NO
Uses a vulnerable version of Log4j: YES
Uses a protected JDK: YES (11.0.3)

Assessment: System not at risk


We will be issuing a patch that removes the vulnerable Log4j library in the next four weeks.
8.3 Filename Tool Does not use Log4j at all; System not at risk
No action


For any clients who receive Worldox support from Trumpet: Worldox has assured us that all of their products are safe from risk. Contact support@worldox.com or wdccsupport@worldox.com (cloud support) if you'd like more details. 


Resources
Original bug report/fix in log4j: https://issues.apache.org/jira/browse/LOG4J2-3201

Layman’s description of the vulnerability: https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/

Technical description of the vulnerability: https://www.lunasec.io/docs/blog/log4j-zero-day/


This page was: Helpful | Not Helpful

© 2012 Trumpet, Inc., All Rights Reserved