Home → General Information :: General Support → News → Trumpet's Response to Log4j (aka LogJam) Exploit
2.1. Trumpet's Response to Log4j (aka LogJam) Exploit
On Friday 12/10/2021 at 8:00am PST, we became aware of a new exploit impacting servers across the Internet called LogJam (Vulnerability ID: CVE-2021-44228). The vulnerability itself is in a widely used logging library called Log4j, versions prior to 2.15.0.
What we know
The vulnerability is to inbound requests to software from the public Internet.
Java security patches issued earlier this year contain mitigations that prevent LogJam. Any system running Java with patch at or above 6u211, 7u201, 8u191, and 11.0.1 will not be vulnerable to LogJam.
Based on our evaluation of the threat, for this vulnerability to be an actual risk of being exploited, an application must meet ALL of the following criteria:
- be accessible from the public Internet
- use an affected version of the log4j library (anything prior to 2.15.0 is affected)
- Java must be at patch level below 6u211, 7u201, 8u191, and 11.0.1
What we are doing about it
This article is intended to provide you with our vulnerability assessment and corrective action plan of the impact of LogJam on Trumpet’s products. See table below. Rest assured that we are also evaluating our internal servers (and we recommend that you do as well!). We've provided links to technical details of this vulnerability at the end of this article for your reference.
Assessments are based on the latest production releases of each product. For maximum security, ensure you are running the latest versions of your Trumpet software.
| Application & Production Version #
| Vulnerability Assessment
| Corrective Action Status
|
|---|---|---|
| SignatureBridge
(Cloud based, you're on the latest!) | Connected to the public Internet: YES
Uses vulnerable version of Log4j: YES Uses protected JDK: YES (11.0.13) Assessment: System not at risk |
12/10/21 1:42pm PST Out of an abundance of caution, we pushed a patch to SignatureBridge that eliminates the vulnerable version of Log4j |
| Assemblage (to include Emailer Module, Auto Filer, Trumpet Publisher, PDF Splitter)
(2.3.61) |
Connected to the public Internet: NO
Assessment: System not at risk | We will be issuing a patch that removes the vulnerable Log4j library in the next two weeks.
|
| Symphony OCR - On Premise
(8.1.0) |
Connected to the public Internet: NO
Assessment: System not at risk | We will be issuing a patch that removes the vulnerable Log4j library in the next week.
|
| Symphony OCR - WD Cloud
(8.1.0) |
Connected to the public Internet: NO
Assessment: System not at risk | We will be applying a patch that removes the vulnerable Log4j library in the next two weeks.
|
| Symphony Profiler - On Premise
(2.0.62) |
Connected to the public Internet: NO
Assessment: System not at risk | We will be issuing a patch that removes the vulnerable Log4j library in the next week.
|
| Symphony Profiler - WD Cloud
(2.0.62) |
Connected to the public Internet: NO
Assessment: System not at risk | We will be applying a patch that removes the vulnerable Log4j library in the next two weeks.
|
| Virtuoso, Virtuoso Embedded Search
| Does not use Log4j at all; System not at risk
| No action
|
| AuditSync
|
Connected to the public Internet: NO
Assessment: System not at risk | We will be issuing a patch that removes the vulnerable Log4j library in the next four weeks.
|
| Attach Plus
| Does not use Log4j at all; System not at risk
| No action
|
| BatesCL
|
Connected to the public Internet: NO
Assessment: System not at risk | We will be issuing a patch that removes the vulnerable Log4j library in the next four weeks.
|
| 8.3 Filename Tool |
Does not use Log4j at all; System not at risk
|
No action
|
For any clients who receive Worldox support from Trumpet: Worldox has assured us that all of their products are safe from risk. Contact support@worldox.com or wdccsupport@worldox.com (cloud support) if you'd like more details.
Resources
Original bug report/fix in log4j: https://issues.apache.org/jira/browse/LOG4J2-3201
Layman’s description of the vulnerability: https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/
Technical description of the vulnerability: https://www.lunasec.io/docs/blog/log4j-zero-day/