Apache Log4j library vulnerability

A zero-day exploit was recently identified within the Apache Log4j logging library. This issue, CVE-2021-44228, has been flagged as critical.

STATUS: December 21

Incident closed.

Follow-up from Sofico's side: 

  • Deploy the latest stable version of Log4j (2.17.0) to every module and layer in Miles Core. 
  • Conduct a lessons-learned review with feedback from customers, account managers and the incident response team members, and update internal processes as needed.
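The follow-up above calls for 2.17.0 on every module and layer; verifying that across many Miles environments is easiest to script. The following POSIX shell script is an added example, not Sofico's own tooling: it inventories log4j-core jars below a directory tree and reports any whose version is older than the 2.17.0 target. It assumes the jars keep their standard log4j-core-<version>.jar file names (a repackaged or shaded jar would need a manifest-based check instead), and the directory layout it builds is a constructed fixture standing in for an installation.

```shell
#!/bin/sh
# Added example, not Sofico tooling: inventory log4j-core jars below a directory
# and report any whose version is older than the 2.17.0 target from the advisory.

TARGET_LOG4J_VERSION="2.17.0"

# version_ge A B: succeed when dotted numeric version A >= B.
# Missing components count as 0, so "2.17" compares equal to "2.17.0";
# a suffix such as "-rc1" is ignored for the comparison.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        p1=$(printf '%s.0.0' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        p2=$(printf '%s.0.0' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        if [ "${p1:-0}" -gt "${p2:-0}" ]; then return 0; fi
        if [ "${p1:-0}" -lt "${p2:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# log4j_version_from_jar PATH: print the version embedded in the file name,
# e.g. log4j-core-2.14.1.jar -> 2.14.1 (empty output if the name does not match).
log4j_version_from_jar() {
    basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*[0-9]\).*\.jar$/\1/p'
}

# report_log4j_jars DIR: one line per log4j-core jar under DIR:
# "<path> <version> OK|OUTDATED|UNKNOWN". Only log4j-core is checked; the
# log4j-api jar is not the one carrying the lookup code.
report_log4j_jars() {
    find "$1" -type f -name 'log4j-core-*.jar' | sort | while IFS= read -r jar; do
        ver=$(log4j_version_from_jar "$jar")
        if [ -z "$ver" ]; then
            printf '%s ? UNKNOWN\n' "$jar"
        elif version_ge "$ver" "$TARGET_LOG4J_VERSION"; then
            printf '%s %s OK\n' "$jar" "$ver"
        else
            printf '%s %s OUTDATED\n' "$jar" "$ver"
        fi
    done
}

# count_outdated_log4j_jars DIR: number of jars below the target version.
count_outdated_log4j_jars() {
    report_log4j_jars "$1" | grep -c 'OUTDATED$' || true
}

# make_demo_tree: constructed fixture of empty placeholder jars (not a real
# Miles layout); prints the temporary directory it created.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/core/lib" "$d/web/WEB-INF/lib"
    : > "$d/core/lib/log4j-core-2.14.1.jar"          # below target
    : > "$d/core/lib/log4j-api-2.17.0.jar"           # not checked
    : > "$d/web/WEB-INF/lib/log4j-core-2.17.0.jar"   # at target
    echo "$d"
}

# Stand-alone demo on the constructed fixture.
demo_dir=$(make_demo_tree)
report_log4j_jars "$demo_dir"
rm -rf "$demo_dir"
```

Run it with a real installation root in place of the fixture, e.g. `report_log4j_jars /opt/miles`, on each environment (production, mirror, development, training) and treat any OUTDATED or UNKNOWN line as a jar that still needs the patch.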

STATUS: December 19

All Sofico customers received an emergency patch.

STATUS: December 18

A new vulnerability has been identified in Log4j 2.16.0: CVE-2021-45105.

Sofico's emergency patches mitigate all three currently identified vulnerabilities. The workaround mentioned below for Miles 2021.1 and higher does not offer protection from this new vulnerability. We advise all customers to apply our emergency patches to all their Miles environments.

STATUS: December 17

Log4j 2.16.0 has been released, disabling by default the functionality that allowed remote code execution. We are in the process of reviewing all components using Log4j2 for update.

STATUS: December 15

A new vulnerability has been identified in Log4j 2.15.0: CVE-2021-45046.

Sofico's emergency patches mitigate both the original vulnerability and this new issue. The workaround mentioned below for Miles 2021.1 and higher does not offer protection from this new vulnerability. We advise all customers to apply our emergency patches to all their Miles environments.

We are in the process of distributing emergency patches to all our customers. 
Before we can finalize these emergency patches, we need customers to confirm which Miles patches they currently have in use on their various Miles environments. 

Contact your Sofico account manager or infosec@sofico.be to arrange delivery of your emergency patches. 

STATUS: December 13

Based on our initial assessment, this issue seems to affect Miles Core but we cannot exclude the possibility that Miles Core can be impacted via MilesWeb.

Due to the severe nature of this issue, we recommend that all customers err on the side of caution and temporarily take MilesWeb offline.

Sofico is currently (December 13th) preparing emergency patches for each of our customers.
An emergency patch will be needed for all your environments (production, mirror, development, training, etc.).

Before we can finalize these emergency patches, we need customers to confirm which Miles patches they currently have in use on their various Miles environments. 

Please contact your Sofico account manager as soon as possible and confirm your current Miles patches to them.

NOTE:
If you are on Miles 2021.1 or higher, you can implement the following workaround until your emergency patches are delivered to you:

  • Workaround 1
    WebSphere: add log4j2.formatMsgNoLookups=true to the generic JVM options.
  • Workaround 2
    WebLogic and JBoss: add -Dlog4j2.formatMsgNoLookups=true to the startup script.
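For Workaround 2, the following POSIX shell script is an added example (not Sofico's patch or tooling) showing how to apply the startup-script change idempotently and verify that it took effect. It assumes the server's startup script sets JAVA_OPTS and that the server honours that variable; the startup script it builds is a constructed stand-in, not a real WebLogic or JBoss file. As the later status updates state, this flag covers only the original issue, so it is a stopgap until the emergency patch is applied.

```shell
#!/bin/sh
# Added example, not Sofico tooling: add the formatMsgNoLookups system property
# to an application-server startup script and confirm the resulting JAVA_OPTS.

NO_LOOKUPS_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# has_no_lookups_flag SCRIPT: succeed when SCRIPT already passes the flag.
has_no_lookups_flag() {
    grep -qF -- "$NO_LOOKUPS_FLAG" "$1"
}

# add_no_lookups_flag SCRIPT: append the flag to JAVA_OPTS at the end of SCRIPT.
# Appending (rather than editing the existing assignment) keeps the change
# easy to review and to back out; running it twice adds nothing.
add_no_lookups_flag() {
    if has_no_lookups_flag "$1"; then
        return 0
    fi
    # Single-quoted format string: $JAVA_OPTS must reach the file unexpanded.
    printf '\n# Log4j CVE-2021-44228 workaround: disable message lookups\nJAVA_OPTS="$JAVA_OPTS %s"; export JAVA_OPTS\n' \
        "$NO_LOOKUPS_FLAG" >> "$1"
}

# effective_java_opts SCRIPT: source SCRIPT in a subshell and print the
# JAVA_OPTS it leaves behind, i.e. what the JVM would actually receive.
effective_java_opts() {
    ( . "$1" && printf '%s\n' "$JAVA_OPTS" )
}

# make_demo_startup_script: constructed stand-in for a startup script
# (assumed layout, not a real WebLogic/JBoss file); prints its path.
make_demo_startup_script() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#!/bin/sh
# constructed fixture: sets the JVM options the server will be started with
JAVA_OPTS="-Xmx2g -Djava.net.preferIPv4Stack=true"
export JAVA_OPTS
EOF
    echo "$f"
}

# Stand-alone demo on the constructed fixture.
demo_script=$(make_demo_startup_script)
add_no_lookups_flag "$demo_script"
add_no_lookups_flag "$demo_script"   # second run is a no-op
echo "effective JAVA_OPTS: $(effective_java_opts "$demo_script")"
rm -f "$demo_script"
```

After running `add_no_lookups_flag` against the real startup script, restart the server: the property is read by the JVM at startup, so an already-running instance is unchanged until it is restarted.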

For Sofico-hosted customers: Sofico will make contact to coordinate the deployment of the emergency patches to your environments. 

Our infosec team is currently contacting all customers to share the above information with them. 
