• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Apache log4j Remote Code Execution Zero Day - Active Exploit
#1
A remote-code execution vulnerability has been found in the Apache log4j logging library. 

This library is widely used in java applications and is used within the Rapide runtime. 

Rapide has been updated to include the latest 2.15.0 version of log4j and this is included in the following updated releases of the software which are now available to download:

  • Rapide 3.0.2
  • GuardIEn web client 8.8.0 (updated to show 8.8.0a in the home page)
  • GuardIEn web client 8.7.5 (updated to show 8.7.5 in the home page)

Other platforms for example Windows clients or server software are not affected.

if you are using an earlier release of Rapide or the GuardIEn web client then it is highly recommended that you upgrade.
--
Darius Panahy, IET Ltd
  Reply
#2
Further to the above posting, Rapide versions 2.0.2 and 3.0.3 are now available which update the log4j version to 2.16.0.

The GuardIEn web clients for 8.7.5 and 8.8.0 have also been updated to use log4j 2.16.0
--
Darius Panahy, IET Ltd
  Reply
#3
Another version of the Apache log4j library has been released - version 2.17.0.

The following products have been updated to include 2.17.0:

  • Rapide 2.0.3
  • Rapide 3.0.4
  • GuardIEn Web Client 8.7.5
  • GuardIEn Web Client 8.8.0
  • Studio Developer 8.7.5.0001
  • Studio Developer 8.8.0.0001
--
Darius Panahy, IET Ltd
  Reply
#4
We have analysed the Rapide runtime and the usage of log4j by third party utilities and have concluded that log4j is not required by Rapide. Therefore, to remove the need for further updates in the event that additional vulnerabilities are encountered and fixed in log4j, we have removed it from Rapide in version 3.0.5. This means that the following releases no longer use log4j:

  • Rapide 3.0.5
  • GuardIEn Web Client (8.7.5 and 8.8.0)
  • Studio Developer (8.7.5.0001 and 8.8.0.0001)


Rapide 2.0 still contains (but does not use) log4j and is patched to version 2.17.0.
--
Darius Panahy, IET Ltd
  Reply
#5
(2021-12-20, 06:28 PM)Darius Panahy Wrote: We have analysed the Rapide runtime and the usage of log4j by third party utilities and have concluded that log4j is not required by Rapide. Therefore, to remove the need for further updates in the event that additional vulnerabilities are encountered and fixed in log4j, we have removed it from Rapide in version 3.0.5. This means that the following releases no longer use log4j:

  • Rapide 3.0.5
  • GuardIEn Web Client (8.7.5 and 8.8.0)
  • Studio Developer (8.7.5.0001 and 8.8.0.0001)


Rapide 2.0 still contains (but does not use) log4j and is patched to version 2.17.0.
Do I understand correctly that it is safe to remove file log4j-1.2.15.jar from C:\Program Files\IET\Client880\Studio\rapide\uk.co.iet.rapide.win32_3.0.0_lib after installing the DevOps Suite? We do not have a license for Rapide, so it's never used.
  Reply
#6
(2021-12-24, 09:02 AM)m.b Wrote:
(2021-12-20, 06:28 PM)Darius Panahy Wrote: We have analysed the Rapide runtime and the usage of log4j by third party utilities and have concluded that log4j is not required by Rapide. Therefore, to remove the need for further updates in the event that additional vulnerabilities are encountered and fixed in log4j, we have removed it from Rapide in version 3.0.5. This means that the following releases no longer use log4j:

  • Rapide 3.0.5
  • GuardIEn Web Client (8.7.5 and 8.8.0)
  • Studio Developer (8.7.5.0001 and 8.8.0.0001)


Rapide 2.0 still contains (but does not use) log4j and is patched to version 2.17.0.
Do I understand correctly that it is safe to remove file log4j-1.2.15.jar from C:\Program Files\IET\Client880\Studio\rapide\uk.co.iet.rapide.win32_3.0.0_lib after installing the DevOps Suite? We do not have a license for Rapide, so it's never used.
Yes, it can be removed.
--
Darius Panahy, IET Ltd
  Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)

   Visit the IET Web Site for product information and contact details and privacy policy. Visit the IET Support Centre for product support and downloads.