LogonBox and the recent Log4J vulnerability

Christopher Dakin

Log4Shell

CVE-2021-44228 describes a remote code execution vulnerability in Log4J 2.

We can confirm that LogonBox SSPR, LogonBox VPN, LogonBox Directory and Nervepoint Access Manager do not use Log4J version 2. These products all use an older version of Log4J, which are not affected by this widely reported vulnerability.

Issues with Log4J 1.2.17

The broad exposure of this recent vulnerability has also prompted customers to raise concerns regarding the Log4J version present in the software we currently distribute, Log4J version 1.2.17.

There have been reports that this version may also be vulnerable to CVE-2021-44228 and remote code execution when using the JMS Appender class.

Other reported vulnerabilities for Log4J are:

CVE 2020-9488 - relates to SMTP appender and man-in-the-middle attacks.

CVE 2019-17571 - relates to ServerSocket implementation, vulnerable to deserialization attacks.

We do not use any of these features in our products, so we are not susceptible to this vulnerability. Our support and development teams have worked this morning to scan several of our own live servers and no servers were found to be vulnerable. Customers do not need to take any further action.

For your peace of mind, we recommend scanning your server with the log4j-scan open-source tool that you can download from https://github.com/fullhunt/log4j-scan.

We expect to transition to the newer patched Log4J libraries with our LogonBox 2.4 release scheduled for release in Q1 2022. Please contact us to start planning your migration from Access Manager to LogonBox; for most usages the transition is free and part of your existing subscription.

Regards,
The LogonBox Team