Publish Date: December 10, 2021
Fischer is committed to providing our clients with the highest quality, reliability, and security in our services. As a reflection of that commitment, our internal security experts and development team have assessed the Apache Log4j2 vulnerability (CVE-2021-44228) bulletin released Friday, December 10th, 2021 to determine the impact and risk of exposure to the Fischer product and our clients.
While the Fischer product does use Log4j, it does not utilize the Log4j2 JNDI features and/or libraries and is not exposed to the vulnerability. We do have plans to upgrade to the latest version of Log4j2 (>=2.15.0), and an active development effort is underway to upgrade in a future release.
More information regarding this vulnerability can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Updated Date: December 14, 2021
Fischer strives to provide our clients with the highest quality, reliability, and security in our services and product. In addition to last week's statement referencing the Log4j2 vulnerability (CVE-2021-44228) bulletin released Friday, December 10th, 2021, we reviewed the latest (CVE-2021-45046) vulnerability and it doesn't affect the Fischer products and services.
We are adding some technical context as a reassurance to our statement. The exploit is with JMSAppender.class when log4j has JNDI enabled in the configuration. Our product codebase doesn't use the JMSAppender.class, and our configuration doesn't enable the JNDI lookups. In addition to the class, the attacker needs access to the configuration of log4j to enable JNDI lookups, but our product doesn't use file-based configurations; it's all done programmatically.
Update:
On January 12, 2022 Fischer released version 7.7.4, which upgraded the log4j dependency to the latest version of log4j2 (2.17.1).
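For a client who wants to verify which log4j-core build a deployment actually carries (the JNDI lookup behaviour discussed in the December 14 update, and the 2.17.1 release named in the January update), here is an added example that is not Fischer's code: it reads the Maven version stamp from a JAR and compares it with 2.17.1. The pom.properties and JndiLookup class paths follow the standard Maven/Log4j2 jar layout; the in-memory sample JARs are constructed for the example.

```python
"""Check a log4j-core JAR image for its version and the JndiLookup class.

Added example, not Fischer's code. TARGET_VERSION is the log4j2 release the
advisory says Fischer 7.7.4 ships; the pom.properties and class paths follow
the standard Maven / Log4j2 jar layout.
"""
import io
import re
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
TARGET_VERSION = (2, 17, 1)  # version the advisory says 7.7.4 ships


def parse_version(text):
    """Turn '2.17.1' (or '2.15.0-rc1') into a comparable tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def inspect_log4j_jar(jar_bytes):
    """Return (version, has_jndi_lookup, needs_attention) for a JAR image.

    JndiLookup.class is still shipped in patched 2.17.x releases, so its
    presence alone is only flagged when no log4j-core version can be read
    (e.g. a shaded/fat JAR); a readable version is compared to TARGET_VERSION.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP in names
        if POM_PROPS not in names:
            return None, has_jndi, has_jndi
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    line = next((l for l in props.splitlines() if l.startswith("version=")), "")
    version = parse_version(line.partition("=")[2])
    return version, has_jndi, version < TARGET_VERSION


def build_sample_jar(version, include_jndi_lookup):
    """Construct a minimal fake log4j-core JAR in memory (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()
```

Pass the bytes of a real log4j-core JAR (or of each JAR found under the product's lib directory) to `inspect_log4j_jar`; a `True` third element means the build predates 2.17.1 or carries JndiLookup with no readable version and should be looked at.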