How to Assess and Mitigate the Log4j Vulnerability in EveryonePrint MobilePrint
Assessing Log4j Vulnerability Impact on EveryonePrint MobilePrint. Understanding and Addressing the Remote Code Execution (RCE) Threat.
Issue:
On December 9, 2021, a critical vulnerability in the widely used Java logging library Apache Log4j was publicly disclosed. It allows an unauthenticated attacker to execute arbitrary code on the server that writes the log, a so-called Remote Code Execution (RCE): Log4j 2 expands ${jndi:...} lookups it finds inside logged messages, so any attacker-controlled string that reaches a log statement (an HTTP header, a user name, a print job title) can make the server resolve an attacker-chosen JNDI/LDAP reference and load code from it. Because Java and Log4j are so widespread, this is likely one of the most serious vulnerabilities on the Internet since Heartbleed and Shellshock.
It is tracked as CVE-2021-44228 and affects Log4j 2 from version 2.0-beta9 up to and including 2.14.1. It is patched in 2.15.0.
Resolution:
EveryonePrint MobilePrint is Java-based software, but it uses Log4j version 1, not Log4j 2. Log4j 1.x has no JNDI lookup feature in its message formatting, so it is not vulnerable to CVE-2021-44228. Customers who want to verify this themselves can check that the jar files shipped with the installation contain Log4j 1.2.x and no log4j-core 2.x jar, including jars nested inside war or ear archives. Because Log4j 1.x reached end of life in 2015, an upgrade to the latest Log4j 2.x is nevertheless being investigated.
Update: While researching this vulnerability, some readers have come across the following National Vulnerability Database (NIST) entry concerning Log4j version 1: CVE-2019-17571, a deserialization flaw in the SocketServer class of Log4j 1.2.x.
We have verified with our dev team, and their conclusion is that we do not use the SocketServer class in Log4j 1. CVE-2019-17571 is only reachable when SocketServer is run as a network listener that accepts serialized log events, so it does not apply to MobilePrint.
Update from 21 December 2021: As noted above, EveryonePrint MobilePrint uses Log4j version 1. The follow-up vulnerabilities addressed in Log4j 2.15.0, 2.16.0 and 2.17.0 (CVE-2021-45046 and CVE-2021-45105) are specific to Log4j 2, so this version is not affected by them and does not require an upgrade on their account.
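The checks described above (which Log4j generation is actually shipped, whether a Log4j 2 core jar is hidden inside a nested archive, whether the SocketServer class from CVE-2019-17571 is present, and whether a 2.x jar predates the 2.15.0 fix) can be done mechanically. The script below is an added example and is not EveryonePrint's own tooling; it assumes the installation is a directory tree of jar/war/ear files readable from disk, takes the install root as a parameter, and identifies versions from the Maven pom.properties inside each jar. The sample tree it scans is constructed in a temporary directory from empty class-file entries, so it runs offline and contains no real Log4j code.

```python
"""Inventory Log4j jars under an install root and classify each one.

Added example (not EveryonePrint code). Detection is by class-file names inside
the archives, version by META-INF/maven/**/pom.properties.
"""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Class files whose presence identifies the Log4j generation and the feature
# each advisory hinges on. Note: the log4j-1.2-api bridge jar also carries
# org/apache/log4j/Logger.class; the 2.x core jar is detected separately.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_MARKER = "org/apache/logging/log4j/core/Logger.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # CVE-2021-44228 path
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"              # CVE-2019-17571 class
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str            # outer file path, "!" separates nested archives
    generation: str      # "1.x" or "2.x"
    version: str         # from pom.properties, else "unknown"
    has_jndi_lookup: bool
    has_socket_server: bool
    verdict: str


def version_tuple(version):
    """Turn '2.14.1' or '2.0-beta9' into a 3-tuple usable for ordering."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def verdict_for(generation, version, has_jndi, has_socket):
    if generation == "1.x":
        note = ("Log4j 1.x: no JNDI message lookups, so CVE-2021-44228 and the "
                "2.15-2.17 follow-ups do not apply (1.x is end-of-life, plan an upgrade)")
        if has_socket:
            note += ("; SocketServer class present: confirm it is never run as a "
                     "network listener (CVE-2019-17571)")
        return note
    if not has_jndi:
        return "Log4j 2.x with JndiLookup.class removed: CVE-2021-44228 lookup path absent"
    if version == "unknown":
        return "Log4j 2.x with JndiLookup.class, version unknown: inspect manually"
    v = version_tuple(version)
    if v >= (2, 17, 1):
        return f"Log4j {version}: includes the CVE-2021-44228 fix and the December 2021 follow-up fixes"
    # 2.15.0 fixed CVE-2021-44228; the Java 7 (2.12.2) and Java 6 (2.3.1) branches got the same fix.
    if v >= (2, 15, 0) or (v[:2] == (2, 12) and v[2] >= 2) or (v[:2] == (2, 3) and v[2] >= 1):
        return f"Log4j {version}: CVE-2021-44228 patched; later 2.x releases address the follow-up CVEs"
    return f"Log4j {version}: VULNERABLE to CVE-2021-44228, upgrade"


def classify(zf, label):
    names = set(zf.namelist())
    gen = "2.x" if LOG4J2_MARKER in names else "1.x" if LOG4J1_MARKER in names else None
    if gen is None:
        return None
    version = "unknown"
    for name in names:
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_jndi, has_socket = JNDI_LOOKUP in names, SOCKET_SERVER in names
    return Finding(label, gen, version, has_jndi, has_socket,
                   verdict_for(gen, version, has_jndi, has_socket))


def scan_archive(zf, label, out):
    """Classify this archive, then recurse into archives embedded in it (WEB-INF/lib etc.)."""
    finding = classify(zf, label)
    if finding:
        out.append(finding)
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    scan_archive(inner, f"{label}!{name}", out)
            except zipfile.BadZipFile:
                pass


def scan_tree(root):
    out = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        scan_archive(zf, path, out)
                except zipfile.BadZipFile:
                    pass
    return out


def _jar(target, entries):
    with zipfile.ZipFile(target, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree():
    """Constructed sample install tree: empty class entries, not real Log4j jars."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    _jar(os.path.join(lib, "log4j-1.2.17.jar"), {
        LOG4J1_MARKER: b"", SOCKET_SERVER: b"",
        "META-INF/maven/log4j/log4j/pom.properties": b"version=1.2.17\n"})
    _jar(os.path.join(lib, "log4j-core-2.17.1.jar"), {
        LOG4J2_MARKER: b"", JNDI_LOOKUP: b"",
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": b"version=2.17.1\n"})
    inner = io.BytesIO()   # an old core jar hidden inside a war, the case a flat scan misses
    _jar(inner, {LOG4J2_MARKER: b"", JNDI_LOOKUP: b"",
                 "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": b"version=2.14.1\n"})
    _jar(os.path.join(root, "app.war"), {"WEB-INF/lib/log4j-core-2.14.1.jar": inner.getvalue()})
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.path}\n  {f.generation} {f.version}: {f.verdict}")
```

Run it against a real install root by replacing build_sample_tree() with the path to the installation; the nested-archive recursion is the part that matters, because a third-party component bundled as a war can carry its own log4j-core jar that a directory listing never shows.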