Log4j2 on 5.0.19

I too have sent emails to support this weekend and also via the support contact forms. I would have to imagine they are aware of this issue. Anyone in IT has to be aware of it.

I’m on the latest version and I’ve run the tool:

PS C:\Windows\system32> S:\temp\log4j2-scan.exe "C:\Program Files\SimpleHelp"
scan error: invalid END header (bad central directory offset)
scan error: invalid END header (bad central directory offset)
scan error: invalid END header (bad central directory offset)

Scanned 507 directories and 8318 files
Found 0 vulnerable files
Completed in 2.34 seconds
PS C:\Windows\system32>

One would think, wouldn’t one

As Evan mentioned further up this thread, the log4 stuff is baked into SH, so I am wondering if tools like logpresso would pick up the vulnerabilities

strings /opt/SimpleHelp/lib/commons-logging.jar | grep -i log4j
org/apache/commons/logging/impl/Log4JCategoryLog.class
org/apache/commons/logging/impl/Log4JLogger.class
org/apache/commons/logging/impl/Log4jFactory.class
org/apache/commons/logging/impl/Log4JCategoryLog.classPK
org/apache/commons/logging/impl/Log4JLogger.classPK
org/apache/commons/logging/impl/Log4jFactory.classPK

I wonder about the software on end user machines.

So… not ideal but I rely on SH at the moment.

I have set up firewall rules to only allow the IP addresses of our hosts and computers to access the server.

Not ideal, and a pain for dynamic IP users (home users). You just have to ask for their IP to allow list before supporting them if you need to.

Also there's nothing to say it can't be attacked from a user's machine. Seems unlikely, but possible.

Hopefully my week won't be a nightmare as this is the only Java based product we use.

Hopefully SH will confirm or deny vulnerability and release a patch if needed soon.

1 Like

I presume you have no WAN ports pointed to it.

Be careful btw, don’t lock yourself out.

So far the agent installed on user systems has not popped up in any scans from services like CrowdStrike, Huntress, Sophos, etc. So I am really hoping the software is not vulnerable. It would be a nightmare.

1 Like

I just heard from support. See below

“SimpleHelp does not utilise Log4J so it's not vulnerable to exploit (CVE-2021-44228). We do not expect any version of SimpleHelp to be affected in any way.”

3 Likes

That’s a little bit of good news :slight_smile:

Thank you for all the communication, and especially for posting the confirmation that SH isn’t affected. Right after making this thread, my account was temporarily suspended, so I couldn’t reply to anyone. But I’ve been following the discussion all weekend. Thanks, all.

Just to clarify - those are the Apache Commons Logging interfaces to log4j. Not log4j itself. SH has posted a new thread on this topic and has confirmed that the product is not susceptible to (CVE-2021-44228) - Log4J Vulnerability (CVE-2021-44228) and SimpleHelp

1 Like
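
The distinction drawn in the last reply (commons-logging adapter classes versus log4j itself), together with the `invalid END header` scan errors earlier in the thread, as an added example that is not from any poster or from SimpleHelp: a Python script that classifies archives by the classes they contain, descends into nested jars, and reports unreadable archives separately instead of counting them as clean. The sample jars are constructed in memory, and the function and constant names are assumptions of this example.

```python
import io
import zipfile

# Class shipped in the real log4j-core 2.x library (the JNDI lookup).
LOG4J_CORE_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# commons-logging adapter classes, as seen in the strings output in this thread.
ADAPTER_PREFIX = "org/apache/commons/logging/impl/Log4"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def classify_archive(data, name="<root>", depth=0, max_depth=4):
    """Return [(archive_name, verdict)] for an archive and its nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # The archive was not inspected, so it must not be counted as clean.
        return [(name, "unreadable")]
    results = []
    with zf:
        names = zf.namelist()
        if LOG4J_CORE_MARKER in names:
            verdict = "log4j-core"
        elif any(n.startswith(ADAPTER_PREFIX) for n in names):
            verdict = "adapter-only"
        else:
            verdict = "none"
        results.append((name, verdict))
        if depth < max_depth:
            for n in names:
                if n.lower().endswith(ARCHIVE_EXT):
                    results += classify_archive(zf.read(n), f"{name}!{n}", depth + 1, max_depth)
    return results

def make_jar(entries):
    """Build a constructed in-memory jar from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()

# Constructed samples (not real SimpleHelp files).
ADAPTER_JAR = make_jar({"org/apache/commons/logging/impl/Log4JLogger.class": b"\xca\xfe\xba\xbe"})
CORE_JAR = make_jar({LOG4J_CORE_MARKER: b"\xca\xfe\xba\xbe"})
FAT_JAR = make_jar({"lib/inner.jar": CORE_JAR, "app/Main.class": b"\xca\xfe\xba\xbe"})
TRUNCATED = ADAPTER_JAR[:-30]  # end-of-central-directory record cut off

if __name__ == "__main__":
    for label, blob in [("commons-logging.jar", ADAPTER_JAR), ("fat.jar", FAT_JAR), ("broken.jar", TRUNCATED)]:
        print(classify_archive(blob, label))
```

A `log4j-core` verdict only means the library is present; its version still has to be checked against the advisory, and every `unreadable` entry needs a manual look.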