Villebon sur Yvette, 21 December 2021
Vigilance Communication
SUBJECT:
CERT-FR alert regarding vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104 (Apache Log4j)
BACKGROUND:
CERT-FR, Centre gouvernemental de veille, d’alerte et de réponse aux attaques informatiques, draws our attention to the critical vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104 affecting the Log4j logging library published by Apache.
“A vulnerability has been discovered in the Apache log4j logging library. This library is widely used in Java/J2EE application development projects as well as by vendors of Java/J2EE-based off-the-shelf software solutions.
This vulnerability allows an attacker to cause remote arbitrary code execution if they have the ability to submit data to an application that uses the log4j library to log the event. This attack can be performed without being authenticated, for example by leveraging an authentication page that logs authentication errors.”
Proofs of concept have already been published. This vulnerability is now being actively exploited.
IMPACT FOR ALCEA:
ALCEA’s supervision solution (for example the ALWIN software, the SA2 and SA3 CSPN automatons and the MTE and MTE2 CSPN controllers) is not concerned by the security flaws in question: none of its products is affected, since they do not use Apache technology.
PROCEDURES:
- Towards the ANSSI:
ALCEA has informed the Agence Nationale de la Sécurité des Systèmes d’Information that the vulnerabilities in question have no impact on its certified and qualified products.
- Towards its customers and internal staff:
ALCEA informs its customers and staff through this communication and makes them aware of the need to be vigilant regarding the environment in which ALWIN applications are installed: the vulnerable Log4j library can be present in other software installed on the same PC as ALWIN, as well as in the operating systems or virtualised environments attached to it. It is strongly recommended to obtain information from hosting providers and from the services that maintain the information system.
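As an added illustration of the vigilance recommended above (example code written for this note, not an ALCEA or Apache tool), the following script walks an install tree on the PC hosting ALWIN and flags Log4j jars exposed to the three CVEs named in this communication. It assumes Maven-style jar names carrying the version, the version thresholds published in the Apache advisories, and a constructed sample tree (make_sample_tree) standing in for a real disk.

```python
import os, re, tempfile, zipfile

# Assumed thresholds, from the Apache advisories for the three CVEs named above:
# 2.x before 2.15.0 -> CVE-2021-44228; 2.15.0 -> CVE-2021-45046 (fixed in 2.16.0 and the
# 2.12.2 Java 7 backport); log4j 1.2.x -> CVE-2021-4104 when JMSAppender is present.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_CLASS = "org/apache/log4j/net/JMSAppender.class"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def classify(filename, names):
    # Return the CVE a jar is exposed to, or None if it is fixed or not log4j at all.
    # The version is read from the Maven-style file name; names is the jar's entry list.
    m = VERSION_RE.search(filename)
    if not m:
        return None
    ver = tuple(int(x or 0) for x in m.groups())
    if ver[0] == 1 and JMS_CLASS in names:
        return "CVE-2021-4104"
    if ver[0] == 2 and JNDI_CLASS in names:
        if ver >= (2, 16, 0) or (ver[:2] == (2, 12) and ver[2] >= 2):
            return None  # other backport lines (e.g. 2.3.x) are not modelled here
        return "CVE-2021-44228" if ver < (2, 15, 0) else "CVE-2021-45046"
    return None

def scan(root):
    # Walk root and map each exposed jar path to the CVE it is exposed to.
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".jar")):
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    verdict = classify(name, set(zf.namelist()))
            except zipfile.BadZipFile:
                continue  # not a real jar
            if verdict:
                findings[path] = verdict
    return findings

def make_sample_tree():
    # Constructed stand-in for an install tree: empty jars holding only the marker class.
    root = tempfile.mkdtemp()
    for rel, entry in [("app1/lib/log4j-core-2.14.1.jar", JNDI_CLASS),
                       ("app2/log4j-core-2.15.0.jar", JNDI_CLASS), ("app3/log4j-core-2.16.0.jar", JNDI_CLASS),
                       ("app4/log4j-1.2.17.jar", JMS_CLASS), ("app5/other-2.14.1.jar", "com/example/Foo.class")]:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with zipfile.ZipFile(os.path.join(root, rel), "w") as zf:
            zf.writestr(entry, b"")
    return root
```

On a real host, call scan() on the program and data directories where third-party Java software is installed; jars whose names carry no version need a manual check of META-INF/MANIFEST.MF.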
Your usual ALCEA contacts remain at your disposal for any questions.
FOR MORE INFORMATION:
- CERT-FR: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/
- Apache: Apache Log4j Security Vulnerabilities
The Technical Management