Vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104

Villebon sur Yvette, 21 December 2021

Vigilance Communication

SUBJECT:

CERT-FR alert regarding vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104 in Apache Log4j

BACKGROUND:

CERT-FR, Centre gouvernemental de veille, d’alerte et de réponse aux attaques informatiques, draws our attention to the critical vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104 affecting the Log4j logging library published by Apache.

“A vulnerability has been discovered in the Apache log4j logging library. This library is widely used in Java/J2EE application development projects as well as by vendors of Java/J2EE-based off-the-shelf software solutions.

This vulnerability allows an attacker to cause remote arbitrary code execution if they have the ability to submit data to an application that uses the log4j library to log the event. This attack can be performed without being authenticated, for example by leveraging an authentication page that logs authentication errors.”

Proofs of concept have already been published. This vulnerability is now being actively exploited.

IMPACT FOR ALCEA:

ALCEA’s supervision solution (for example the ALWIN software, the SA2 and SA3 CSPN automatons and the MTE and MTE2 CSPN controllers) is not concerned by the security flaws in question: none of its products is affected, since they do not use Apache technology.

PROCEDURES:

  • Towards ANSSI:

ALCEA has informed the Agence Nationale de la Sécurité des Systèmes d’Information that the vulnerabilities in question have no impact on its certified and qualified products.

  • Towards its customers and internal staff:

ALCEA informs its customers and staff through this communication and makes them aware of the need to be vigilant regarding the environment in which ALWIN applications are installed. The vulnerable Log4j library may be present in other software installed on the same PC as ALWIN, as well as in the operating systems or virtualised environments attached to it. It is strongly recommended that customers obtain information from their hosting providers and from the teams that maintain their information system.
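As an added example (not part of ALCEA's communication or of any ALCEA product), the following Python script performs the check the paragraph above recommends for the environment around ALWIN: it walks a directory tree and reports every JAR, WAR or EAR that still ships the Log4j classes behind these CVEs, recursing into archives nested inside fat JARs. The class paths are facts about Log4j itself; the sample archive and its version string are constructed for the demonstration.

```python
import io
import os
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # Log4j 2.x: CVE-2021-44228 / CVE-2021-45046
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"                # Log4j 1.x: CVE-2021-4104
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    lines = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines()
    return next((ln.split(":", 1)[1].strip() for ln in lines if ln.lower().startswith("implementation-version:")), None)


def inspect_jar_bytes(data, name="<memory>"):
    """Report this archive and any nested archive that contains the affected classes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a ZIP container: nothing to inspect
    names, findings = set(zf.namelist()), []
    if JNDI_LOOKUP in names or JMS_APPENDER in names:
        findings.append({"archive": name, "version": manifest_version(zf),
                         "jndi_lookup": JNDI_LOOKUP in names, "jms_appender": JMS_APPENDER in names})
    for inner in sorted(names):  # fat JARs and WARs embed log4j-core.jar as an entry
        if inner.lower().endswith(ARCHIVE_EXT):
            findings += inspect_jar_bytes(zf.read(inner), f"{name}!/{inner}")
    return findings


def scan_tree(root):
    """Walk a directory tree (e.g. the PC hosting ALWIN) and inspect every archive found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.lower().endswith(ARCHIVE_EXT)):
            with open(path, "rb") as fh:
                findings += inspect_jar_bytes(fh.read(), path)
    return findings


def build_sample_jar():
    """Constructed sample: a fat JAR embedding a log4j-core JAR that still contains JndiLookup."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for n, d in entries.items():
                zf.writestr(n, d)
        return buf.getvalue()
    inner = jar({"META-INF/MANIFEST.MF": "Implementation-Version: 2.14.1\n", JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
    return jar({"BOOT-INF/lib/log4j-core.jar": inner})  # version string is a constructed sample value
```

Run `scan_tree("/")` (or the ALWIN installation root) and compare each reported version against the Apache advisories; the `!/` notation in the archive name points to the nested JAR that needs updating.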

Your usual ALCEA contacts remain at your disposal for any questions.

FOR MORE INFORMATION:

The Technical Management
