Log4j Vulnerability (Log4Shell): Important Information You Should Know
Summary
Last updated: Wednesday January 12, 2022 @ 4:00pm ET
The recently revealed Log4j vulnerabilities are not exploitable in SOTI products.
Vulnerabilities in Apache’s Log4j library have been actively investigated by SOTI’s Security & Compliance Team since Friday, December 10, 2021. Since the initial vulnerability (CVE-2021-44228) was published, additional CVEs (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832) have been registered against successive Log4j updates.
Our investigations have determined that there is no path to exploit any of these vulnerabilities in any SOTI product.
Recommended action
SOTI recommends that customers upgrade to SOTI MobiControl 15.5.0, which includes the latest version of the Log4j library, 2.17.1. Version 15.5.0 is expected January 31, 2022. Although SOTI products cannot be exploited by this vulnerability, updating the Log4j library to 2.17.1 will eliminate concern caused by false positives when scanners detect an older version of Log4j.
In addition to remediating the highly publicized Log4j issues, upgrading to the latest release of SOTI MobiControl is best practice, ensuring that you receive all the most current bug fixes and security patches.
Impacted versions
SOTI makes indirect use of the Log4j library through a software component, Elasticsearch.
- SOTI MobiControl 14.0 – 14.2
  - Uses a version of Elasticsearch that does not contain an affected version of Log4j
- SOTI MobiControl 14.3 – 15.4.1
  - Includes the affected version of Log4j library
- SOTI MobiControl 15.4.2
  - Includes a modified Log4j 2.11.1 that removes the problematic code, but may still result in false positives when running vulnerability scans
Mitigation for on-premise instances to upgrade Log4j to 2.17.1
On-premise customers that are unwilling to wait for SOTI MobiControl 15.5.0 can update the Log4j library following the steps below.
- Download Log4j 2.17.1 from the following source and unzip it:
  https://downloads.soti.net/Tools/apache-log4j-2.17.1-bin.zip
- Stop the MobiControl Search service from “Task Manager”, from “Windows Services”, or using the MobiControl Admin Utility (MCAU)
- Back up the original files below, located at <MobiControl Installation Folder>\search\lib (for example, C:\Program Files\SOTI\MobiControl\Search\lib), to a different folder or server
  - log4j-1.2-api-2.11.1.jar (present in MobiControl 14.3 – 15.3.3; this unused file was removed in MobiControl 15.4 and above)
  - log4j-api-2.11.1.jar
  - log4j-core-2.11.1.jar
- Replace them with the new files below under the path <MobiControl Installation Folder>\search\lib
  - log4j-api-2.17.1.jar
  - log4j-core-2.17.1.jar
- Start the MobiControl Search service
Important Note: You need to follow the steps above for all installed Management Servers.
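The manual steps above as a PowerShell script, with a check that no older Log4j jar is left in the lib folder for a scanner to flag. This is an added example, not SOTI's own tooling: `$ServiceName`, `$NewJarDir` and `$BackupDir` are hypothetical parameters you supply, and the Windows service name is an assumption to look up with `Get-Service`, since the page does not give it.

```powershell
# Added example, not SOTI tooling: the manual jar swap above as one script.
param(
    # Assumption: the real Windows service name is not on the page; look it up with Get-Service.
    [Parameter(Mandatory)][string]$ServiceName,
    # Folder where apache-log4j-2.17.1-bin.zip was unzipped.
    [Parameter(Mandatory)][string]$NewJarDir,
    # Backup folder outside the MobiControl installation.
    [Parameter(Mandatory)][string]$BackupDir,
    [string]$LibDir = 'C:\Program Files\SOTI\MobiControl\Search\lib'
)
$ErrorActionPreference = 'Stop'

$oldJars = 'log4j-1.2-api-2.11.1.jar', 'log4j-api-2.11.1.jar', 'log4j-core-2.11.1.jar'
$newJars = 'log4j-api-2.17.1.jar', 'log4j-core-2.17.1.jar'

# Fail before touching anything if a replacement jar is missing.
foreach ($jar in $newJars) {
    if (-not (Test-Path -LiteralPath (Join-Path $NewJarDir $jar))) {
        throw "Missing $jar in $NewJarDir"
    }
}

Stop-Service -Name $ServiceName
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($jar in $oldJars) {
    $src = Join-Path $LibDir $jar
    # log4j-1.2-api-2.11.1.jar is absent on 15.4 and above, so skip what is not there.
    if (Test-Path -LiteralPath $src) {
        Move-Item -LiteralPath $src -Destination $BackupDir
    }
}
foreach ($jar in $newJars) {
    Copy-Item -LiteralPath (Join-Path $NewJarDir $jar) -Destination $LibDir
}

# Verify: every Log4j jar left in the lib folder must be one of the 2.17.1 files.
$found = Get-ChildItem -LiteralPath $LibDir -Filter 'log4j-*.jar'
$stale = $found | Where-Object { $_.Name -notin $newJars }
if ($stale) {
    throw "Service left stopped; unexpected Log4j jars in lib: $($stale.Name -join ', ')"
}
# Print hashes so the result can be compared across Management Servers.
$found | Get-FileHash -Algorithm SHA256 | Format-Table Hash, Path -AutoSize

Start-Service -Name $ServiceName
```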
SOTI Cloud
As a safeguarding measure, SOTI has proactively removed the problematic code from all our Cloud instances, except for customers with specific change management requirements.
Once again, please note that SOTI products are not affected by this vulnerability; the above steps are offered out of an abundance of caution.
For any inquiries regarding this matter, please do not hesitate to contact us at: support@soti.net