Versasec Explains Log4j 2 Library Vulnerability
Author: Anders Adolfsson, Product Manager
A limited number of Versasec customers are potentially exposed through a third-party SDK used between vSEC:CMS and the UniCERT PKI.
If you’ve not yet heard, there is now a known remote code execution vulnerability in Log4j 2 that could impact a very small subset of Versasec customers.
The remote code execution vulnerability (CVE-2021-44228) affects multiple versions of the Apache Log4j 2 library. The risk is that systems using Log4j 2.0 – 2.14 could allow an attacker with network access to instruct affected systems to download and execute a malicious payload by submitting a custom-crafted request.
The Versasec technical team has identified one library where Log4j 2 is used within or in connection with our vSEC:CMS product suite. It is the third-party SDK used between vSEC:CMS and the UniCERT PKI. Customers using UniCERT are asked to reach out to their Versasec contact.
Our customers who are not using the UniCERT PKI with vSEC:CMS are not impacted by this vulnerability.
We are continuing to monitor this issue and will provide updates as we learn more.
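For teams checking their own deployments, the following is an added example, not code from Versasec or the SDK vendor: it walks an archive and any archives nested inside it (as happens when a third-party SDK bundles its dependencies), reads the Maven metadata that log4j-core ships in its JAR, and flags versions in the 2.0 to 2.14 range quoted above. The archive names and sample contents are constructed for illustration.

```python
import io
import re
import zipfile

# Maven metadata file that log4j-core carries inside its own JAR.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def in_page_range(version):
    """True if the version falls in the 2.0 - 2.14 range quoted in the advisory."""
    m = re.match(r"(\d+)\.(\d+)", version)
    return bool(m) and int(m.group(1)) == 2 and 0 <= int(m.group(2)) <= 14


def scan_archive(data, label):
    """Return [(location, version, affected)] for each log4j-core copy found,
    descending into nested archives (fat JARs, WARs, SDK bundles)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive; nothing to report
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", text, re.M)
                version = m.group(1).strip() if m else "unknown"
                findings.append((label, version, in_page_range(version)))
            elif name.lower().endswith(ARCHIVE_EXT):
                findings += scan_archive(zf.read(name), label + "!/" + name)
    return findings


def make_jar(entries):
    """Build an in-memory archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a hypothetical SDK bundle embedding log4j-core 2.13.3.
    inner = make_jar({POM_PROPS: b"artifactId=log4j-core\nversion=2.13.3\n"})
    sdk = make_jar({"lib/log4j-core.jar": inner, "com/example/Sdk.class": b""})
    for loc, ver, hit in scan_archive(sdk, "sdk-bundle.jar"):
        print(loc, ver, "IN AFFECTED RANGE" if hit else "outside range")
```

A copy of the library that has been shaded or repackaged without its Maven metadata will not be found this way, so a clean result does not rule out exposure.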