Several critical Log4j vulnerabilities have been announced by Apache. What follows is the status of the impact of those vulnerabilities on our products and services. The information is drawn from partner websites and ongoing conversations with those vendors. We are constantly monitoring this situation and will update this information periodically. If you have a question about a specific product, whether it is listed in the attachment or not, please contact your service delivery manager, account representative, or support.
What is Log4j?
Log4j is a software library, published and maintained by the Apache Foundation, which is used as a logging framework component inside other IT products and software.
What are the vulnerabilities?
There are four vulnerabilities detailed here: https://logging.apache.org/log4j/2.x/security.html?s=09
- CVE-2021-44228 – CVSS Base 10.0
- CVE-2021-45046 – CVSS Base 9.0
- CVE-2021-45105 – CVSS Base 5.9
- CVE-2021-44832 – CVSS Base 6.6
Thousands of commercial and open-source IT products are affected by these vulnerabilities. More information, including lists of affected products and guidance on how to mitigate the vulnerability and detect exploitation, is available from the US Cybersecurity & Infrastructure Agency (CISA) at https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance.
Additional resources:
- CISA’s list of affected software: https://github.com/cisagov/log4j-affected-db
- NCSC’s list of affected software: https://github.com/NCSC-NL/log4shell/tree/main/software
- CIS’ flowchart on this advisory: https://www.cisecurity.org/log4j-zero-day-vulnerability-response/
Which OnX products are vulnerable?
OnX has undertaken an initial review of our products and services and is mitigating vulnerabilities as remediations become available.
If you have a question about a specific product, whether it is listed in the attachment or not, please contact your service delivery manager, account representative, or support.
What should I do if I have additional questions?
Please contact your service delivery manager, account representative, or support.
If you need additional help within your IT environment, our security experts are here to assist in any way necessary. Please visit https://www.onx.ca/security/ to request support.