
Apache Log4j2 Security Advisory

Beyond Security by HelpSystems is aware of a recently disclosed security issue related to the open-source Apache “Log4j2” utility (CVE-2021-44228). We have published this Security Advisory and have provided a scanner check for this vulnerability.


Log4j is a logging framework used in Java software. The flaw lies in the Java Naming and Directory Interface (JNDI) features that Log4j2 uses in configuration, log messages and parameters: they do not protect against attacker-controlled LDAP servers and other JNDI-related endpoints. A remote attacker who can control log messages or log message parameters can run arbitrary code loaded from such LDAP servers on any application that uses Log4j when message lookup is enabled.

The flaw affects all versions of Log4j from 2.0-beta9 to 2.14.1.

This flaw is actively being exploited.

We strongly encourage customers who manage environments containing Log4j2 to update to the latest version released by the Apache Software Foundation, which addresses the issue. It is available at https://logging.apache.org/log4j/2.x/download.html or through the operating system’s software update mechanism.

If updating the software is not an option, the Foundation has also shared mitigation measures for Log4j versions 2.10 and later that protect against remote code execution via this vulnerability.

BeSECURE

Beyond Security uses Log4j in the beSECURE LSS scanners and beSECURE II scanner and management bundle.

Java is used by the beSECURE LSS scanners to schedule and run scans and to send results back to the local or cloud management server.

An attacker would need access to the local or cloud LSS to inject the required payload.

Currently, Beyond Security is not aware of a means for a remote attacker to access the necessary resources to initiate an attack.

Affected cloud versions of the LSS have been patched.

Beyond Security has released a new LSS base image that does not include the JNDI class. New deployments of LSS and beSECURE II will not contain the vulnerable JNDI class.

Beyond Security is working on an update that will remove the JNDI class from existing LSS scanners as an additional precaution, even though there is no means of reaching the vulnerable code (as noted above).
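The advisory describes two things a defender checks on a deployed Log4j jar: whether its version falls in the affected range (2.0-beta9 to 2.14.1) and whether the JndiLookup class is still present. The following Python is an added example, not Beyond Security's scanner check or Apache's code; the jar entry paths are the real log4j-core layout, while the sample jars it builds are constructed in memory for offline testing.

```python
import io
import re
import zipfile

# Entry paths inside a real log4j-core jar (Maven layout)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def version_is_affected(version):
    """True for Log4j 2.0-beta9 through 2.14.1, the range named in the advisory."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?", version or "")
    if not m or int(m.group(1)) != 2:
        return False  # Log4j 1.x and other majors are outside this advisory
    minor, patch = int(m.group(2)), int(m.group(3) or 0)
    tag, tag_num = m.group(4), m.group(5)
    if tag:  # pre-releases of 2.0: beta9 and later, plus release candidates
        tag = tag.lower()
        return (minor, patch) == (0, 0) and (
            tag == "rc" or (tag == "beta" and int(tag_num or 0) >= 9))
    return (minor, patch) <= (14, 1)

def assess_log4j_jar(jar):
    """Inspect a jar (path or file-like object) for version and JndiLookup presence."""
    with zipfile.ZipFile(jar) as z:
        names = set(z.namelist())
        version = None
        if POM_PROPS in names:
            for line in z.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        present = JNDI_LOOKUP_CLASS in names
    return {
        "version": version,
        "jndi_lookup_present": present,
        # Class present in an affected build: message lookups can reach JNDI.
        # Class present but version unknown: flag for review rather than clear it.
        "vulnerable": present and (version is None or version_is_affected(version)),
    }

def build_sample_jar(version, include_jndi_lookup):
    """Constructed sample jar (not a real Log4j build) used only for the demo below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for ver, jndi in (("2.14.1", True), ("2.14.1", False), ("2.16.0", True)):
        print(ver, "JndiLookup" if jndi else "class removed", assess_log4j_jar(build_sample_jar(ver, jndi)))
```

Pointing `assess_log4j_jar` at a real `log4j-core-*.jar` reports the same three fields; a jar with the class stripped, as in the new LSS base image, comes back with `jndi_lookup_present` false.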

The beSECURE UI is not affected. Beyond Security provided a preliminary scanner check for this vulnerability on December 14, 2021 in LSS scanner build 1145.

Security Advisory – Log4j

BeSTORM

The beSTORM product is not written in Java, does not use the Log4j utility, and is not affected by this flaw.

BeSOURCE

The beSOURCE Developer edition does not use the log4j utility.

The beSOURCE Enterprise edition uses log4j 1.2.x and is not directly affected by the current flaw.

If you have any questions about this flaw or need assistance updating your LSS, please contact Beyond Security Support.

–Beyond Security
