Active scanning for Apache Log4j 2 vulnerability

[Rich Mckevitt]

Hi - I am running MIVB V9 alongside Micollab V9 and MICC v9.

Does this need to be addressed from a MItel POV?

https://www.ncsc.gov.uk/news/apache-log4j-vulnerability.

Cheers

Rich



Many thanks Richard

 

[techymitel]

Mitel have published an alert (AL405) on their knowledge base. They are assessing the impact of this CVE on their products.

They say they will provide an update as soon as possible.

 

[techymitel]

AL405 now points to a security advisory with more information:

[link ]

https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-21-0010

[/url]

 

[Rich Mckevitt]

Cheers - Signed up for the updates now as well

Many thanks Richard

 

[floppy1]

Hi

I have tried to update one but I am getting this any ideas ?

Thanks

[root@xxxxxxxx]# curl -s

https://downloads.mitel.io/security/security-log4j-MiCollab.sh

| bash
This is the repair script which patches vulnerability from Mitel Security Advisory 21-0010 on MiCollab servers
Backing up...
tar: Cowardly refusing to create an empty archive
Try `tar --help' or `tar --usage' for more information.
Backup failed.
[root@xxxxxxxx]#

 

[techymitel]

Are you on a release 9.0 to 9.4 MiCollab server?

If this line in the script doesn't find any files, there won't be anything to add to the backup archive and you would see this error.

find /var /opt /usr -name 'log4j-core*.jar' | xargs tar cvzf /root/security-log4j-MiCollab.backup.tgz

 

[floppy1]

Hi techymitel

My mistake I was trying on an MSL hosting MiVb ! Once on the correct MSL it worked fine.

Thanks

 

[meneerB]

Our provider used the same script on our MiCollab.
What wondered me, a file lookup did show several log4j 2.x files below 2.15/2.16/2.17


I used
cd /
find . -name "log4j"

 

[TLDuk]

log4j does not have to be upgraded to fix the issue, specifically, a configuration change for log4j 2.10.0 and higher is all that's required, this is what the script does.


If its not broke tweak it..