Windows One-X Portal Log4J Patch 4

JoeNewton

Hi Guys,

We have a customer on R11 with a Windows Server installation of One-X Portal. We have upgraded them to the latest R11 version, and run the Log4j patch, but when they do a search of the C drive for Log4j they still see version 2.12.1 in the One-X directory, which is one of the vulnerable versions. Do you know what this patch is designed to do? Should it have been upgraded to a non-affected version (2.17.0 I believe), or have they mitigated the vulnerability in some other way?

I need to reassure the customer that the patch has resolved the vulnerability.

Thanks!

Joe

Joe Newton
 
Hello JoeNewton,

Refer to page 3 of the release notes of the patch zip file:

To close both vulnerabilities, as per the mitigation steps (Log4j – Apache Log4j Security Vulnerabilities) provided by the Apache, JndiLookup class is removed from the log4j V2.12.1 libraries used in the applications.

Hope this info helps.

Z
 
And that is not enough, as there is a third vulnerability found. Avaya should provide an update to the 2.17 version of log4J.

BAZINGA!

I'm not insane, my mother had me tested!
 
Thanks both. Does the new vulnerability have an effect even with JndiLookup removed? I thought it just extended the affected versions up to 2.16? Either way, hopefully that line from the release notes will satisfy the customer until a new patch is released.

Joe

Joe Newton
 