Apache Log4j Vulnerability Overview
A vulnerability in Apache Log4j (CVE-2021-44228) has been disclosed. It is estimated that 1/3 of the world's servers will be affected (from WBS, 12/15).
A system that writes user input values and information to its logs may be exposed to remote code execution if a malicious external user attacks it.
Although we have taken countermeasures since 12/15, the IPA and others still report that additional measures are needed. We are working on applying the latest Log4j update and on removing the root cause, the JndiLookup class, from the classpath.
Affected products and our response
Chat&Messenger desktop, web app, mobile app
No impact (no use of the library, including past versions)
On-premise CAMserver
On-premise CAMserver with Start video server
The case is applicable if you are a member of a group of companies that are
The video server for web conferencing had a dependency on the library, but the vulnerable processing, outputting user information to the log, does not apply to it. We have notified the system administrator and will support the upgrade of the system.
Chat&Messenger Cloud Server
Our cloud web conferencing video server had a dependency on the library, but the vulnerable processing, outputting user information to the log, does not apply to it.
Updates were applied to the video server on 12/14.