View updates on the Apache Log4j2 vulnerability
Introduction: This page provides the latest updates on the potential impact of the open-source Apache “Log4j2” vulnerability on DigitalEd products and services, based on the findings of an ongoing investigation. DigitalEd is actively following the vulnerabilities in the Apache “Log4j2” utility (CVE-2021-44228 and CVE-2021-45046).
Background: The Apache Log4j2 utility is a commonly used open-source library for application logging. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j2 version 2.15 or below to be compromised and allow an attacker to execute arbitrary code.
Updates
Actions taken by DigitalEd in relation to these vulnerabilities are listed below:
January 27, 2022
Product Name: Möbius 2022.0
Status: Product Update; no further action needed.
Additional information: Möbius has been updated to use log4j 2.17 for version 2022.0. Möbius 2022.0 will be released in February 2022 and upgrades will commence immediately.
December 22, 2021
Product Name: Möbius 2021.2, 2020.2.3, 2019.2
Status: Investigated; no action needed.
Additional information: TrustNCS has completed scans of Möbius 2021.2, 2020.2.3 and 2019.2 and has not found any vulnerabilities.
December 21, 2021
Product Name: Möbius 2021.2
Status: Investigation completed.
Additional information: DigitalEd has contracted the company TrustNCS (https://trustncs.com/), a leading cybersecurity solutions provider, to perform external security scans to validate the DigitalEd solution. DigitalEd will know the results of these tests on December 22, 2021. In addition, an investigation has started into patching Möbius 2021.2 to upgrade Log4j to version 2.17.
December 14, 2021
Product Name: Möbius 2020.1.1 and older
Status: No action needed.
Additional information: Older versions of Möbius use Log4j 1.x and aren’t affected by CVE-2021-44228.
December 14, 2021
Product Name: Möbius Services, Pay Portal, Web Store, LTI Service, SAML Service, LDAP Service
Status: No action needed.
Additional information: These services don’t use Log4j2 and aren’t impacted by the identified CVEs.
December 14, 2021
Product Name: Möbius 2021.2, 2021.1, 2021.0, 2020.2.3
Status: Mitigated; no further action needed.
Additional information: Möbius uses Log4j 2.13.3 and has limited exposure to the Log4j2 vulnerability. DigitalEd immediately rolled out the changes to include the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable. DigitalEd was able to validate that, after the mitigation, tests could no longer recreate CVE-2021-44228.
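The two controls described in this log, setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable on an affected 2.x deployment and then upgrading to Log4j 2.17, are the kind of thing an operator wants to verify on their own hosts rather than take on trust. The following is an added example, not DigitalEd’s or Apache’s code. It assumes Log4j 2 is deployed as a jar named log4j-core-<version>.jar whose META-INF/MANIFEST.MF carries an Implementation-Version entry (the standard layout of the Apache artifact), and it applies the thresholds stated on this page: 2.15 and below affected, 2.17 the fixed target, Log4j 1.x not affected by CVE-2021-44228. Two facts from the Apache project are used beyond the page: the no-lookups flag is only honoured from 2.10 onward, and 2.16.0 already removed message lookups, so a 2.16 install is treated as “upgrade recommended” rather than vulnerable. The 2.3.1 and 2.12.2 backport branches for older Java runtimes are not modelled; the sample jars built by build_sample_tree() are constructed for the demonstration.

```python
"""Inventory check for Log4j2 exposure on a host (added example, not vendor code).

Assumptions (not from the advisory): log4j-core-<version>.jar with a
MANIFEST.MF Implementation-Version; thresholds follow the CVE ranges the
advisory names (<=2.15 affected, 2.17 fixed, 1.x unaffected by CVE-2021-44228).
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Iterator, Mapping, Tuple

Version = Tuple[int, int, int]

FIXED_VERSION: Version = (2, 17, 0)       # page: Möbius 2022.0 moves to log4j 2.17
LOOKUPS_REMOVED: Version = (2, 16, 0)     # Apache: message lookups removed in 2.16.0
NO_LOOKUPS_MIN: Version = (2, 10, 0)      # Apache: flag/env var honoured from 2.10 on


def parse_version(text: str) -> Version:
    """Pull a dotted major.minor[.patch] out of a filename or manifest value."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(version: Version, env: Mapping[str, str]) -> str:
    """Classify one log4j-core version against the mitigations on the page."""
    if version[0] < 2:
        return "not-affected"                  # Log4j 1.x, CVE-2021-44228 does not apply
    if version >= FIXED_VERSION:
        return "fixed"
    if version >= LOOKUPS_REMOVED:
        return "upgrade-recommended"           # RCE lookups gone; 2.17 is the page's target
    no_lookups = env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().lower() == "true"
    if version >= NO_LOOKUPS_MIN and no_lookups:
        return "mitigated-needs-upgrade"       # the Dec 14 state: env var set, upgrade pending
    return "vulnerable"                        # <=2.15 without an effective mitigation


def find_log4j_core(root: Path) -> Iterator[Tuple[Path, Version]]:
    """Yield (jar, version) for every log4j-core jar under root.

    The manifest is preferred over the filename so a renamed jar is still read
    correctly; a jar that is not a readable zip falls back to its filename.
    """
    for jar in sorted(root.rglob("log4j-core-*.jar")):
        version = None
        try:
            with zipfile.ZipFile(jar) as zf:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
                if m:
                    version = parse_version(m.group(1))
        except (zipfile.BadZipFile, KeyError):
            pass
        yield jar, version if version is not None else parse_version(jar.name)


def report(root: Path, env: Mapping[str, str]) -> Dict[str, str]:
    """Map each jar filename found under root to its assessment."""
    return {jar.name: assess(version, env) for jar, version in find_log4j_core(root)}


def build_sample_tree(root: Path) -> None:
    """Constructed sample: a 2.13.3 jar (the version on the page) and a 2.17.0 jar."""
    for ver in ("2.13.3", "2.17.0"):
        jar = root / "lib" / f"log4j-core-{ver}.jar"
        jar.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(jar, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {ver}\r\n")


def demo() -> Dict[str, str]:
    """Run the check over the constructed tree with the page's env var set."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return report(root, {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"})


if __name__ == "__main__":
    # On a real host: report(Path("/opt/app"), os.environ)
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run it against a real install with report(Path("/path/to/app"), os.environ); a "mitigated-needs-upgrade" result is the state this page describes for December 14, and "fixed" is the state it reaches with 2.17. Reading the version from the manifest rather than the filename matters because vendored copies are often renamed, and checking the environment variable of the process that actually runs the JVM (not just a shell) is what makes the mitigation result meaningful.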
December 9, 2021
Product Name: Möbius
Status: Reported
Additional information: Vulnerabilities were reported that could allow a system running Apache Log4j2 version 2.15 or below to be compromised and allow an attacker to execute arbitrary code.