Log4j2 Update

Möbius and the Apache Log4j2 Vulnerability

Introduction: This page provides the latest updates on the potential impact of the open-source Apache “Log4j2” vulnerability on DigitalEd products and services based on the findings of our ongoing investigation. We are actively following the vulnerabilities in the Apache “Log4j2” utility (CVE-2021-44228 and CVE-2021-45046).

Background: The Apache Log4j2 utility is a commonly used open-source library for application logging. On December 9, 2021, a vulnerability was reported that could allow an attacker to compromise a system running Apache Log4j2 version 2.15 or below and execute arbitrary code.

Updates

  • January 27, 2022

    Product Name: Möbius 2022.0
    Status: Updated, no action needed.
    Additional Information: Möbius has been updated to use Log4j 2.17. Version 2022.0 will be released in early Feb 2022, and upgrades will commence immediately.


  • December 22, 2021

    Product Name: Möbius 2021.2, 2020.2.3 and 2019.2
    Status: Investigated, no action needed.
    Additional Information: TrustNCS has completed scans of Möbius 2021.2, 2020.2.3 and 2019.2 and has not found any vulnerabilities.


  • December 21, 2021

    Product Name: Möbius 2021.2
    Status: Investigation Completed.
    Additional Information: DigitalEd has contracted the company TrustNCS, a leading provider of cybersecurity solutions, to perform external security scans to validate our solution. We will know the results of these tests on December 22, 2021. In addition, an investigation has started into creating a patch for Möbius 2021.2 to upgrade Log4j to 2.17.


  • Tuesday Dec 14, 2021

    Product Name: Möbius 2020.1.1 and older
    Status: No Action Needed
    Additional Information: Older versions of Möbius use Log4j 1.x and are not affected by CVE-2021-44228.


  • Tuesday Dec 14, 2021

    Product Name: Möbius Services, Pay Portal, Web Store, LTI Service, SAML Service, LDAP Service
    Status: No Action Needed
    Additional Information: These services do not use Log4j2 and are not impacted by the identified CVE.


  • Monday Dec 13, 2021

    Product Name: Möbius 2021.2, 2021.1, 2021.0, 2020.2.3
    Status: Mitigated, no further action needed.
    Additional Information: Möbius uses Log4j 2.13.3 and has limited exposure to the Log4j2 vulnerability. DigitalEd immediately rolled out the changes to include the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable. We were able to validate that after the mitigation our tests were no longer able to recreate CVE-2021-44228.

