Official information on log4j security vulnerability

Hi,

we inform you about the log4j security vulnerability:

pascom 19 and parts of pascom 20 are affected by the problem, even if the “usual” script attacks cannot be applied to our systems.

We have known about the issue since Friday morning. We are working on a patch for pascom 19 and will keep everyone updated in this thread. Our cloud systems are updated automatically.

Best regards,
Mathias Pasquay

Interim report:

For version 19.17 and higher, we are not attackable with the main exploit via LDAP because we ship the latest Java bug fixes with this version. In addition, only the XMPP server is affected and not e.g. the web server. So a handcrafted attack would have to be done directly with our protocols.

This means that the attacks currently circulating on the Internet all fail currently.

Recommended action for on-site systems: We currently see no urgent need to take the systems offline. A corresponding bugfix release will be available during the afternoon.

Recommended action for cloud users: No user action is required here. Our systems have been monitored since the weekend. The security vulnerabilities will be completely closed with an update tonight.

We will inform all on-site customers as soon as the bug fix is available.


The pascom Server Version 19.20 with log4j patches is now available: https://download.pascom.net/release-archive/server/7.19.20/pascom_7.19.20.R.iso


https://www.heise.de/news/Log4j-2-16-0-verbessert-Schutz-vor-Log4Shell-Luecke-6294053.html

Which version did you build in?

We disabled the problematic feature entirely, rather than only raising the version.

Hi Mathias,
we have installed Pascom version 17 on our server.
With a test I have noticed that we are vulnerable to LOG4J.
Can we solve this? Is there any update?

Best regards,
Paolo

Hi @psacco

Log4perl should not be vulnerable to CVE-2021-44228 (MITRE) as stated here (IT Security News) and here (borncity).

Best regards,
Raphael

Hello @psacco,

pascom 17 is EOL. Please update to https://download.pascom.net/release-archive/server/7.19.20/pascom_7.19.20.R.iso

Cheers,
Mathias

Hi Mathias,
we need to receive support regarding the update. Could you help us?

Best regards,
Paolo

Hello Paolo,

if you have a PREMIUM Subscription you can contact your support team directly. You can find all the details via my.pascom.net in your Subscription Details.

If you are a FREE or BASIC user, please consult the forum for help.

Regards,
Mathias

Hi Mathias,
the colleague who had the access data no longer works in our company.
How can we recover them?

Regards,
Paolo

Hi @psacco,

please use our mypascom Portal for support requests and open a new support ticket. In our system you are registered as Portal admin with your email address. If you have forgotten your mypascom Portal password, simply restore it.

Regards,
Andi