Jump to content

Security notice with log4j (Seeq versions R50 and newer are not vulnerable)


Teddy
 Share

Recommended Posts

  • Administrators

Since the reported vulnerability in log4j we have responded to several customer tickets and emails inquiring about the presence of log4j in Seeq. No recent version of Seeq (back to and including R50) either includes or uses log4j, therefore the issue does not apply to Seeq customers using recent versions of the software (your version of Seeq can be found in the lower left corner of the Seeq user interface).

Link to comment
Share on other sites

  • Teddy changed the title to Security notice with log4j (Seeq versions R50 and newer are not vulnerable)
  • Seeq Team

Frequently Asked Questions regarding the Log4Shell vulnerability and Seeq

Does Seeq or any of its constituent 3rd-party components use Log4J?

No. Seeq uses a library called Logback, which is not vulnerable to the high-criticality Log4Shell exploit (CVE-2021-44228). There is a related vulnerability (CVE-2021-42550) in Logback that the security community has deemed as medium criticality given that it requires access to logback's configuration file by the attacker, sign of an already compromised system. According to Seeq's 3rd Party Vulnerability assessment process, CVE-2021-42550 has been assessed as low criticality in the context of the Seeq system but the library will nonetheless be upgraded as part of an upcoming Seeq point release.

My virus scanner is flagging log4j-over-slf4j-1.7.7.jar as vulnerable. What's up with that?

Virus scanners, depending on their level of sophistication, may flag a file named cassandra/files/lib/log4j-over-slf4j-1.7.7.jar in the Seeq installation folder for Seeq versions R50 and older. This component does not suffer from the Log4Shell vulnerability, it is an adapter layer that is only used if Log4J is also used somewhere in the system. See http://slf4j.org/log4shell.html for more information.

The component was part of the Cassandra NoSQL database system, a sub-component of the overall Seeq system in versions R50 and earlier. Cassandra has been removed in R51 and later.

I see something called log4js and log4javascript in the webserver folder of the Seeq installation. What about that?

Those files are related to a Javascript library that performs a similar logging function as Log4j but does not contain the vulnerability. More information: https://github.com/log4js-node/log4js-node/issues/1105

Edited by Mark Derbecker
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...