Administrators Teddy Posted December 14, 2021 Administrators Share Posted December 14, 2021 Since the reported vulnerability in log4j we have responded to several customer tickets and emails inquiring about the presence of log4j in Seeq. No recent version of Seeq (back to and including R50) either includes or uses log4j, therefore the issue does not apply to Seeq customers using recent versions of the software (your version of Seeq can be found in the lower left corner of the Seeq user interface). Link to comment Share on other sites More sharing options...
Seeq Team Mark Derbecker Posted December 18, 2021 Seeq Team Share Posted December 18, 2021 (edited) Frequently Asked Questions regarding the Log4Shell vulnerability and Seeq Does Seeq or any of its constituent 3rd-party components use Log4J? No. Seeq uses a library called Logback, which is not vulnerable to the high-criticality Log4Shell exploit (CVE-2021-44228). There is a related vulnerability (CVE-2021-42550) in Logback that the security community has deemed as medium criticality given that it requires access to logback's configuration file by the attacker, sign of an already compromised system. According to Seeq's 3rd Party Vulnerability assessment process, CVE-2021-42550 has been assessed as low criticality in the context of the Seeq system but the library will nonetheless be upgraded as part of an upcoming Seeq point release. My virus scanner is flagging log4j-over-slf4j-1.7.7.jar as vulnerable. What's up with that? Virus scanners, depending on their level of sophistication, may flag a file named cassandra/files/lib/log4j-over-slf4j-1.7.7.jar in the Seeq installation folder for Seeq versions R50 and older. This component does not suffer from the Log4Shell vulnerability, it is an adapter layer that is only used if Log4J is also used somewhere in the system. See http://slf4j.org/log4shell.html for more information. The component was part of the Cassandra NoSQL database system, a sub-component of the overall Seeq system in versions R50 and earlier. Cassandra has been removed in R51 and later. I see something called log4js and log4javascript in the webserver folder of the Seeq installation. What about that? Those files are related to a Javascript library that performs a similar logging function as Log4j but does not contain the vulnerability. More information: https://github.com/log4js-node/log4js-node/issues/1105 Edited December 20, 2021 by Mark Derbecker Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now