Log4j2 (CVE-2021-44228) security update

Fabio Donatellis (Employee)
edited January 2022 in Blog




LOG4J SECURITY ALERT UPDATE 17Dec2021

======================================

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. (Read more: https://logging.apache.org/log4j/2.x/security.html)

 

We have been alerted by Progress Software that the current version of the “HDP JDBC Verification Tool” uses a vulnerable version of log4j.

The JDBC Verification Tool is shipped with the “BOARD On-Premise Connector” and can be used to verify the compatibility of third-party JDBC drivers with Progress Data Direct OPC. If you are using the Board On-premises data connector, we recommend that you do not use the JDBC Verification Tool. Note that using the Board On-premise Connector itself does not expose you to any security risk.

 

Progress Software is aware of the current vulnerability of the JDBC Verification Tool which. As soon as this security update is made available by Progress, we will deploy the patch in all BOARD Cloud Data Centers, and the new “On Premise Connector” package will therefore be available for download. We will publish a further update as soon as it is available.


LOG4J SECURITY ALERT 14Dec2021

======================================

Board is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2” utility (CVE-2021-44228).
We have conducted the necessary analyses to assess the exposure of our systems and services to this vulnerability and can confirm that none of our systems and, for the avoidance of doubt, none of the Board Cloud services are exposed to this security threat.
During the assessment we identified that one service, the Board Cloud Connector (Hybrid Data Pipeline), uses Log4j, but in a version that is not affected by the vulnerability.

We continue to closely monitor the evolution of the threat and are promptly adopting all security measures to safeguard our customers.




Board Cloud Team