What are Log4J and CVE-2021-44228 / Log4Shell?

Log4j is a Java logging library. It is part of the Apache Logging Services project and is released under the Apache License 2.0, which means it is free to use; as a result it has become one of the most widely used logging libraries in the world for Java development.

CVE-2021-44228 / Log4Shell is a zero-day vulnerability in Log4j. It takes advantage of Log4j performing lookups against arbitrary LDAP and JNDI servers without checking the responses, which allows attackers to execute arbitrary Java code on a server or other computer, or to leak sensitive information.

CVE-2021-44228 / Log4Shell is exploitable in Log4j versions from 2.0.1 up to and including 2.14.2 (>= 2.0.1 and <= 2.14.2). The issue has been mitigated in versions 2.15 and higher (>= 2.15), and it is not exploitable in Log4j version 1.x, since that branch does not support LDAP and JNDI.

Are SecureJet, Celiveo 8 and Celiveo 8R Impacted?

SecureJet 7, Celiveo 8 and Celiveo 8R are not impacted by the CVE-2021-44228 / Log4Shell vulnerability.

Are there any Celiveo or Celiveo related components/modules that use Log4J, and what is the risk?

Yes, but there is no exposure to this specific vulnerability.

Celiveo 8R Web Admin

Celiveo Web Admin 8R includes a Ricoh tool (RXOP) that it calls to install the Ricoh Printer Agent. RXOP uses Log4J version 1.2.17 and is therefore not impacted by the vulnerability.

Celiveo Ricoh Printer Agent

The Celiveo Ricoh Printer Agent uses Log4J version 1.2.17 and is therefore not impacted by the vulnerability.

Celiveo SAP Connector

Celiveo SAP Connector is a connector add-on for Celiveo 8 and Celiveo 8R. It is not distributed as part of the main product; it must be downloaded and installed on top of an existing Celiveo / SAP installation. The SAP Connector uses Log4J version 1.2.17 and is therefore not impacted by the vulnerability.

CVE-2021-44228 / Log4Shell Reports

Some vulnerability identification tools wrongly report Log4J version 1.2.17 as impacted; it is not. The information about CVE-2021-44228 / Log4Shell and the exploitable versions is available in the original vulnerability report at NVD - CVE-2021-44228 (nist.gov).
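The version ranges stated above, and the false positives that scanners raise on 1.2.17, can be checked directly against the manifest inside a log4j jar. The following is an added example, not Celiveo's or Apache's code; it assumes the jar's META-INF/MANIFEST.MF carries a standard Implementation-Version (or Bundle-Version) header, and it builds a small in-memory jar as constructed sample input so it runs offline.

```python
"""Classify Log4j builds against the version ranges stated in this advisory."""
import io
import re
import zipfile

# Ranges exactly as stated above: >= 2.0.1 and <= 2.14.2 vulnerable,
# >= 2.15 mitigated, 1.x not affected (no LDAP/JNDI lookups).
VULN_LOW, VULN_HIGH, FIXED = (2, 0, 1), (2, 14, 2), (2, 15, 0)

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing parts become 0; qualifiers like '-rc1' are dropped."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def classify(version):
    """Map a version string onto the advisory's categories."""
    v = parse_version(version)
    if v[0] == 1:
        return "not affected (1.x has no LDAP/JNDI lookup)"
    if VULN_LOW <= v <= VULN_HIGH:
        return "vulnerable: upgrade to 2.15 or later"
    if v >= FIXED:
        return "mitigated"
    return "outside the ranges stated in the advisory"

def jar_version(jar_bytes):
    """Read the version header from META-INF/MANIFEST.MF of a jar given as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    raise ValueError("no version header in manifest")

def make_jar(version):
    """Constructed stand-in for a log4j jar: only the manifest matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    for ver in ("1.2.17", "2.14.1", "2.15.0", "2.17.1"):
        print(ver, "->", classify(jar_version(make_jar(ver))))
```

For a real host, replace make_jar(...) with the bytes of each log4j*.jar found on disk; the 1.2.17 jar used by RXOP, the Ricoh Printer Agent and the SAP Connector classifies as not affected.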