Information on Log4j (updated 12.01.22)
Updates
- 12.01.22: The new setup 7.0.23 contains the new Log4j 2.17.1 patch which was published after we released the 7.0.19 version.
- 23.12.21: The new setup 7.0.19 contains the new Log4j 2.17 patch which was published after we released the 7.0.18 version.
Information
There are currently many reports in the press about the Log4j vulnerability. Due to the numerous inquiries we have received about the Log4j issue, we would like to provide you with detailed information on this topic:
Which CamIQ versions and services are potentially affected?
- The Log4j component is used in various modules/services from CamIQ 4.x onward. Older CamIQ 7.x versions are also affected.
- For CamIQ 7.x, corresponding patches are available in the download area of our website.
- The CamIQ web services operated by us (e.g. the CamIQ Connect Server for sending push messages or the CamIQ Backend) have been secured.
For older CamIQ versions for which support has already expired, we recommend updating to the current CamIQ version. More detailed information about supported operating systems and the support period can be found in the following document:
https://www.camiq.net/en/service-support/faq
If you need an update license for the current CamIQ 7.x version, you can use the following form to request an offer:
https://www.camiq.net/en/non-binding-update-offer
If an update to the latest CamIQ 7.x version is not possible for any reason (e.g. because the CamIQ system is still used on an older Windows version), we recommend the following steps:
Deactivate the potentially affected CamIQ services. To our knowledge, this concerns older versions of the CamIQ Middleware (CamIQ 4.x - 6.x), which serves as the interface for the web client and the CamIQ App (iOS), and additionally some customer-specific modules that are not included in the standard setup.
Risk assessment
Exploiting the potential Log4j vulnerability in conjunction with CamIQ is theoretically possible. However, our tests did not reveal any scenario in which user input is logged directly via Log4j. Since this is, to our knowledge, a mandatory prerequisite for exploiting the vulnerability, we currently assume that standard attack scenarios, such as those that occur on websites with forms for user input, do not apply to CamIQ. Update 23.12.21: Please make sure that all users with any administrator rights (on the CamIQ Server as well as all modules, especially the CamIQ Dispatcher) are configured with strong passwords.
To eliminate the attack potential that theoretically remains in the case of targeted attacks on CamIQ systems, we nevertheless recommend updating to the latest CamIQ version as well as applying regular patches to the operating system in use.
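As an added verification step (example code, not a tool provided by the CamIQ vendor), the following script scans an installation directory for log4j-core JARs and flags any below 2.17.1, the version shipped with setup 7.0.23. It assumes the JAR manifest carries an Implementation-Version entry and falls back to the file name otherwise; the sample JARs it builds are constructed stand-ins, and on a real system the CamIQ install directory (a placeholder here) would be passed to scan_install_dir instead.

```python
import os
import re
import tempfile
import zipfile

# Minimum log4j-core version matching the patched setup named on this page (Log4j 2.17.1 in setup 7.0.23).
MIN_SAFE_VERSION = (2, 17, 1)

def parse_version(text):
    """Turn '2.17.1' or '2.17' into a comparable int tuple; unparsable input -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g) if g else 0 for g in m.groups()) if m else None

def log4j_core_version(jar_path):
    """Read Implementation-Version from the JAR manifest (assumed present); else use the file name."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return parse_version(m.group(1))
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # corrupt JAR or no manifest: fall through to the file-name check
    m = re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$", os.path.basename(jar_path))
    return parse_version(m.group(1)) if m else None

def scan_install_dir(root):
    """Return {file name: (version, needs_update)} for every log4j-core JAR below root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                version = log4j_core_version(os.path.join(dirpath, name))
                # An unknown version is flagged for attention, never assumed safe.
                findings[name] = (version, version is None or version < MIN_SAFE_VERSION)
    return findings

def make_fake_jar(path, version=None):
    """Write a constructed stand-in JAR holding only a manifest (demo data, not a real library)."""
    lines = ["Manifest-Version: 1.0"] + (["Implementation-Version: " + version] if version else [])
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\n".join(lines) + "\n")

def demo():
    """Scan a constructed layout; on a real system pass the CamIQ install directory instead."""
    with tempfile.TemporaryDirectory() as root:
        make_fake_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
        make_fake_jar(os.path.join(root, "log4j-core-2.16.0.jar"))  # no manifest version
        make_fake_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
        return scan_install_dir(root)
```

Calling demo() returns each JAR name with its detected version and whether it needs updating; only the 2.17.1 JAR passes.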
The currently much-discussed Log4j vulnerability shows once again that ongoing system maintenance is very important for products that remain in use for many years.
For the maintenance of CamIQ systems we offer the CamIQ Software Maintenance Assurance (SMA). With the SMA, updates to the latest release are covered for the complete duration of the SMA (also beyond the warranty period). If you would like more information on this topic, we would be happy to hear from you.