On Friday 10th December, Apache announced a critical vulnerability in the Log4J logging library for Java, called Log4Shell or LogJam.

This is one of the most serious vulnerabilities to have been discovered in recent times due to the widespread use of Log4J on both Linux and Windows systems either directly, or often as a requirement of another package or system.

In the main, Log4J is not included on systems deployed and supported by Charterhouse, but if you are unsure please get in touch with our Service Desk. 

We have been working with our partners to establish which systems are affected by this vulnerability and to apply the corrective actions needed to keep your environments protected. Brief summaries, with links to additional information, are given below:

  • Extreme

    Only the IQVA product range is affected; investigation into ExtremeGuest and 200-Series devices is ongoing.

    Further information can be found here.

  • Cirrus

The Cirrus Compliance and Security team have been actively evaluating the Log4J Java library remote code execution (RCE) vulnerability CVE-2021-44228, also known as Log4J Shell security vulnerability. Though evaluation is ongoing, to date we can confirm that we do not have any systems that are open to this vulnerability. We continue to monitor for automated botnet attacks, scanning and signs of exploitation.

  • Mitel

Mitel are still investigating their full portfolio, but have confirmed that the core Mitel 3300 MCD and MBG servers, along with Mitel 250, are not affected. The only impacted system identified so far is MiCollab version 8.0 and above, which we are currently working on getting patched.

Further information can be found here.

  • ATOS Unify

ATOS have confirmed that the OpenScape Business suite of applications is not impacted by this vulnerability.

Further information can be found here.

  • Avaya

This issue does not affect IP Office Basic Edition, Preferred Edition, Branch deployments or IP Office Powered By Containers. It affects only Server Editions and Application Servers running versions 11.04 and 11.1, as well as SBCs on version 8 and above.

Details for other Avaya products can be found here.

A patch was provided on 17th December 2021 to remediate all affected releases which we have deployed to the vast majority of our affected customers.

  • Redbox Call Recording

Redbox have confirmed their systems are not affected by this vulnerability.

"Red Box can confirm that Apache Log4j2 is not deployed within its Quantify product range and therefore not impacted by this vulnerability. This includes both software and Red Box supplied physical servers."

  • Sophos UTM

Sophos have confirmed that the vulnerability does not affect the firewalls or endpoint protection that Charterhouse deploy and support.

Further information can be found here.

  • Ribbon Session Border Controllers

Ribbon have confirmed all of their systems which we deploy and support are not affected by this vulnerability.

  • 8x8

Only Contact Centre environments were affected. These required a restart, with minimal downtime, between 10pm and 6am on the 15th and 16th December.

  • Gamma

"On Friday 10th December, Gamma's security and technical teams began a process of assessing systems and vendors to identify any services vulnerable to Log4Shell.

A number of services were identified and action was taken on Friday 10th and Saturday 11th to fully mitigate or patch internet facing services. Other internally facing systems had protection controls assessed and remediation plans are being put in place at present.

Additionally, Gamma's devices are continuously monitored and actions have been taken to check for indicators of compromise (IOCs) relating to this vulnerability. No evidence of compromise or unauthorised access to data was found.

We continue to work with our software vendors to ensure that both Gamma-hosted and third-party services are protected."

  • Silverpeak

Details can be found here.


Apache HTTP Server

VULNERABILITY:
Carefully crafted request targeting the mod_lua multipart parser – risk of Buffer Overflow.

DESCRIPTION/IMPACT:
While the Apache Software Foundation has not yet identified an active exploit for this vulnerability, they have advised that it may be possible to craft one. The vulnerability affects Apache HTTP Server versions 2.4.51 and lower and carries a risk rating of 9.8 (Critical); successful exploitation leads to a buffer overflow.

MITIGATION:
Upgrade to Apache HTTP Server version 2.4.52.

On servers that are not using updated upstream repositories, disable mod_lua (if it is not required) by performing the following steps:

1. Locate the Lua configuration file (typically found in the /etc/conf or /etc/httpd directories).
2. Remove or comment out the line responsible for loading the Lua module.
3. Restart the httpd service.
4. Run httpd -M to verify the Lua module is no longer loaded.


Further information can be found here.

Summary:
This update carries a Critical CVSS score of 9.8. We strongly recommend that our customers patch to 2.4.52 immediately to mitigate the risk to their Apache HTTP Server or, if they are not using current and updated upstream repositories, disable mod_lua as described above, as no backported fix had been released at the time of this update.

We are closely monitoring the situation and any further updates will be regularly added, so please bookmark this page.

To speak to the Charterhouse support team, please click here.