Updated 7/13/2022
SafeConsole OnPrem and Cloud solutions were upgraded for the initial 0-day exploit (CVE-2021-44228) with the 5.9.3.92 release.
Since that patch, Apache has released the 2.16 and 2.17 updates to the log4j library. The vulnerabilities those updates address require a non-default configuration of the log4j library involving thread context lookup patterns, which is not configured in SafeConsole 5.9.3.92. DataLocker's development and security teams have been following the log4j developments closely and will continue to evaluate any new vulnerabilities that are announced. With the 5.9.4 release of SafeConsole, the log4j library was brought fully up to date, to 2.17.1.
During this time, secondary mitigations have been applied to SafeConsole Cloud, including updating the rules in our web application firewall. OnPrem customers are recommended to work with their teams to put their own secondary controls in place in their environment. Such controls could include limiting outbound network connections from the SafeConsole server. Other mitigations, such as manually removing the JndiLookup class from the classpath, can be applied if required.
SafeConsole OnPrem - Update required to 5.9.3.92. This patches the log4j library to 2.15. To fully update the log4j library, SafeConsole 5.9.4 is recommended.
- Release Notes
- Download and Instructions
- 5.9.3.92 download was made available at 5:00 pm CST on 12/10/2021
- 5.9.4 download was made available on 7/18/2022
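For OnPrem customers who want to confirm the state described above on their own server (log4j-core at 2.17.1, or the JndiLookup class removed as a secondary control), the following audit helper is an added example and not DataLocker's code. It assumes a standard log4j-core jar layout (Maven pom.properties inside the jar) and builds constructed sample jars for the demonstration; point `scan()` at the SafeConsole install directory for a real check.

```python
# Added audit helper (not DataLocker's code); assumes a standard log4j-core jar layout.
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FULLY_PATCHED = (2, 17, 1)  # log4j version the advisory says SafeConsole 5.9.4 ships

def parse_version(text):
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def jar_version(zf, path):
    """Version from Maven pom.properties inside the jar, else from the file name."""
    if POM_PROPS in zf.namelist():
        for line in zf.read(POM_PROPS).decode().splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    return parse_version(Path(path).name)

def audit_jar(path):
    """Report version, whether JndiLookup is still bundled, and whether action is needed."""
    with zipfile.ZipFile(path) as zf:
        version = jar_version(zf, path)
        has_jndi = JNDI_LOOKUP in zf.namelist()
    up_to_date = version is not None and version >= FULLY_PATCHED
    # Below 2.17.1 with JndiLookup still present: neither the update nor the
    # class-removal mitigation from the advisory has been applied.
    return {"version": version, "jndi_lookup_present": has_jndi,
            "needs_action": has_jndi and not up_to_date}

def scan(root):
    """Audit every log4j-core*.jar below root (e.g. the SafeConsole install directory)."""
    return {p.name: audit_jar(p) for p in Path(root).rglob("log4j-core*.jar")}

def build_fixture(path, version, include_jndi=True):
    """Write a constructed, minimal jar for demonstration; not a real log4j build."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes

def demo():
    """Three constructed jars: unpatched, JndiLookup removed by hand, fully updated."""
    root = Path(tempfile.mkdtemp())
    build_fixture(root / "log4j-core-2.14.1.jar", "2.14.1")
    build_fixture(root / "log4j-core-2.15.0.jar", "2.15.0", include_jndi=False)
    build_fixture(root / "log4j-core-2.17.1.jar", "2.17.1")
    return scan(root)
```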
SafeConsole Cloud - No action required by customers
- Web Application Firewall rules were in place on 12/10/2021 as a temporary mitigation
- All Cloud instances have been updated automatically to 5.9.3.92 as of Monday 12/13/2021 10:30 am CST
EMS OnPrem - Does not contain vulnerable packages identified by CVE-2021-44228
EMS Cloud - Does not contain vulnerable packages identified by CVE-2021-44228
Devices with 4.8.x and 6.x clients - Do not contain vulnerable packages identified by CVE-2021-44228
- This includes all devices made by DataLocker (DL4, K350, H300, H350, Sentry One, etc.)
PortBlocker - Does not contain vulnerable packages identified by CVE-2021-44228
SafeCrypt - Does not contain vulnerable packages identified by CVE-2021-44228
If you have any questions, please contact support@datalocker.com.