Apache log4j library vulnerability

CVE:

CVE-2021-44228

Publication Date:

2021-Dec-13

Severity:

Critical

Reference:

Status:

Confirmed

Overview

On December 9th, 2021, a vulnerability in certain versions of the Apache log4j library was disclosed. Products that use this library are susceptible to a remote code execution vulnerability, which a remote attacker can leverage to gain full control of the impacted device. More details can be found at NIST.

Details

Since the discovery of this vulnerability, EnGenius Research Center has been closely monitoring this threat and how it may affect EnGenius products. Only a few EnGenius cloud services use the log4j library, and none of them use it in a way that makes them vulnerable to CVE-2021-44228. The conclusion of the investigation is that the products listed below under the Unaffected Products section are not vulnerable to CVE-2021-44228. If new information is discovered, this advisory will be updated.

Affected Products

  • ezWifiPlanner service

    Although ezWifiPlanner does not enable any of the JNDI and LDAP features that cause the vulnerability, we have still upgraded the related log4j libraries to ensure safety.

Unaffected Products

  • EnGenius Cloud

  • ezMaster

  • EnSky

  • EWS Access Points

  • EWS Ethernet Switches

  • ECW Access Points

  • ECS Ethernet Switches

  • ENH Access Points

  • ENS Access Points

  • EnStation Access Points

  • EMR Routers

  • ESR Routers

  • All EnGenius Mobile Apps

Last updated