Update January 4, 2022:
We are aware of the announced moderate security risk with Log4j version 2.17.
Xinet was recently updated to 2.17.0 (click here to access the release). We plan to update Xinet to the latest version (presently 2.17.1) with the next planned release of the product.
In the meantime, customers can mitigate this risk by following the procedures mentioned below in the December 27th update.
Update December 27, 2021:
For customers not prepared to update to the current version of Xinet, there are two options that we believe mitigate the security risk. Our engineering team has verified both options.
The first option is to remove the JndiLookup class from the classpath, for example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. The process is described here in more detail.
The second option is disabling Solr, i.e., removing /usr/etc/venture/solr. This mitigates the vulnerability by eliminating the only vulnerable JAR file, log4j-core-*.jar. After removal, confirm that the JAR no longer exists with the command: find / -name "log4j-core*.jar".
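As an added example (not IgniteTech's or Xinet's own tooling), the checks behind both options written with Python's standard library: locate log4j-core JARs under a root the way the find command does, test whether a JAR still ships JndiLookup.class, and strip that class the way the zip -d command does. The JAR it operates on is constructed in a temporary directory and is not a real Log4j build; the path solr/lib inside it is an assumption for illustration.

```python
import os
import tempfile
import zipfile

# Class that CVE-2021-44228 abuses; removing it from the JAR is the page's first option.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_log4j_core_jars(root):
    """Same search as `find <root> -name "log4j-core*.jar"`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def has_jndi_lookup(jar_path):
    """True if the JAR still contains JndiLookup.class, i.e. the mitigation is not in place."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()


def strip_jndi_lookup(jar_path):
    """Equivalent of `zip -q -d <jar> org/.../JndiLookup.class`: rewrite the JAR without it.
    Returns True if the class was removed, False if it was already absent."""
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))  # keeps each entry's metadata
    os.replace(tmp, jar_path)  # swap the cleaned JAR into place
    return True


def make_sample_jar(path):
    """Constructed stand-in for a vulnerable log4j-core JAR (dummy class bytes, not real Log4j)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Build the sample JAR, check it, strip the class, re-check; returns the observations."""
    root = tempfile.mkdtemp()
    jar = os.path.join(root, "solr", "lib", "log4j-core-2.14.1.jar")  # assumed layout
    os.makedirs(os.path.dirname(jar))
    make_sample_jar(jar)
    return {"found": find_log4j_core_jars(root), "before": has_jndi_lookup(jar),
            "removed": strip_jndi_lookup(jar), "after": has_jndi_lookup(jar)}
```

Running strip_jndi_lookup a second time on the same JAR returns False, which is the idempotence check to use when re-running the mitigation across hosts.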
Update December 23, 2021: The 2021.8 version of Xinet is now available that leverages the 2.17 version of Log4j, which removed the identified vulnerable functionality.
We are encouraging all customers to upgrade to this latest version as soon as possible. Here is the link to access the release artifacts.
Update December 22, 2021: A previous version of this page referenced upgrading to Log4j version 2.16. Per the most recent guidance (CVE-2021-45105), we will now upgrade to Log4j version 2.17 instead.
A new 0-day vulnerability, formally designated CVE-2021-44228, was published in the NIST National Vulnerability Database on Friday and was followed by this NIST entry on December 14th. The vulnerability is in the Log4j Java library.
Log4j is a popular open-source logging library maintained by the Apache Software Foundation. The vulnerability allows attackers to execute arbitrary code remotely on an affected system. NIST classifies its severity as "Critical".
Our investigations show that Xinet makes use of a vulnerable version of Log4j. IgniteTech is currently implementing a patch to upgrade Log4j.
Within the next few days, IgniteTech plans to release this patched version of Xinet, which uses Log4j version 2.16. Log4j 2.16 has no known or published security vulnerabilities at this time.
This page will be updated when the patch is available.