Updated January 3, 2022
What is Log4Shell (CVE-2021-44228)?
Log4Shell is a previously unknown vulnerability in Log4j, the logging software used by many applications written in the Java programming language. Most notably, this software is used in the Apache webserver, which can be found in many applications that use a web-based front end for web-based APIs.
It was first publicly disclosed on December 9, 2021, and is estimated to impact hundreds of millions of devices.
For More Information:
https://en.wikipedia.org/wiki/Log4Shell
Next Steps
Because of the severity and wide reach of this vulnerability, you need to make sure your security systems are not impacted. We’ve compiled a list of our most installed systems and the impact of Log4Shell below.
If you have an active maintenance contract and your system is vulnerable, we will be reaching out to schedule a support ticket for resolution. If you are not covered under a maintenance agreement or are unsure if your products are secure, please contact our service department.
Don’t know where to start?
Contact our Service Department today by email (service@adirondacksecurity.com) or call 518-452-0124, option 2.
Manufacturer | System Types | Impacted |
Lenel | Door Access Control, Video, and Visitor Management | Yes |
S2 | Access Control and Video | Yes |
Axis | Cameras and Video Management System | No |
Milestone | Video Management System | No |
Ava Aware | Cloud-Based Video Management System | No |
Exacq | Video Management System | No |
Hanwha/Samsung | Cameras and Video Management System | No |
Openpath | Cloud-Based Door Access Control | No |
Brivo | Cloud-Based Door Access Control | No |
EagleEye | Cloud-Based Video Management System | Yes |
AiPhone | Intercom System | No |
Ubiquiti | Point to Point Wireless, Switches, and Wireless Access Points | Yes |
Bosch | Cameras, Alarm Systems | Under Review |
Interlogix TruPortal | Door Access Control | Under Review |
Lenel
Door Access Control, Video, and Visitor Management
Impacted Systems
- Lenel OnGuard software versions 8.0 (and 8.0 Update 1)
Resolution/Workaround
Statement from Lenel/S2
Our December 16, 2021 memo provided a temporary mitigation for OnGuard software versions 8.0 and 8.0 Update 1, which disabled the vulnerable Log4j code but also disabled the “OnGuard Reporting & Dashboards” functionality. As of Friday, December 17, 2021, a patch is now available for these OnGuard versions that updates the Log4j components to the latest version as of that date, providing a permanent fix for the known Log4j vulnerabilities.
S2
Access Control and Video
Impacted Systems
- NetBox version 5.4.3 and below
- NetBox Global software versions 3.0 and below
- VRx software versions 5.4.2 and below
- Elements Video Recorder version 2021-1209A and below.
- NetVR™ software versions 5.4.3 and below
Resolution/Workaround
Statement from Lenel/S2
The products listed above (other than OnGuard software versions 8.0 and 8.0 Update 1) do contain Log4j version 1.2.x; however, that Log4j tool is vulnerable only when configured to use JMSAppender (as explained in CVE-2021-4104), which is not the case in any of these LenelS2 products. Nonetheless, it is still our intention to provide updates for these products to eliminate the vulnerable version of Log4j.
Milestone
Video Management System
Not Impacted
https://supportcommunity.milestonesys.com/s/article/Log4J-vulnerability-faq?language=en_US
Axis
Cameras and Video Management System
Not Impacted
https://www.axis.com/support/product-security
Ava Aware
Cloud-Based Video Management System, Cameras
Not Impacted
Statement from Ava
Ava Aware: All Stable versions – NOT Impacted; All Beta versions – NOT Impacted
Ava Cameras: All Stable versions – NOT Impacted; All Beta versions – NOT Impacted
Ava Aware Mobile Apps (iOS + Android): All versions – NOT Impacted
Ava Cloud: NOT Impacted
Exacq
Video Management System
Not Impacted
https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Hanwha/Samsung
Cameras and Video Management System
Not Impacted
Openpath
Cloud-Based Door Access System
Not Impacted
Brivo
Cloud-Based Door Access System
Not Impacted
Statement from Brivo
Brivo does not utilize Log4j for logging within our applications. Brivo’s engineering and
cybersecurity teams are currently analyzing all 3rd party integrations and external
dependencies with other systems to ensure that this vulnerability is not present anywhere
within the larger Brivo ecosystem.
EagleEye
Cloud-Based Video Management System
Fixes being delivered automatically:
https://www.een.com/blog/log4j-security-update/
AiPhone
Not Impacted
Ubiquiti
Point to Point Wireless Network and Wireless Access Points
Impacted Systems
- Ubiquiti Network Control
Resolution
Update the UniFi Network application to Version 6.5.54 or later.
Bosch
Under Review
Bosch will release updates here:
https://www.boschsecurity.com/xc/en/support/product-security/security-advisories.html
Interlogix TruPortal
Under Review