Updated January 3, 2022

What is Log4Shell (CVE-2021-44228)?

Log4Shell is a previously unknown vulnerability in Log4j, the logging software used by many applications written in the Java programming language. Most notably, this software is used in the Apache web server, which can be found in many applications that use a web-based front end for web-based APIs.

It was first publicly disclosed on December 9, 2021, and is estimated to impact hundreds of millions of devices.

For More Information:

https://en.wikipedia.org/wiki/Log4Shell

Next Steps

Because of the severity and wide reach of this vulnerability, you need to make sure your security systems are not impacted. We’ve compiled a list of our most installed systems and the impact of Log4Shell below.

If you have an active maintenance contract and your system is vulnerable, we will be reaching out to schedule a support ticket for resolution. If you are not covered under a maintenance agreement or are unsure if your products are secure, please contact our service department.

Don’t know where to start?

Contact our Service Department today by email (service@adirondacksecurity.com) or call 518-452-0124, option 2.

| Manufacturer | System Types | Impacted |
|---|---|---|
| Lenel | Door Access Control, Video, and Visitor Management | Yes |
| S2 | Access Control and Video | Yes |
| Axis | Cameras and Video Management System | No |
| Milestone | Video Management System | No |
| Ava Aware | Cloud-Based Video Management System | No |
| Exacq | Video Management System | No |
| Hanwha/Samsung | Cameras and Video Management System | No |
| Openpath | Cloud-Based Door Access Control | No |
| Brivo | Cloud-Based Door Access Control | No |
| EagleEye | Cloud-Based Video Management System | Yes |
| AiPhone | Intercom System | No |
| Ubiquiti | Point to Point Wireless, Switches, and Wireless Access Points | Yes |
| Bosch | Cameras, Alarm Systems | Under Review |
| Interlogix TruPortal | Door Access Control | Under Review |

Lenel

Door Access Control, Video, and Visitor Management

Impacted Systems

  • Lenel OnGuard software versions 8.0 (and 8.0 Update 1)

Resolution/Workaround

Statement from Lenel/S2

Our December 16, 2021 memo provided a temporary mitigation for OnGuard software versions 8.0 and 8.0 Update 1, which disabled the vulnerable Log4j code but also disabled the “OnGuard Reporting & Dashboards” functionality. As of Friday, December 17, 2021, a patch is now available for these OnGuard versions that updates the Log4j components to the latest version as of that date, providing a permanent fix for the known Log4j vulnerabilities.

S2

Access Control and Video

Impacted Systems

  • NetBox version 5.4.3 and below
  • NetBox Global software versions 3.0 and below
  • VRx software versions 5.4.2 and below
  • Elements Video Recorder version 2021-1209A and below.
  • NetVR™ software versions 5.4.3 and below

Resolution/Workaround

Statement from Lenel/S2

The products listed above (other than OnGuard software versions 8.0 and 8.0 Update 1) do contain Log4j version 1.2.x; however, that Log4j tool is vulnerable only when configured to use JMSAppender (as explained in CVE-2021-4104), which is not the case in any of these LenelS2 products. Nonetheless, it is still our intention to provide updates for these products to eliminate the vulnerable version of Log4j.

Milestone

Video Management System

Not Impacted

https://supportcommunity.milestonesys.com/s/article/Log4J-vulnerability-faq?language=en_US

Axis

Cameras and Video Management System

Not Impacted

https://www.axis.com/support/product-security

Ava Aware

Cloud-Based Video Management System, Cameras

Not Impacted

Statement from Ava

Ava Aware: All Stable versions – NOT Impacted; All Beta versions – NOT Impacted

Ava Cameras: All Stable versions – NOT Impacted; All Beta versions – NOT Impacted

Ava Aware Mobile Apps (iOS + Android): All versions – NOT Impacted

Ava Cloud: NOT Impacted

Exacq

Video Management System

Not Impacted

https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Hanwha/Samsung

Cameras and Video Management System

Not Impacted

https://support.hanwhasecurity.com/hc/en-us/articles/4412953216411–Vulnerability-Case-Review-Log4j-vulnerability-report

Openpath

Cloud-Based Door Access System

Not Impacted

https://support.openpath.com/en_us/openpath’s-response-to-apache-log4j-vulnerability-(cve-2021-44228)-rJvJrPBqt

Brivo

Cloud-Based Door Access System

Not Impacted

Statement from Brivo

Brivo does not utilize Log4j for logging within our applications. Brivo’s engineering and cybersecurity teams are currently analyzing all 3rd party integrations and external dependencies with other systems to ensure that this vulnerability is not present anywhere within the larger Brivo ecosystem.

EagleEye

Cloud-Based Video Management System

Fixes being delivered automatically:

https://www.een.com/blog/log4j-security-update/

AiPhone

Not Impacted

Ubiquiti

Point to Point Wireless Network and Wireless Access Points

Impacted Systems

  • Ubiquiti Network Control

Resolution

Update the UniFi Network application to Version 6.5.54 or later.

https://community.ui.com/releases/Security-Advisory-Bulletin-023-023/808a1db0-5f8e-4b91-9097-9822f3f90207

Bosch

Under Review

Bosch will release updates here:

https://www.boschsecurity.com/xc/en/support/product-security/security-advisories.html

Interlogix TruPortal

Under Review

December 17th, 2021