BSI security warning: log4j

created by KISTERS AG

potential vulnerability of software modules provided by the (Apache) Tomcat server

Visit the KISTERS AG website for the official statement or update about the IT security incident.

Our development teams have identified unaffected and potentially affected software modules from the security warning issued by the BSI for log4j (see below) and have informed our customers about recommended measures by mail in the past two days.

The (Apache) Tomcat server itself is not affected by the vulnerability, but the software modules provided with this service potentially are.

13 December 2021: BSI log4j initial assessment

Latest warning from the German Federal Office for Information Security (BSI) entitled "Critical vulnerability in log4j published (CVE-2021-44228)". [The warning was issued in German.]

The logging library log4j is used in many Java applications. These include web servers exposed on the internet/intranet such as the (Apache) Tomcat service, which is also used by KISTERS software. As the vulnerability can be exploited on a large scale on the internet and this is apparently already happening, the BSI has now given it a rating of "4 / Red: The IT threat situation is extremely critical".

(KISTERS) We therefore recommend that our customers

1. check the security settings of their web servers at short notice and

2. in particular implement the first measure recommended by the BSI:

Servers should generally only be allowed to establish connections (especially to the internet) that are absolutely necessary for the purpose of use. Other accesses should be prevented by appropriate control instances such as packet filters and application layer gateways. [BSI2021b].
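The BSI measure quoted above (permit only the outbound connections a server needs, block everything else with a packet filter) can be expressed as a host-level nftables ruleset. The following is an added example written for this page, not a configuration from KISTERS or the BSI. The interface name and the addresses of the internal DNS resolver, NTP server and update mirror are constructed placeholders that must be replaced with the values of the real environment.

```nftables
#!/usr/sbin/nft -f
# Added example (not KISTERS' or BSI's own configuration): default-deny egress
# policy for a host running a Java web application such as Tomcat.
# Assumed, constructed values: internal DNS resolver 10.0.0.53, internal NTP
# server 10.0.0.123, internal update mirror 10.0.1.10 reachable on TCP/443.

table inet egress_policy {
    # Destinations the host is explicitly allowed to open new TCP connections to.
    set allowed_dst_tcp {
        type ipv4_addr . inet_service
        elements = { 10.0.1.10 . 443 }
    }

    chain output {
        # The output hook sees every packet this host originates; the default
        # policy drops anything not accepted by a rule below.
        type filter hook output priority 0; policy drop;

        # Local traffic and replies belonging to connections that were accepted
        # on the way in (e.g. clients talking to Tomcat) stay allowed.
        oif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Name resolution and time sync only towards the internal servers.
        ip daddr 10.0.0.53 udp dport 53 accept
        ip daddr 10.0.0.53 tcp dport 53 accept
        ip daddr 10.0.0.123 udp dport 123 accept

        # Explicitly whitelisted outbound TCP destinations (update mirror).
        ip daddr . tcp dport @allowed_dst_tcp accept

        # Everything else: log a rate-limited sample to the kernel log, then drop.
        # An application on this host that unexpectedly tries to reach an outside
        # address shows up here as an "egress-drop:" line, which is the signal a
        # defender wants to alert on.
        limit rate 10/second burst 20 packets log prefix "egress-drop: " level warn
        counter drop
    }
}
```

Load the ruleset with `nft -f <file>` and follow `journalctl -k` for lines prefixed with `egress-drop:`. The whitelist has to be derived from what the application genuinely needs (the BSI's "absolutely necessary for the purpose of use"); run the ruleset with logging first and review the dropped destinations before treating it as final, because a legitimately required connection that is missing from the sets will be blocked as well.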

(KISTERS) We have implemented this measure for our customers who use the KISTERScloud (hosted services).

Our development teams are currently investigating which software solutions could be specifically affected and which additional measures can be taken to reduce the risk of exploitation of the vulnerability.