K3 Business Technology : update on Log4j vulnerability

Date: 17/12/2021

As many of you will be aware, the National Cyber Security Centre (NCSC) has advised organisations to take steps in mitigating the recent Apache Log4j vulnerability.

At K3, we've assessed the vulnerability with both internal and external reviews. During our initial analysis, we have not identified Log4j vulnerabilities. We will also continue to work with our partners and suppliers to assess the evolving situation.

Notwithstanding, in line with the market and best practice, we strongly advise all users of our products to assess their own environments, to detect vulnerabilities and alert us immediately if any are found.

What is the vulnerability?

An unauthenticated remote code execution vulnerability (CVE-2021-4428) which affects Apache Log4j versions 2.0-beta9 to 2.14.1 was recently uncovered.

Apache Log4j is a market standard logging tool that is used in many Java-based applications.

The vulnerability can allow an unauthenticated attacker to gain access to a target system. It can be triggered when a specially crafted string is parsed and processed by the vulnerable Log4j 2 component. This could potentially happen through your own user provided input.

Since the vulnerability is in a Java library, it is exploitable on a multitude of platforms including Windows, MacOS and Linux.

We would like to reiterate that our analyses, so far, have not identified vulnerabilities in our products and we will continue to monitor them.

We also encourage you to conduct your own controls and security audits to ensure you are not exposed.

In the meantime, please see below for statements from K3 on our products:

K3|fashion & K3|pebblestone

K3|fashion and K3|pebblestone are based on the Dynamics 365 platform and to date, our analysis has not identified any compromises.

For more information on Azure and the Microsoft stack concerning the CVE-2021-4428 vulnerability, please read Microsoft's response.

K3|imagine

The infrastructure and tools that K3|imagine utilises to develop and host applications securely have been assessed.

Our analysis has concluded, at this time, that they are not vulnerable to CVE-2021-4428.

K3 Point of Sale solutions

K3 has also conducted internal and external assessments of our retail products DdD, Cowis, RVE and MStore - alongside key components of their hosting environments - and we have so far not discovered any vulnerabilities related to CVE-2021-4428.

K3|dataswitch

K3|dataswitch has been initially assessed and no vulnerabilities in relation to CVE-2021-4428 have been found.

K3 ERP and Financials

K3's products SmartVision, Omnis and Sigma have been assessed and no vulnerabilities have been found.

The reports produced by these products use Crystal reporting, please refer to the SAP website for details regarding vulnerabilities in any Crystal editor you may use.

For more information on the Log4j vulnerability and advice, please read the NCSC's alert and guidance.