
This article contains a list of known security vulnerability reports in Ayfie products.

How to report security vulnerabilities

You may file your request at https://ayfie-dev.atlassian.net/servicedesk/customer/portal/8 or by email to support-nordics@ayfie.com.

Recent security vulnerabilities

Below is a list of already announced CVE security vulnerabilities. Note that CVE security vulnerabilities prior to 2021-12-10 are not listed. Security vulnerabilities after 2022-08-12 are listed in the release notes of the products/services.

...

2021-12-10, Locator and Supervisor affected by Apache Log4J CVE-2021-44228

Severity: Critical

Versions Affected: Locator 2.x and 3.x

Description: Locator releases prior to 3.3.1 used a bundled Solr that included a version of the Apache Log4j library vulnerable to remote code execution (RCE). For full impact and additional detail, consult the Solr security page: https://solr.apache.org/security.html.

Locator releases prior to 3.3.1 used a bundled ZooKeeper that included log4j 1.2.17, which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423.

Locator releases prior to 2.11.903 used a bundled Solr that included log4j 1.2.17, which may be vulnerable for installations using non-default logging configurations that include the JMS Appender. See https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for discussion.

Locator releases prior to 2.11.903 used a bundled ZooKeeper that included log4j 1.2.17, which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423.

Mitigation: 

For Locator 3.x, any one of the following is enough to prevent this vulnerability on Locator servers:

  • Upgrade to Locator 3.3.2 or greater (when available), which will include an updated version of Solr.

  • ZooKeeper mitigation to be announced.

For Locator 2.x, any one of the following is enough to prevent this vulnerability on Locator servers:

...

  • Upgrade to Locator 2.11 SR9 or greater (when available), which will include set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true in solr.in.cmd by default.

...

  • Edit your solr.in.cmd file to include set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true, then restart the Locator Index Service. solr.in.cmd is located in <Program Files>\ayfie\Locator\SOLR\bin\.
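One way to verify the solr.in.cmd edit described above on a Locator 2.x server. This is an added example, not Ayfie's own tooling. The function name, the -Fix switch and the default path (which resolves <Program Files> through the ProgramFiles environment variable) are assumptions.

```powershell
# Added example: checks that the Log4j lookup mitigation is active in solr.in.cmd.
# Test-SolrLog4jMitigation and its parameters are hypothetical names, not part of Locator.
function Test-SolrLog4jMitigation {
    [CmdletBinding()]
    param(
        # Assumed default install location; pass -Path if Locator is installed elsewhere
        [string]$Path = (Join-Path $env:ProgramFiles 'ayfie\Locator\SOLR\bin\solr.in.cmd'),
        # Append the setting when it is missing (a .bak copy is written first)
        [switch]$Fix
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "solr.in.cmd not found at $Path"
    }

    # Only active lines count: skip batch comments (REM, @REM, ::)
    $active = Get-Content -LiteralPath $Path |
        Where-Object { $_ -notmatch '^\s*@?\s*(REM\b|::)' }

    # The flag must sit on an active "set SOLR_OPTS=" line and be set to true
    $pattern = '^\s*set\s+"?SOLR_OPTS=.*-Dlog4j2\.formatMsgNoLookups=true\b'
    $present = [bool]($active | Where-Object { $_ -match $pattern })
    $changed = $false

    if (-not $present -and $Fix) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
        # The leading empty string terminates a last line that lacks a newline
        Add-Content -LiteralPath $Path -Value '', 'set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true'
        $present = $true
        $changed = $true
    }

    [pscustomobject]@{
        Path            = $Path
        MitigationSet   = $present
        # The setting is only read at startup: restart the Locator Index Service after a change
        RestartRequired = $changed
    }
}

# Report only:      Test-SolrLog4jMitigation
# Report and patch: Test-SolrLog4jMitigation -Fix
```

A commented-out copy of the setting is reported as not set, which catches the case where the line exists in the file but never takes effect.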

Description

Affected

Not affected

2022-08-12

Security vulnerability in Ayfie Saga metrics UI (Grafana)

  • All other products.

2022-08-12

Security vulnerability in Ayfie Saga metrics UI (Grafana)

  • All other products.

2022-07-04

Security vulnerability in Ayfie Saga metrics UI (Grafana)

  • All other products.

2022-04-29

Security vulnerability in Ayfie Saga platform gateway

  • All other products.

2021-12-10

Security vulnerability found in Log4j that might allow execution of malicious remote code.

  • Supervisor

  • ViaSuggest

  • AppSearch

  • Haive Enterprise Search