...
This article contains a list of known security vulnerability reports in Ayfie products.
How to report security vulnerabilities
You may file your request at https://ayfie-dev.atlassian.net/servicedesk/customer/portal/8 or by email to support-nordics@ayfie.com.
Recent security vulnerabilities
Below is a list of already announced CVE security vulnerabilities. Note that CVEs security vulnerabilities prior to 2021-12-10 are not listed
...
listed. Security vulnerabilities after 2022-08-12 are listed in the release notes of the products/services.
...
Date |
|---|
Announcement
2021-12-10
2021-12-10, Locator and Supervisor affected by Apache Log4J CVE-2021-44228
Severity: Critical
Versions Affected: Locator 2.x and 3.x
Description: Locator releases prior to 3.3.1 were using a bundled Solr that were using a version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Solr security page https://solr.apache.org/security.html .
Locator releases prior to 3.3.1 were using a bundled ZooKeeper that were using log4j 1.2.17 which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423
Locator releases prior to 2.11.903 were using a bundled Solr that were using log4j 1.2.17 which may be vulnerable for installations using non-default logging configurations that include the JMS Appender, see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for discussion.
Locator releases prior to 2.11.903 were using a bundled ZooKeeper that were using log4j 1.2.17 which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423.
Mitigation:
For Locator 3.x any of the following are enough to prevent this vulnerability for Locator servers:
Upgrade to
Locator 3.3.2or greater (when available), which will include an updated version of Solr.ZooKeeper mitigation to be announced if any is needed.
For Locator 2.x any of the following are enough to prevent this vulnerability for Locator servers:
...
Upgrade to Locator 2.11 SR9 or greater (when available), which will include, set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true in solr.cmd.in by default.
...
Edit your solr.in.cmd file located in <Locator installation directory>\SOLR\bin\ and add the following line to the end of that file: set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true. Stop the Locator Index Builder service. Restart the Locator Index Service. Start the Locator Index Builder service again.
Description | Affected | Not affected | |
|---|---|---|---|
2022-08-12 | Security vulnerability in Ayfie Saga metrics UI (Grafana) |
|
|
2022-08-12 | Security vulnerability in Ayfie Saga metrics UI (Grafana) |
|
|
2022-07-04 | Security vulnerability in Ayfie Saga metrics UI (Grafana) |
|
|
2022-04-29 | Security vulnerability in Ayfie Saga platform gateway |
| |
2021-12-10 | Security vulnerability found in Log4j that might allow execution of malicious remote code. |
|
|