Tiger Technology & Log4j Vulnerability
Apache Log4j is a popular Java-based logging utility. A zero-day vulnerability and a series of exploits in the Apache Log4j logging utility were discovered on Dec 9, 2021, and on the following days. The affected versions are known to be 2.0 through 2.15.
Is Tiger Technology impacted by the Log4j vulnerability?
We have performed an assessment of the situation and how Log4j vulnerabilities may affect Tiger Technology products and solutions. Here’s a summary by category:
- Tiger Store, Tiger Spaces and Tiger Bridge do not use Java. These products are not affected by the Apache Log4j vulnerabilities.
- Tiger Technology License Server uses version 1.x of Log4j, which is not listed as an affected version. The server logs static strings and does not allow log messages or log message parameters to be modified.
- Spaces|MAM does not use version 2.x of Log4j and the MAM software is not vulnerable to the LDAP-JNDI exploit. Older versions of the MAM software that had the now obsolete Scheduler used version 1.x of Log4j, which does not have the exploit.
- Tiger Box appliances equipped with 12Gb RAID controllers have Avago’s MegaRAID software. The tool is run only when it is necessary to reconfigure the RAID controller, and it does not run as a service in the background. The utility uses version 1.x of Log4j, which does not have the exploit.
Nonetheless, on Dec 12, 2021, we took additional steps to reconfigure the utility, following the recommendations of security experts, to ensure the server is at no risk of being exposed to the Log4j vulnerabilities. We are also researching the options for updating the utility while ensuring compatibility with the rest of the modules of the License Server.
We continue to monitor the situation and will provide updates if any new information is discovered.