Computronix Advisory on Log4Shell (CVE-2021-44228)
Since the details of this vulnerability were published, Computronix has reviewed our internal infrastructure, shipping code, and procedures for installation in client environments.
Based on this analysis, Computronix does not believe this to have a significant impact on Computronix or our clients. There are a number of reasons for this position including:
- No use of Java is made in currently shipping Computronix products (POSSE, POSSE ABC, POSSE LMS, POSSE Mobile, POSSE ePlans).
- Computronix installation instructions do not require Java to be installed on any client machine (desktop or server).
- No use of Java is made from within the Oracle database.
- POSSE does not support Java-based web servers or application servers (e.g., Tomcat, Jetty, Oracle WebLogic, JBoss).
- POSSE ePlans Cloud does use a third-party Java application. Vendor was engaged to provide guidance on this vulnerability. Vendor confirmed that Log4J is not utilized in any way. Regardless, mitigations have been put in place – note, the Java application is not exposed outside of the internal POSSE ePlans Cloud infrastructure.
- While Computronix uses some third-party services (like Atlassian’s Jira and Atlassian’s BitBucket) that use Java and may be affected by CVS-2021-44228, these services:
- Do not have access to any client data
- Do not require Log4J to be installed on any system accessing them
- Are accessed only by a web-based interface
Computronix has been in contact with those providers and, if required, will be implementing mitigations and/or updates as soon as they are available.
- The initial installation of the Oracle database software includes and requires Java. In addition, when a new database is created, Oracle may create a website for management of the database (Oracle Enterprise Manager Database Express).
- If Computronix creates the database, our procedure is to disable this website.
- This website is not exposed externally. This means that an attacker would need to breach your environment before attempting to exploit this vulnerability.
Given these findings, Computronix is recommending that clients take the following actions:
- Update any Java-based third-party tools that access the POSSE databases.
- Verify that any third-party site you interface to (e.g., payment processor, accounting system) has addressed this vulnerability.
- If you are running Oracle in your datacenter and you are using Oracle Enterprise Manager, either restrict access to the website via IP, or upgrade Oracle Enterprise Manager.
NOTE: Oracle Enterprise Manager is a designation for multiple products, such as Enterprise Manager Cloud Control, Enterprise Manager Express, and Enterprise Manager Database Express.
If you have any questions, please contact either: