Vulnerability in Log4j (CVE-2021-45105)
Update: 22 Dec 2021
Because of an issue that may cause some customers to experience cloud connection problems, we have suspended the release of Snow Commander 8.10.2. Customers who did install Snow Commander 8.10.2 and experience cloud connection issues should upgrade to Snow Commander 8.10.3.
As stated below, we strongly recommend that customers using any version of Snow Commander and the VM Access Proxy upgrade to Snow Commander 8.10.3 and/or VM Access Proxy 3.7, which is targeted to be released by Snow Software on December 22, 2021.
Snow Software provided guidance regarding the Log4j vulnerability (CVE-2021-44228) on 15th December 2021 and 16th December 2021 based on recommendations from the Apache Software Foundation. This KB includes updated guidance (20 December 2021) based on a new Log4j vulnerability (CVE-2021-45105).
Snow Software posted a response to an earlier Log4j vulnerability (CVE-2021-44228) on Wednesday, December 15, 2021 (see the original announcement here). The Log4j library is developed by the open-source Apache Software Foundation and is a widely used Java logging framework.
Following new guidance issued by the Apache Software Foundation, Snow Software learned of the latest flaw in Log4j (CVE-2021-45105) after releasing Commander 8.10.0/8.10.1 and VM Access Proxy 3.6, the versions that include Log4j 2.16.0, which the Apache Software Foundation had reported as addressing the earlier Log4j flaw CVE-2021-44228. As per the original announcement, only Snow Commander and the VM Access Proxy are affected by the vulnerability; no other Snow products are impacted.
We strongly recommend that customers using any version of Snow Commander or the VM Access Proxy upgrade to Snow Commander 8.10.3 and/or VM Access Proxy 3.7, which Snow Software targets for release on December 22, 2021. These versions contain Log4j 2.17.0, which the Apache Software Foundation states addresses CVE-2021-45105. This recommendation also applies to customers who already upgraded to Commander 8.10.0/8.10.1 and/or VM Access Proxy 3.6, because those versions contain Log4j 2.16.0 and remain affected by the new flaw.
The Snow Software team will continue to monitor the situation and keep you informed with any updates or further actions necessary.
We understand that this remedial action is an inconvenience. Should you have any further questions, please post them in this thread and we will do our best to address them. Thank you.
Advice for Snow Commander
- Affected versions: All versions of Snow Commander, through and including version 8.10.1
- CVE record: CVE-2021-45105
- Description:
- CVE-2021-45105 is a flaw in Log4j 2.16.0, the Apache Log4j 2 Java logging library, that allows a denial of service through uncontrolled recursion in lookup evaluation; it has a severity score of 7.5 (out of 10).
- The earlier flaw, CVE-2021-44228 (severity score of 10), and its fix were reported on 10 December 2021. Snow Commander 8.10.0/8.10.1 included Log4j 2.16 to address that earlier flaw (see this KB article for more details) but is vulnerable to the new flaw (CVE-2021-45105).
- Net: All versions of Snow Commander (through version 8.10.1) and the VM Access Proxy (through version 3.6) are affected by one of the identified Log4j vulnerabilities.
- Snow Recommendation
- Customers running any version of Snow Commander should upgrade to Snow Commander 8.10.3 at the earliest opportunity.
Advice for VM Access Proxy
- Affected versions: All versions of VM Access Proxy, through and including version 3.6.
- CVE record: CVE-2021-45105
- Description:
- CVE-2021-45105 is a flaw in Log4j 2.16.0, the Apache Log4j 2 Java logging library, that allows a denial of service through uncontrolled recursion in lookup evaluation; it has a severity score of 7.5 (out of 10).
- The earlier flaw, CVE-2021-44228 (severity score of 10), and its fix were reported on 10 December 2021. VM Access Proxy 3.6 included Log4j 2.16 to address that earlier flaw (see this KB article for more details) but is vulnerable to the new flaw (CVE-2021-45105).
- Net: All versions of Snow Commander (through version 8.10.1) and the VM Access Proxy (through version 3.6) are affected by one of the identified Log4j vulnerabilities.
- Snow Recommendation
- Customers running any version of VM Access Proxy should upgrade to VM Access Proxy 3.7 at the earliest opportunity.
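The two "Affected versions" lists above come down to one question for an operator: which log4j-core build does the installed Commander or VM Access Proxy actually bundle? The scanner below is an added example, not Snow Software's tooling and not part of the original KB. It walks a directory tree (the install path is an assumption; pass it as the first argument), reads the log4j-core version from the Maven pom.properties that the jar carries, descends into wars and nested jars, and flags versions that Apache's advisory lists as affected by CVE-2021-45105 (2.0-alpha1 through 2.16.0, excluding the 2.12.3 and 2.3.1 backport releases). The sample tree it builds when run without an argument is constructed test data.

```python
"""Scan an install tree for bundled log4j-core jars and flag CVE-2021-45105.
Example code added to this KB, not Snow Software's tooling. The install path is an
assumption: python log4j_scan.py /opt/commander (hypothetical path); no argument runs the demo."""
import io
import os
import re
import sys
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # Maven metadata in log4j-core
CORE_CLASS = "org/apache/logging/log4j/core/lookup/StrSubstitutor.class"  # present in every 2.x core jar
FILENAME_RE = re.compile(r"log4j-core-(\d[\w.\-]*?)\.jar$", re.IGNORECASE)
FIXED_IN = "2.17.0"
FIXED_BACKPORTS = {(2, 12, 3), (2, 3, 1)}  # Java 7 / Java 6 branch fixes named in Apache's advisory

def parse_version(text):
    """'2.16.0' -> (2, 16, 0, 1, ''); '2.0-beta9' -> (2, 0, 0, 0, 'beta9'); pre-releases sort below finals."""
    main, _, pre = text.partition("-")
    nums = ([int(p) for p in main.split(".") if p.isdigit()] + [0, 0, 0])[:3]
    return (*nums, 0 if pre else 1, pre)

def is_vulnerable_to_cve_2021_45105(version):
    """Apache: 2.0-alpha1 through 2.16.0 are affected, except 2.12.3 and 2.3.1 (1.x is a different code base)."""
    v = parse_version(version)
    if v[0] != 2 or v[:3] in FIXED_BACKPORTS:
        return False
    return v < parse_version(FIXED_IN)

def log4j_core_versions(path_or_file, label, depth=0):
    """[(label, version)] for each log4j-core in a jar/war/ear, descending two levels into nested jars.
    Version is 'unknown' when core classes are present without metadata (shaded/uber jars)."""
    try:
        zf = zipfile.ZipFile(path_or_file)
    except zipfile.BadZipFile:
        return []
    found, version = [], None
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, _, value = line.strip().partition("=")
                if key == "version":
                    version = value
        if version is None and CORE_CLASS in names:
            m = FILENAME_RE.search(os.path.basename(label))  # fall back to the file name
            version = m.group(1) if m else "unknown"
        if version is not None:
            found.append((label, version))
        for name in sorted(names) if depth < 2 else []:
            if name.lower().endswith((".jar", ".war", ".ear")):
                found.extend(log4j_core_versions(io.BytesIO(zf.read(name)), f"{label}!{name}", depth + 1))
    return found

def scan(root):
    """Walk `root`; return [(label, version, vulnerable)], vulnerable=None when the version is unknown."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                for label, version in log4j_core_versions(path, path):
                    flag = None if version == "unknown" else is_vulnerable_to_cve_2021_45105(version)
                    findings.append((label, version, flag))
    return findings

def build_sample_tree(root):
    """Constructed sample data, not real Snow files: two core jars, an uber jar without metadata,
    and a war nesting the 2.12.3 backport."""
    def core_jar_bytes(version, with_pom=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as jar:
            jar.writestr(CORE_CLASS, b"")
            if with_pom:
                jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        return buf.getvalue()
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    for version in ("2.16.0", "2.17.0"):
        with open(os.path.join(lib, f"log4j-core-{version}.jar"), "wb") as f:
            f.write(core_jar_bytes(version))
    with open(os.path.join(lib, "app-all.jar"), "wb") as f:
        f.write(core_jar_bytes(None, with_pom=False))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.12.3.jar", core_jar_bytes("2.12.3"))

def demo():
    """Build the sample tree in a temp dir and scan it: {relative label: (version, vulnerable)}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.relpath(label, root).replace(os.sep, "/"): (version, flag)
                for label, version, flag in scan(root)}

if __name__ == "__main__":
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else [(k, *v) for k, v in demo().items()]
    for label, version, flag in results:
        print({True: "VULNERABLE", False: "fixed", None: "UNKNOWN"}[flag], version, label)
```

A clean result only shows that no affected log4j-core jar sits under the scanned tree; it does not replace the vendor upgrade to Commander 8.10.3 / VM Access Proxy 3.7, and any finding reported as UNKNOWN (Log4j classes repackaged into an application jar without Maven metadata, so the version cannot be read) needs manual inspection of that jar.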