No Updated Flashphoner for log4j?

Max

Administrator
Staff member
Good day.
According to the CVE description https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled
In the case of WCS, an external attacker cannot control log messages or log message parameters, because the only log configuration file is the log4j.properties file, which is placed in the /usr/local/FlashphonerWebCallServer/conf folder. So, to exploit this vulnerability, an attacker must already have access to the server file system. This attack vector can easily be closed by the system administrator.
There is also ticket WCS-2521 to update the log4j library. We have raised its priority and will let you know the results in this topic.
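For an administrator who wants to verify which log4j build is actually deployed while the update ticket is pending, the following is an added example (not Flashphoner's code and not from the thread). It scans a directory tree for log4j-core jars, reads the version from the Maven pom.properties inside each jar, and reports a jar as needing the update when it still ships the JndiLookup class and is older than 2.16.0; that threshold, the lib/ layout and the sample jars are all this example's own assumptions. The sample jars are constructed in a temporary directory so the script runs offline; in practice you would point scan_directory at /usr/local/FlashphonerWebCallServer (the install path named above).

```python
"""Find log4j-core jars and flag those still carrying the JNDI lookup (CVE-2021-44228).

Added example, not Flashphoner's code. Sample jars are constructed below;
the 2.16.0 threshold is this example's own policy.
"""
import tempfile
import zipfile
from pathlib import Path

# Class that performs the JNDI/LDAP lookup the CVE text refers to.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core jars carry; it holds the version string.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumed minimum acceptable version for this example.
MIN_OK_VERSION = (2, 16, 0)


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().split(".") if p.isdigit())


def inspect_jar(path):
    """Return (version or None, whether JndiLookup.class is present) for one jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_CLASS in names


def scan_directory(root):
    """Walk root and return (jar path, version, verdict) for every log4j-core jar found."""
    findings = []
    for jar_path in Path(root).rglob("*.jar"):
        version, has_jndi = inspect_jar(jar_path)
        if version is None and not has_jndi:
            continue  # not log4j-core at all; ignore
        # Unknown version with the lookup class present is treated conservatively.
        needs_update = has_jndi and (version is None or parse_version(version) < MIN_OK_VERSION)
        findings.append((str(jar_path), version, "VULNERABLE" if needs_update else "ok"))
    return findings


def build_sample_jars(root):
    """Constructed sample jars: an old log4j-core, a patched one and an unrelated library."""
    samples = {
        "lib/log4j-core-2.14.1.jar": ("2.14.1", True),
        "lib/log4j-core-2.17.1.jar": ("2.17.1", True),
        "lib/commons-io.jar": (None, False),
    }
    for rel, (version, with_jndi) in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if version:
                jar.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                                        f"artifactId=log4j-core\nversion={version}\n")
            if with_jndi:
                # Placeholder bytes standing in for a class file; only the entry name matters here.
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Build the constructed jars in a temp dir, scan them, and map file name to verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        return {Path(p).name: verdict for p, _, verdict in scan_directory(tmp)}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:10s} {name}")
```

A jar from which JndiLookup.class has been deleted (the widely used interim mitigation) reports "ok" regardless of its version, which is why the check keys on the class entry rather than on the file name alone.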