No Updated Flasphoner for log4j?

[auronsan14]

There is issue about log4j for zero day attack.

when flashphoner plan for update this issue?

[Update: CISA issues Log4j vulnerabilities scanner] Log4j zero-day "Log4Shell" arrives just in time to ruin your weekend

A zero-day vulnerability with a CVSS score of 10.0 has been discovered in Apache's hugely popular Log4j utility.

blog.malwarebytes.com

 

[Max]

Good day.
According to CVE description https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled

In case of WCS, an external attacker cannot control log messages or log message parameters because the only log configuration file is log4j.properties file which is placed in /usr/local/FlashphonerWebCallServer/conf folder. So, to exploit this vulnerability, an attacker must already have an access to the server file system. The attack vector can be easily closed by system admin.
The is also the ticket WCS-2521 to update log4j library. We raised it priority and let you know results in this topic.

 

[Max]

We also have tested the latest build 5.2.1109, and the vulnerability cannot be exploited, please see test results.