Dear Valued Partners and Customers,
Y Soft is aware of the current vulnerability in a widely used Java logging library, Apache Log4j. This library is a de-facto market standard for logging and troubleshooting Java applications, with millions of applications using it worldwide; YSoft SAFEQ is one of them. This vulnerability has been reported and is tracked as CVE-2021-44228 (mitre.org) and CVE-2021-44228 (nist.gov).
Y Soft acknowledges that YSoft SAFEQ 6 is one of the applications affected by this vulnerability. We would like to advise our partners and customers on how to mitigate the risk of this vulnerability being exploited. Please note that previous versions of SAFEQ, notably 4 and 5, are not affected.
The course of action for SAFEQ on-premises:
1. As a precaution, we recommend temporarily switching off logging in YSoft SAFEQ. A step-by-step guide will be published today (December 13, 2021).
2. Immediate Workarounds:
- We are preparing a workaround for customers running SAFEQ 6 B22 (and newer) to mitigate the vulnerability by reconfiguring the bundled logging libraries. No library updates will be required. This workaround will be published today (December 13, 2021) through the Y Soft Partner Portal.
- We are preparing an automated security update script for customers running versions prior to SAFEQ 6 B22 to patch the vulnerable libraries. We are now testing that this replacement will not impact SAFEQ's functionality. We will confirm availability of the script later today (December 13, 2021).
3. FIX: We are postponing the upcoming release of YSoft SAFEQ 6 B64 so that it contains a complete fix for this security vulnerability. We expect to confirm the release date by tomorrow, December 14, 2021.
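A defender-side inventory check that an administrator could run on a SAFEQ server while waiting for the workaround script and the B64 release, as an added example rather than Y Soft's own tooling: it walks a directory tree (the SAFEQ install path is an assumption you supply) and reports each bundled log4j-core JAR's version and whether the JndiLookup class is still present, since CVE-2021-44228 requires both an affected version and that class. The sample JARs it builds are constructed stand-ins, not real Log4j binaries.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VULN_MAX = (2, 14, 1)  # CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1

def version_tuple(text):
    # '2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9); missing parts padded with 0
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def jar_version(jar, path):
    """Prefer Implementation-Version from the manifest; fall back to the file name."""
    names = jar.namelist()
    manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    match = (re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
             or re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?(?:-\w+)?)", path.name))
    return match.group(1) if match else None

def assess_jar(path):
    with zipfile.ZipFile(path) as jar:
        version = jar_version(jar, path)
        has_jndi = JNDI_CLASS in jar.namelist()
    # Exposed only if JndiLookup.class is still in the archive and the version is
    # in the affected range; an unreadable version is treated as affected.
    exposed = has_jndi and (version is None or version_tuple(version) <= VULN_MAX)
    return {"jar": path.name, "version": version, "jndi_lookup": has_jndi, "exposed": exposed}

def scan(root):
    # root is the directory to inventory, e.g. the SAFEQ install directory (assumed path)
    return [assess_jar(p) for p in sorted(Path(root).rglob("log4j-core*.jar")) if zipfile.is_zipfile(p)]

def build_sample_tree(root=None):
    """Constructed stand-in JARs (not real Log4j binaries) so the scan can be dry-run offline."""
    lib = Path(root or tempfile.mkdtemp()) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    samples = {"log4j-core-2.14.1.jar": ("2.14.1", True),          # untouched, affected
               "log4j-core-2.14.1-nojndi.jar": ("2.14.1", False),  # JndiLookup.class removed
               "log4j-core-2.15.0.jar": ("2.15.0", True)}          # outside the 44228 range
    for name, (ver, keep_jndi) in samples.items():
        with zipfile.ZipFile(lib / name, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
            if keep_jndi:
                z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return str(lib.parent)
```

Run scan(root) against the real install directory; any entry with exposed set to True still needs the workaround or the update script.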
The course of action for SAFEQ Managed and SAFEQ Cloud:
Customers using SAFEQ Cloud and SAFEQ Managed will receive a fix automatically. We will inform you about this process later today (December 13, 2021).
In Brno on December 13, 2021
Martin de Martini
YSoft SAFEQ Product Owner and CIO