Document toolboxDocument toolbox

Vidispine

CVE-2021-44228

Hello, you probably have seen CVE-2021-44228, which affects log4j. After analyzing the products' use of log4j, we have come to the following conclusion:

  • VidiFlow and Camunda are not affected.

  • VidiCore and VSA do not use log4j2, or only with controlled output*.

  • ElasticSearch 6 is not susceptible to RCE.

  • Solr is also not susceptible as VidiCore will escape all texts sent to Solr**.

  • ActiveMQ is not using log4j2.

No services running on VidiNet are affected.

However, even with all of the products above not affected by the vulnerability, we recommend that the pattern format is updated by changing %m to %m{nolookups} for VidiCore, ElasticSearch, and Solr. Please contact Vidispine if you have any questions on how this is done on your system.


* VidiCore does use log4j2 but only when running the database migration script. During the database migration, there is no possibility for user input into the logs. That is, an attacker cannot insert custom logging text during the migration. For all other purposes, VidiCore uses Logback, which is not affected.

** Queries sent by VidiCore are logged by Solr. However, special characters are escaped as part of the query. Hence, an attacker cannot perform a query and make Solr emit the ${jndi: text.