Minor Security Issue with Log4Net
There was recently a security issue published on the internet about the Apache Log4net component:
https://www.cvedetails.com/cve/CVE-2018-1285/
Unlike the previous issue about Apache Log4J, Clarity DOES in fact use this component.
We do not believe that this security issue meaningfully affects Clarity customers. Here is why:
|
Product Version |
Assessment | |
| Clarity Host 2021.0 - Clarity 2022.1 | These versions use log4net 2.0.11. The security alert only affects 2.0.10 or lower. | |
| Clarity Host 2020.1 and lower | These versions are theoretically exposed, but the nature of the above issue and how it is deployed in Clarity means that the attacker must be able to modify the log4net file on the host server (and the server is typically closely controlled). No incremental gain of function seems possible without access to the server. If you would like to upgrade to avoid the issue, please reach out for assistance.... |
| Product Version | Assessment |
| Clarity Task Server 2022.0 - Clarity Task Server 2022.1 | These versions use log4net 2.0.11, and the security alert affects 2.0.10 and lower. |
| Clarity Task Server 2021.1 and lower | As above, These versions are theoretically exposed, but the nature of the above issue and how it is deployed in Clarity means that the attacker must be able to modify the log4net file on the host server (and the server is typically closely controlled). No incremental gain of function seems possible without access to the server. If you would like to upgrade to avoid the issue, please reach out for assistance. |
If you have concerns about this issue, please reach out to us via support (at) rand.com.
