The German Federal Office for Information Security (BSI) published a cyber security warning of warning level red on 13 December 2021. Comparable publications were also made in other countries, e.g. National Vulnerability Database of NIST in the USA (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) or by the EU (https://www.enisa.europa.eu/news/statement-on-log4shell).
The reason for this warning of the highest alert level is a critical vulnerability in the widely used Java library log4j, which, according to the security authorities, leads to an extremely critical threat situation. The vulnerability could potentially allow attackers to execute their own program code on the target system and thus compromise the server (source: BSI).
These HORIZONT products are not affected:
- IWS/Audit
- IWS/BatchAD
- IWS/BatchCP
- IWS/Graph (Server and PC Client)
- IWS/WebAdmin for z/OS
- IWS/WebAdmin
- SmartJCL (Base, Change, Interface for IWS z/OS and Control-M)
- XINFO (Application Server, ISPF dialog, scanners)
- ProcMan
Some components of HORIZONT products use log4j but are not affected by this vulnerability.
- XINFO Eclipse Plug-in
- SmartJCL Eclipse Plug-in
XINFO Eclipse plugin and SmartJCL Eclipse plugin use log4j version 1.2.17. This version is not affected by the CVE-2021-44228 vulnerability. The JMSAppender class isn’t used that could allow a similar vulnerability for log4j 1.x (CVE-2021-4104).
The XINFO Eclipse plugin provides an external tool login.jar and login.exe. This tool uses log4j version 2.10.0.
This external tool can be used to store encrypted login data. The login provider extension in the plugin can then decrypt this login data. The login provider also uses the log4j from the plugin (1.2.17) and login.jar is not used anywhere in the plugin.
We don’t see a risk for the login tool, because it’s executed only locally and temporarily.
In case of any further questions, please contact support@horizont-it.com.