On 10 December 2021, an RCE (remote code execution) exploit was disclosed affecting several versions of the Apache Log4j 2 utility. The affected code lives in the log4j core libraries: log4j-core-*.jar, versions 2.0 to 2.17.0. Subsequent updates detailing other related exploits are also considered here.
Log4j is a logging component which runs under Java and is commonly bundled with unrelated software.
Following a detailed audit and validation by the Roos Instruments IT and Software Development teams, we can confirm that Roos Instruments services are not affected by this vulnerability (CVE-2021-44228 or related). First, we have validated that Roos Instruments services are not configured to use the log4j-core package. Furthermore, no affected files were found when searching the OS images for the Cassini System Controllers (OS/2, eComStation, ArcaOS) and the Cassini Virtual Workstations (ArcaOS). Nothing was found when searching the Guru Server images based on xUbuntu. Therefore, no action is required by users of Roos Instruments products regarding this issue.
Guru Server is typically installed on xUbuntu or RHEL/CentOS and does NOT contain the affected packages. 3rd party applications may use the affected package as a dependency, and since these distributions do offer access to packages that ARE AFFECTED, all OS security updates should ALWAYS be applied. Since Guru Servers are expected to operate air-gapped from the internet and heavily firewalled, this is not considered a critical vulnerability given those mitigations. Nevertheless, it is still recommended to apply all available security updates.
Java 6 is installed on the embedded OS (OS/2, eComStation, ArcaOS), for which Risk Assessment and Mitigation steps may need to be performed if 3rd party applications are installed. (See Figure 1)
Figure 1: Search Results on ArcaOS > Find Objects > log4j-*.jar
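The validation described above is a filesystem search for log4j-core jars on each OS image. The following script is an added example, not Roos Instruments' own tooling, that automates the same check for an administrator auditing 3rd party software on a Guru Server or other host: it walks a directory tree, picks out log4j-core-*.jar files, compares the version in the file name against the 2.0 to 2.17.0 range stated in this advisory, and then opens each jar to see whether the JndiLookup class is still present (Apache's published mitigation for affected versions is to remove that class, so its absence means the jar no longer carries the lookup code). The sample directory tree it scans is constructed in a temporary folder with placeholder jar contents; the class payload bytes are not real bytecode, and the directory names (app1, app2, app3) are assumptions for the demonstration.

```python
import os
import re
import tempfile
import zipfile

# Affected range as stated in the advisory: log4j-core 2.0 through 2.17.0.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 17, 0)
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$", re.IGNORECASE)
# Class that performs JNDI lookups; Apache's mitigation for affected
# versions is to delete it from the jar, so its absence lowers the risk.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_core_version(filename):
    """Return (major, minor, patch) for a log4j-core jar name, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected_version(version):
    """True when the version falls inside the advisory's stated range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class (False for unreadable jars)."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            return JNDI_CLASS in jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return False


def scan_tree(root):
    """Walk root and report every log4j-core jar with its risk status."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            version = parse_core_version(name)
            if version is None:
                continue  # log4j-api and unrelated jars are not the affected component
            path = os.path.join(dirpath, name)
            jndi = has_jndi_lookup(path)
            findings.append({
                "path": os.path.relpath(path, root),
                "version": version,
                # A jar is a live finding only if the version is in range AND
                # the JndiLookup class has not been stripped out of it.
                "affected": is_affected_version(version) and jndi,
                "jndi_lookup_present": jndi,
            })
    return sorted(findings, key=lambda f: f["path"])


def write_jar(path, include_jndi):
    """Constructed sample jar: a zip with a manifest and optionally the JNDI class entry."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"placeholder, not real bytecode")


def build_sample_tree(root):
    """Lay out constructed jars resembling what a filesystem search might find."""
    write_jar(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"), True)   # in range, class present
    write_jar(os.path.join(root, "app2", "lib", "log4j-core-2.17.0.jar"), False)  # in range, class removed
    write_jar(os.path.join(root, "app3", "lib", "log4j-core-2.17.1.jar"), True)   # outside stated range
    write_jar(os.path.join(root, "app1", "lib", "log4j-api-2.14.1.jar"), False)   # not log4j-core, ignored


def demo():
    """Build the constructed tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        status = "AFFECTED" if f["affected"] else "ok"
        ver = ".".join(str(n) for n in f["version"])
        jndi = "present" if f["jndi_lookup_present"] else "absent"
        print(f"{status:8} {f['path']} version={ver} JndiLookup={jndi}")
```

To audit a real host, replace `demo()` with `scan_tree("/")` (or the mount point of an OS image) and review every line marked AFFECTED. Because the version is read from the file name, a renamed or repackaged jar would be missed by the first check alone; the JndiLookup test opens the archive itself and should be applied to any jar a 3rd party installer ships, not only ones that match the name pattern.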
Roos Instruments has examined and validated that none of the following Java applications use the vulnerable libraries: Guru Agent, Guru Agent Editor, Guru Browser, Guru Explorer, Db Manager, and any other available Guru application written with Java.
This applies to the following Roos Instruments products:
- Model: Cassini System Controller EPC and Cassini Virtual Workstation (OS/2, eComStation, ArcaOS), both of which include the JRE and various Java applications.
- Model: RI7100A (OS/2 and eComStation 1.2) is also not affected; no Java-based software is included.
- Guru Server on Linux