As the Apache Log4j2 vulnerability (CVE-2021-44228) was disclosed on Dec 09, 2021, your EOS 360 teams have been actively monitoring the issue and assessing its impact on the products:
EOS server for z/OS and EOS 360 server for z/OS
=> NO impact
EOS server for Open Systems and EOS 360 server for Open Systems
=> NO impact
Folders server for z/OS
=> NO impact
Folders server for Open Systems
=> NO impact
EOS ThinClient, all versions, use log4j1
=> NO impact
EOS Access < 2.2.0 uses log4j1
=> NO impact
EOS Access >= 2.2.0 NO log4j1
=> NO impact
Folders ThinClient, all versions, use log4j1
=> NO impact
Doc2Print ThinClient, all versions, use log4j1
=> NO impact
Additional information for log4j1
Rocket EOS and Folders clients use log4j 1.x. While there might be some exposure, the issue for log4j 1.x is rated as being "moderate impact" by Red Hat.
https://access.redhat.com/security/cve/cve-2021-4104
The vulnerability in log4j 1.x is related to the class JMSAppender.
Rocket EOS and Folders ThinClients
- do NOT use JMSAppender
- do NOT provide a log4j configuration file
EOS Access 2.1.8
- does provide a log4j.xml file, but it does NOT contain JMSAppender
General Log4j 1.x mitigation:
- Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
- Forbid write access to your log4j1 config file (xml or properties)
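One way to carry out both audit steps above, as an added example (not Rocket's or the product's own code): a Python script that lists the appender classes in a log4j 1.x .properties or .xml file, flags org.apache.log4j.net.JMSAppender, and flags a config file writable by group or others. It assumes POSIX file permissions; the function names and the sample configurations are constructed for illustration, and appenders that subclass JMSAppender under another class name are not detected.

```python
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# log4j.appender.<name>=<class>; deeper keys (<name>.Option=...) do not match.
PROP_APPENDER = re.compile(r"^\s*log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)")


def appender_classes(path):
    """Return {appender name: class} from a log4j 1.x .properties or .xml file."""
    if path.endswith(".xml"):
        root = ET.parse(path).getroot()
        return {el.get("name"): el.get("class", "")
                for el in root.iter() if el.tag.endswith("appender")}
    with open(path, encoding="utf-8", errors="replace") as fh:
        matches = (PROP_APPENDER.match(line) for line in fh)
        return {m.group(1): m.group(2) for m in matches if m}


def audit(path):
    """Return a list of findings for one configuration file (empty = clean)."""
    findings = [f"appender '{n}' uses JMSAppender"
                for n, c in appender_classes(path).items() if c == JMS_APPENDER]
    # POSIX mode bits only: flag files writable by group or others.
    if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("config file is writable by group or others")
    return findings


def demo():
    """Audit two constructed sample configs written to a temp directory."""
    samples = {  # constructed sample data: file name -> (mode, content)
        "log4j.properties": (0o666, "log4j.appender.jms=" + JMS_APPENDER + "\n"
                                    "log4j.appender.jms.TopicBindingName=logTopic\n"),
        "log4j.xml": (0o644, '<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">'
                             '<appender name="file" class="org.apache.log4j.FileAppender"/></log4j:configuration>'),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (mode, text) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
            os.chmod(path, mode)
            results[name] = audit(path)
    return results
```

Call audit() with the path of each deployed log4j.xml or log4j.properties file; an empty list means no JMSAppender is configured and the file is not writable by group or others.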
Please feel free to reach out to support or product management should you have any questions or concerns regarding z/Trim and the Apache Log4j security vulnerability.
------------------------------
Martin Floret
Product Management Director
Geneva Switzerland
------------------------------