Apache Log4j Vulnerability (CVE-2021-44228)

Canon Medical Systems Security Advisory

Overview:
It was announced that a security vulnerability exists in Apache Log4j, a Java-based logging library provided by The Apache Software Foundation. On a server running Apache Log4j, a remote attacker could execute arbitrary code by sending specially crafted data that exploits this vulnerability.

Vulnerability Overview:
Log4j has a Lookup feature that evaluates certain patterns in a logged character string as variables. Among the Lookup types, the JNDI Lookup was found to have a problem (CWE-20, CVE-2021-44228): Java class information referenced by an external URL or internal path included in the logged string is deserialized and executed. A remote attacker who can get a specially crafted string written to the vulnerable system's log could therefore have arbitrary Java code executed by that system.
The Apache Software Foundation has published the following information:

REF: https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
REF: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

  • Base CVSS Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • Versions Affected: all versions from 2.0-beta9 through 2.12.1 and from 2.13.0 through 2.15.0
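As an added example (not Canon Medical's code or guidance), the following Python script inventories Log4j 2 core jars on a host and checks each version against the affected ranges above; the jar locations and sample jars are constructed for the demonstration.

```python
# Added example (not Canon Medical's code): find Log4j 2 core jars on disk and
# check their version against the affected ranges quoted above.
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
AFFECTED = [((2, 0, 0), (2, 12, 1)), ((2, 13, 0), (2, 15, 0))]  # per advisory

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a '-beta9' style tag is dropped, so every 2.0
    pre-release is treated as affected (conservative on purpose)."""
    parts = [int(p) for p in text.split("-")[0].split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def inspect_jar(path):
    """Finding dict for a log4j-core jar, None for any other jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM_PROPS not in names:
            return None
        props = jar.read(POM_PROPS).decode("utf-8", "replace").splitlines()
        version = next((l.split("=", 1)[1].strip() for l in props
                        if l.startswith("version=")), "unknown")
    return {"path": str(path), "version": version, "affected": is_affected(version),
            "jndi_lookup_present": JNDI_CLASS in names}

def scan_dir(root):
    """Inspect every .jar under root (jars nested in WAR/EAR files are skipped)."""
    findings = [inspect_jar(p) for p in Path(root).rglob("*.jar")
                if zipfile.is_zipfile(p)]  # is_zipfile skips corrupt files
    return sorted((f for f in findings if f), key=lambda f: f["version"])

def demo():
    """Build two constructed sample jars in a temp dir and scan them."""
    root = Path(tempfile.mkdtemp())
    for version, with_jndi in (("2.14.1", True), ("2.17.0", False)):
        with zipfile.ZipFile(root / f"log4j-core-{version}.jar", "w") as jar:
            jar.writestr(POM_PROPS, f"version={version}\n")
            if with_jndi:
                jar.writestr(JNDI_CLASS, b"")
    return scan_dir(root)
```

Point scan_dir at an application directory; a jar whose version is in range, or that still contains JndiLookup.class, should be treated as affected until the vendor's fix is applied.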

Possibly Affected Canon Medical Systems Products:
The following Canon Medical Systems Corporation products do not use Apache Log4j.

  • CT Medical Imaging Products
  • MR Medical Imaging Products
  • UL Medical Imaging Products
  • XR Medical Imaging Products
  • NM Medical Imaging Products
  • Eye-Care Products
  • Canon DR Products (CXDI_NE) such as Omnera, FlexPro, Soltus
  • VL Infinix-i and Alphenix DFP
  • VL Infinix-i Angio Workstation (AWS)

Canon Medical Products that are affected:
  • Vitrea Advanced 7.x
  • VL Alphenix Angio Workstation (AWS)

Mitigations for affected systems:

Contact Us