Canon Medical Systems Security Advisory
Overview:
It was announced that there are security vulnerabilities in Apache Log4j, a Java-based logging library provided by The Apache Software Foundation. On a server running Apache Log4j, a remote attacker could execute arbitrary code by sending specially crafted data that exploits these vulnerabilities.
Vulnerability Overview:
Log4j has a Lookup function that evaluates some values as variables from the character string described in the log. Among the Lookup functions, by exploiting the JNDI Lookup function, the problem (CWE-20, CVE-2021-44228) was discovered that Java class information is deserialized and executed from the external URL or internal path included in the log. This could allow a remote attacker to log a specially crafted string into the vulnerable system's log, resulting in arbitrary Java code being executed by the system. CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 were also reported after CVE-2021-44228. All vulnerabilities were fixed in the latest Log4j version (2.17.1).
The Apache Software Foundation has published the following information:
REF: https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
REF: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
-Base CVSS Score :
CVE-2021-44228 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2021-45046 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2021-45105 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-2021-44832 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
-Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.17.1
Possible Affected Canon Medical Systems Products:
The following Canon Medical Systems Corporation products are not using Apache Log4j.
© CANON MEDICAL SYSTEMS CORPORATION
© CANON MEDICAL SYSTEMS CORPORATION
The site you see is the Canon Medical Global website. If you choose region / language, we will link to each regional site.