SUPPORT COMMUNICATION - SECURITY BULLETIN – MF Connect

Potential Security Impact: remote code execution

VULNERABILITY SUMMARY

Two potential vulnerabilities have been identified in the Apache log4j library used by MF Connect.

The vulnerability could be exploited to allow remote code execution.

CVE References: CVE-2021-44228, CVE-2021-45046

SUPPORTED SOFTWARE VERSIONS (ONLY impacted versions are listed):

MF Connect – all versions up to and including 4.4.1

CVSS Version 3.1 Metrics:

| Reference | V3.1 Vector | V3.1 Base Score |
|---|---|---|
| CVE-2021-44228 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 10 - CRITICAL |
| CVE-2021-45046 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.7 - LOW |


RESOLUTION:

Hotfix 7 for MF Connect 4.4.1 addresses both vulnerabilities by using log4j-core-2.16.0.
Please download the hotfix from the MF Connect Core marketplace page and carefully read and follow the accompanying install instructions: https://marketplace.microfocus.com/appdelivery/content/micro-focus-connect-core

If you are using an older version of MF Connect, we strongly urge you to upgrade as soon as possible. If this is not possible, please refer to the attached document for mitigation guidance.

For the latest mitigation guidance, please refer to https://logging.apache.org/log4j/2.x/security.html.
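
One way to confirm after patching that no log4j-core copy older than 2.16.0 remains under an installation directory, including copies bundled inside WAR or JAR archives. This is an added example, not part of the bulletin or of Micro Focus tooling; the directory to scan is passed as an argument, and the check assumes jars keep the standard log4j-core-<version>.jar file name.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

FIXED = (2, 16, 0)  # log4j-core version the bulletin says Hotfix 7 uses
ARCHIVES = (".jar", ".war", ".ear", ".zip")
# Assumption: jars keep the standard log4j-core-<version>.jar file name.
JAR_NAME = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")

def version_from_name(name):
    """Return (major, minor, patch) for a log4j-core jar name, else None."""
    m = JAR_NAME.search(name.replace("\\", "/"))
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_archive(source, label, findings, depth=0):
    """Look inside an archive, recursing into nested jars/wars (max 3 deep)."""
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return  # not a readable archive; nothing to inspect
    with zf:
        for entry in zf.namelist():
            inner = f"{label}!{entry}"
            version = version_from_name(entry)
            if version:
                findings.append((inner, version))
            if entry.lower().endswith(ARCHIVES) and depth < 3:
                scan_archive(io.BytesIO(zf.read(entry)), inner, findings, depth + 1)

def scan_tree(root):
    """Collect (location, version) for every log4j-core jar under root."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        version = version_from_name(path.name)
        if version:
            findings.append((str(path), version))
        if path.suffix.lower() in ARCHIVES:
            scan_archive(path, str(path), findings)
    return findings

def outdated(findings):
    return [(loc, ver) for loc, ver in findings if ver < FIXED]

if __name__ == "__main__":
    hits = outdated(scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."))
    for loc, ver in hits:
        print("below 2.16.0:", loc, ".".join(map(str, ver)))
    sys.exit(1 if hits else 0)
```

The script exits non-zero when it finds an older copy, so it can gate a post-patch verification step. Renamed or shaded jars will not match the file-name pattern and need a separate check.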
