January 2022
Critical vulnerabilities in Apache Log4Shell version and impact on FUJITSU Enterprise Postgres
Overview
Security is always a critical topic of discussion and concern for all organizations, and the recent critical Log4Shell security vulnerability CVE-2021-44228 was no different. This critical vulnerability affected almost the entire IT industry.
This vulnerability was given CVSS rating of 10.0, and immediate action was required to stop applications from being exposed. Compromised applications could be serious candidates to be exposed by a malicious entity, and organizations were on the verge of compromising security.
In light of this vulnerability, old Log4j vulnerabilities such as CVE-2019-17571 and CVE-2021-4104 were also reviewed, and it was identified that Log4j 1.x versions were also exposed to this vulnerability in certain configurations.
Fujitsu’s take on security issues
Fujitsu is committed to providing secure products and hence considers security very seriously. Post this vulnerability, Fujitsu did the study of vulnerability and impact analysis on all Fujitsu enterprise products, including FUJITSU Enterprise Postgres.
Fujitsu analysis
Fujitsu analyzed both Log4j 1.x and Log4j 2.x impact on all the supported versions of FUJITSU Enterprise Postgres and concluded the following:
- Log4j 1.x: Fujitsu identified that the reported vulnerabilities are only applicable in non-default configuration and exposed when ‘SocketServer’ functionality and ‘JMSAppender’ feature are used by the applications. Since FUJITSU Enterprise Postgres does not use either of those, ‘CVE-2019-17571 ‘and ‘CVE-2021-4104’ do not impact the product.
- Log4j 2.x: Fujitsu identified that the product is not affected by CVE-2021-44228, as this vulnerability was reported in Log4j 2.x version, however FUJITSU Enterprise Postgres does not use Log4j 2.x.
No impact on customer operations
‘CVE-2021-44228’ , ‘CVE-2021-4104’ and ‘CVE-2019-17571’ are not applicable to FUJITSU Enterprise Postgres, and hence, there is no impact on customer’s environment, therefore no further action is required.
Note about documentation mismatch
As explained above, there are no security issues identified in FUJITSU Enterprise Postgres - however, a minor issue was found in the documentation of products and versions of FUJITSU Enterprise Postgres listed below, where the file OSS_List.pdf (bundled in the installation media) provides mistmatched information regarding Log4j version (it shows version ‘2.12.0’ instead of ‘1.2.17’). This is just a mismatch in the documentation provided , and Fujitsu will address the documentation fix separately
The mismatched information is provided in the documentation for the products/versions below:
- FUJITSU Enterprise Postgres Advanced Edition
Versions: 12, 12 SP1 ,13, 13 SP1 - FUJITSU Enterprise Postgres Advanced Edition for Linux on Z
Versions: 12, 12 SP1,13 - FUJITSU Enterprise Postgres Advanced Edition Operator for Kubernetes
Versions: 12, 13