Impact of Log4j vulnerability on GFI

A new zero-day vulnerability, formally known as CVE-2021-44228, was published on the NIST National Vulnerability Database on Friday, December 10. It affects the Log4j Java library.

Log4j is a popular open source logging library maintained by the Apache Software Foundation. The vulnerability found in Log4j allows an attacker to execute arbitrary code remotely on an affected system. The severity of the vulnerability is classified as “Critical” by NIST.

How are GFI products impacted?

The GFI development team is reviewing our products for use of Log4j.

A function of Kerio Connect utilizes Log4j, and a recommended mitigation is identified below.

If we identify any additional recommended mitigations, we will provide a follow-up communication. Additional information, when available, will also be posted on this page.

Kerio Connect vulnerability mitigation

Log4j is used in Kerio Connect as part of the chat function. We recommend that all Kerio Connect users temporarily disable the chat function in the software.

To disable chat in Kerio Connect:

  1. Go to Configuration.
  2. Click on Domains.
  3. Double-click on the desired domain.
  4. Find the “Chat” section on the General tab.
  5. Deselect the “Enable chat in Kerio Connect Client” option.
  6. Repeat the above steps for all of your email domains.

Kerio Connect security hotfix

Work has already started on a security hotfix for Kerio Connect. We intend to deliver a public release in the next few days.

We will send a follow-up notification to all Kerio Connect customers at your registered email when the release is available.


Update 2021. 12. 21.

We are pleased to announce that Kerio Connect 9.3.1p2 is available. This security release addresses the vulnerability related to Log4j, formally known as CVE-2021-44228.

Release notes:

  • Apache Log4j 2 library upgraded to version 2.16.0 (fixing the CVE-2021-44228 vulnerability)

The new version can be downloaded from the GFI Upgrade Center.

We recommend that all Kerio Connect customers install version 9.3.1p2 as soon as possible.

Once Kerio Connect 9.3.1p2 is deployed, the chat function can be safely re-enabled.

Update 2022. 01. 13.

We are pleased to announce the release of Kerio Connect 9.4. This latest version introduces several key security enhancements, including an upgrade to Log4j 2.17.0, which resolves the denial-of-service vulnerability CVE-2021-45105 that was present in the previous version.

The complete list of release notes is available on our website.

The new version can be downloaded from the GFI Upgrade Center.

We recommend that all Kerio Connect customers install version 9.4 as soon as possible.

Update 2022. 01. 14.

The GFI development team has reviewed our products for use of Log4j. Here are the results of the assessment:

Product                      Result                                 How to fix
Exinda Network Orchestrator  Not impacted
Exinda SD-WAN                Not impacted
GFI Archiver                 Not impacted
GFI EndPointSecurity         Not impacted
GFI EventsManager            Not impacted
GFI FaxMaker                 Not impacted
GFI Helpdesk                 Not impacted
GFI LanGuard                 Not impacted
GFI MailEssentials           Not impacted
Kerio Connect                Impacted (version 9.3.1p1 and below)   Upgrade to version 9.4
Kerio Control                Not impacted
Kerio Operator               Not impacted
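The two updates above tie each fixed Kerio Connect release to a specific Log4j version (2.16.0 for CVE-2021-44228, 2.17.0 for CVE-2021-45105). An administrator verifying an upgrade will want to confirm which log4j-core JAR is actually on disk rather than trust the product version alone. The following script is an added example written for this page; it is not GFI code and knows nothing about Kerio Connect's install layout. It walks a directory tree, reads the version of every `log4j-core-*.jar` it finds (from the JAR manifest's Implementation-Version entry, which it assumes is present, with the filename as a fallback) and classifies it against the two thresholds named in the advisory. The sample JARs it scans are constructed in a temporary directory so the script runs offline.

```python
"""Scan a directory tree for Log4j 2 'log4j-core' JARs and classify each one
against the fixed versions named in the advisory:
2.16.0 (CVE-2021-44228) and 2.17.0 (CVE-2021-45105).
Example code added for this page; not GFI's or Apache's own tooling.
"""
import os
import re
import tempfile
import zipfile

# Thresholds taken from the advisory text.
FIXED_44228 = (2, 16, 0)
FIXED_45105 = (2, 17, 0)

# Assumption: Log4j 2 core JARs are named "log4j-core-<major>.<minor>.<patch>.jar".
_NAME_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
# Assumption: the JAR manifest carries an Implementation-Version entry.
_MANIFEST_VERSION_RE = re.compile(
    r"^Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", re.M)


def jar_version(path):
    """Return (major, minor, patch) for a log4j-core JAR, or None.

    The manifest is authoritative; the filename is only a fallback for JARs
    that cannot be opened or lack the manifest entry.
    """
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = _MANIFEST_VERSION_RE.search(manifest)
        if m:
            return tuple(int(x) for x in m.groups())
    except (OSError, zipfile.BadZipFile, KeyError):
        pass
    m = _NAME_RE.match(os.path.basename(path))
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version):
    """Map a log4j-core version tuple to a status string."""
    if version is None:
        return "unknown version"
    if version < FIXED_44228:
        return "VULNERABLE to CVE-2021-44228 (upgrade required)"
    if version < FIXED_45105:
        return "CVE-2021-44228 fixed; CVE-2021-45105 (DoS) still present"
    return "fixed"


def scan(root):
    """Walk root; return {path relative to root: status} for each log4j-core JAR."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                results[os.path.relpath(path, root)] = assess(jar_version(path))
    return results


def build_sample_tree():
    """Constructed sample: three minimal JARs whose manifests sit at the
    advisory's three version points (pre-fix, 2.16.0, 2.17.0)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    for ver in ("2.14.1", "2.16.0", "2.17.0"):
        path = os.path.join(root, f"log4j-core-{ver}.jar")
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {ver}\r\n")
    return root


if __name__ == "__main__":
    # Replace build_sample_tree() with the real installation directory to scan it.
    for name, status in sorted(scan(build_sample_tree()).items()):
        print(f"{name}: {status}")
```

Pointing `scan()` at the product's installation directory instead of the constructed sample tree gives the same report for real JARs; any entry other than `fixed` after deploying 9.4 would mean the upgrade did not replace the library it was supposed to.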