Apache Log4j 2 Vulnerability (CVE-2021-44228)

December 16, 2021 | KB: 1014344
Laserfiche

Summary

Laserfiche is aware of the publicly disclosed Apache Log4j 2 remote code execution vulnerability described in CVE-2021-44228.

Our downloadable software products, including Laserfiche Rio and Laserfiche Avante, do not ship with or use Log4j 2. Laserfiche Cloud, which is our multitenant SaaS platform, has some backend systems that use some versions of Log4j 2. Patches have already been applied to Laserfiche Cloud to mitigate the vulnerability.

This article summarizes any potential impacts to Laserfiche products.

Laserfiche Self-hosted and Locally Installed Products and Modules

Laserfiche's downloadable software products, including Laserfiche Rio and Laserfiche Avante, do not ship with or use Log4j 2. Some of these Laserfiche software products use Log4Net, a .NET port of Log4j that is not affected by CVE-2021-44228. Please see the following from Apache:

Laserfiche Cloud

Laserfiche Cloud contains some backend systems that use Log4j 2. Security testing has not identified any exploitable vulnerabilities related to this issue in Laserfiche Cloud. As a standard preventative measure, the associated backend systems have been patched to mitigate the vulnerability.

Laserfiche Cloud relies on select AWS services that may also be impacted by the vulnerability. Amazon has stated that they are working on addressing the issue for any AWS services which use Log4j 2. Please see the following statement from Amazon on the vulnerability:

Other Mitigations

We also recommend that customers check whether any integrations or other non-Laserfiche software may be impacted, and check for available patches.
