Apache Log4j Vulnerability (CVE-2021-44228)
Summary
A zero-day vulnerability was disclosed on December 9, 2021 in the Apache Log4j logging utility. This tool is included in, and leveraged by, many other software products, and as such other systems need to be evaluated for this vulnerability. Alpha Software has analyzed our software products, services, and internal systems and detailed the results below.
Alpha Software Analysis
Affected Supported Alpha Software Products: None
Remediation Required: None
Alpha Anywhere, Alpha Anywhere Application Server, and Alpha Anywhere Application Server for IIS do not use or include Apache Log4j in any way. As such, none of these software products are impacted by the recently discovered vulnerability and no remediation is necessary.
Affected Alpha Software Services: Alpha Cloud, TransForm
Remediation Required: None
Alpha Cloud uses Alpha Anywhere Application Server for IIS, which as discussed above has no vulnerability related to Apache Log4j. However, Alpha Cloud is hosted on Amazon Web Services (AWS) and AWS in turn does use Apache Log4 j in various ways. AWS has already addressed these issues, as detailed at https://aws.amazon.com/security/secu.../AWS-2021-006/
TransForm is built using Alpha Anywhere and is hosted on Alpha Cloud. By way of being hosted on Alpha Cloud, TransForm too is dependent on AWS, which has already completed remediation as detailed above.
Affected Unsupported Alpha Software Products: Unknown
Remediation Required: Unknown
All versions of Alpha Software products prior to Alpha Anywhere (e.g. Alpha Five, Alpha Four, etc.) have had official support discontinued. As such, these products have not been evaluated for any vulnerabilities. No guarantee can be made regarding this vulnerability or any other vulnerabilities in these products. All users of these older versions are strongly encouraged to update to a current release of Alpha Anywhere which is officially supported by Alpha Software.
Additional Customer Action
As Apache Log4j is so widely used in many systems, Alpha Software urges all customers to fully evaluate all systems in use in their environment and update any use of Log4j to the latest version as soon as possible. While Alpha Software's products and services are not directly impacted by this vulnerability, other software running on customer systems may be, which could lead to the potential compromise of a system on which Alpha Software products are running.
Additional Alpha Software Action
Security is a top concern at Alpha Software and as such we continue to monitor developments related to this vulnerability and will reevaluate software and systems as needed based on any new information.
Summary
A zero-day vulnerability was disclosed on December 9, 2021 in the Apache Log4j logging utility. This tool is included in, and leveraged by, many other software products, and as such other systems need to be evaluated for this vulnerability. Alpha Software has analyzed our software products, services, and internal systems and detailed the results below.
Alpha Software Analysis
Affected Supported Alpha Software Products: None
Remediation Required: None
Alpha Anywhere, Alpha Anywhere Application Server, and Alpha Anywhere Application Server for IIS do not use or include Apache Log4j in any way. As such, none of these software products are impacted by the recently discovered vulnerability and no remediation is necessary.
Affected Alpha Software Services: Alpha Cloud, TransForm
Remediation Required: None
Alpha Cloud uses Alpha Anywhere Application Server for IIS, which as discussed above has no vulnerability related to Apache Log4j. However, Alpha Cloud is hosted on Amazon Web Services (AWS) and AWS in turn does use Apache Log4 j in various ways. AWS has already addressed these issues, as detailed at https://aws.amazon.com/security/secu.../AWS-2021-006/
TransForm is built using Alpha Anywhere and is hosted on Alpha Cloud. By way of being hosted on Alpha Cloud, TransForm too is dependent on AWS, which has already completed remediation as detailed above.
Affected Unsupported Alpha Software Products: Unknown
Remediation Required: Unknown
All versions of Alpha Software products prior to Alpha Anywhere (e.g. Alpha Five, Alpha Four, etc.) have had official support discontinued. As such, these products have not been evaluated for any vulnerabilities. No guarantee can be made regarding this vulnerability or any other vulnerabilities in these products. All users of these older versions are strongly encouraged to update to a current release of Alpha Anywhere which is officially supported by Alpha Software.
Additional Customer Action
As Apache Log4j is so widely used in many systems, Alpha Software urges all customers to fully evaluate all systems in use in their environment and update any use of Log4j to the latest version as soon as possible. While Alpha Software's products and services are not directly impacted by this vulnerability, other software running on customer systems may be, which could lead to the potential compromise of a system on which Alpha Software products are running.
Additional Alpha Software Action
Security is a top concern at Alpha Software and as such we continue to monitor developments related to this vulnerability and will reevaluate software and systems as needed based on any new information.