Of the defensive strategies in this diagram, only WAF blocking may be an option with a FileMaker Server behind an appropriate firewall. This diagram from the Swiss government outlines the attack method involved, as well as several defensive options that may be applied. Log4j 1.2.x also has a number of other security vulnerabilities which will not be patched. On December 14, CVE-2021–4104 was published, which allows a similar attack as Log4Shell to be run on older versions of Log4j (1.2.x). The new exploit was patched with the release of Log4j 2.16. Shortly after Log4Shell was patched with the release of Log4j 2.15, a related vulnerability was identified and given the designation CVE-2021–45046. Log4Shell ( CVE-2021–44228) is a zero-day exploit that allows an attacker to trick Log4j2 (v2.0–v2.14) into downloading a malicious package that they want to run on your FileMaker Server. Log4j is a component that is included within many Java-based applications in order to log application activity and errors. What are the Log4j exploits (including Log4Shell)? We strongly urge users on FileMaker Server 17 or lower to take mitigation measures (outlined below in “How do I fix it?”), and to upgrade to FileMaker Server 19 as soon as possible. You should still prioritize upgrading to FileMaker 19, as all other versions are EOL and no longer supported.įileMaker Server 16 and 17 do use Log4j 1.2.15 which has a number of other vulnerabilities, including similarly threatening Remote Code Execution, and is no longer maintained. They have also confirmed that FileMaker Cloud and FileMaker Server 16 and 17 are not susceptible to these specific exploits. Claris Official responseĬlaris has announced that FileMaker Cloud, FileMaker Server 18, and FileMaker Server 19 do not use Log4j2 and are NOT vulnerable to Log4Shell (CVE-2021–44228), or to the subsequent CVE-2021–45046. This blog post is based on work from many members of the community, please see the Thanks section for details. Can you fix Log4Shell on your FileMaker Server? Do you even need to? This post attempts to summarize the latest information available about mitigating the impact of the Log4j exploit on FileMaker Server. You may have seen recent news, or received customer inquiries, about a major security vulnerability going around the internet.
0 kommentar(er)
