CyberFlood v21.7 & Avalanche v5.27: Announcing new security fix for Log4j Vulnerabilities CVE-2021-44228 and CVE-2021-45046

Knowledge Base - FAQ

Announcing CyberFlood v21.7.1025 and Avalanche v5.27.1286 Releases

VIAVI is pleased to announce updated security releases of CyberFlood v21.7 and Avalanche v5.27 which include the fix for the Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046.

On December 9th, 2021, vulnerabilities in Log4j, the logging library used widely across the Java ecosystem, were publicly disclosed and, because of their severity and widespread impact, drew global attention. The vulnerabilities allow an attacker to achieve remote code execution through the insecure JNDI lookup feature that Log4j exposes via message lookup patterns in logged data.

VIAVI confirmed that Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) resolve this issue by removing support for message lookup patterns and disabling JNDI functionality by default. (Log4j 2.15.0 addressed CVE-2021-44228 but left CVE-2021-45046 open, which is why 2.16.0 is the baseline.)

Impact to Avalanche Commander UI: exposed through the utilization of Log4j 1.x. No other application or functionality within Avalanche Commander used Log4j.

Impact to CyberFlood Controller: exposed through the utilization of Log4j 1.x. No other application or functionality within the CyberFlood Controller software used Log4j.

Mitigation: VIAVI has updated the most recent releases of CyberFlood v21.7 and Avalanche v5.27. To mitigate this vulnerability, we recommend that customers upgrade to the latest GA releases immediately.

VIAVI has also reviewed Log4j 2.17.0. That release fixes CVE-2021-45105, which concerns specific context lookup functionality that CyberFlood and Avalanche do not use or implement. CyberFlood and Avalanche are therefore not impacted by CVE-2021-45105, and the 2.16.0 implementation is sufficient.
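A practitioner who has just applied the upgrade will want to confirm that no Log4j jar below the fixed releases remains on the host. The script below is an added example, not VIAVI tooling or part of the product: it walks a directory tree, reads each Log4j jar's manifest Implementation-Version (falling back to the file name), and judges it against the thresholds stated above, 2.12.2 for the Java 7 (2.12.x) line and 2.16.0 for every other 2.x version. The scan root and the jar names are assumptions; demo() builds constructed stand-in jars in a temporary directory so the check runs offline. Presence of JndiLookup.class is reported as informational only, because 2.16.0 still ships that class with JNDI disabled.

```python
"""Check which Log4j jars on a host are at or above the fixed releases named in
this advisory: 2.16.0 for the Java 8 line and 2.12.2 for the Java 7 line.
Added example, not VIAVI tooling; the sample jars built by demo() are
constructed stand-ins, and the scan root is an assumption (pass your own)."""
import os
import re
import tempfile
import zipfile

FIXED_JAVA8 = (2, 16, 0)   # from the advisory
FIXED_JAVA7 = (2, 12, 2)   # from the advisory
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a version string or jar file name, else None."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(version):
    """Classify a Log4j version: 'fixed', 'upgrade', 'log4j-1.x' or 'unknown'.

    The 2.12.x line is the Java 7 branch and is judged against 2.12.2;
    every other 2.x version is judged against 2.16.0. 2.15.0 deliberately
    lands in 'upgrade' because it left CVE-2021-45046 open."""
    if version is None:
        return "unknown"
    major, minor, _patch = version
    if major == 1:
        return "log4j-1.x"            # advisory says: move to the GA release
    if major != 2:
        return "unknown"
    threshold = FIXED_JAVA7 if minor == 12 else FIXED_JAVA8
    return "fixed" if version >= threshold else "upgrade"


def inspect_jar(path):
    """Return (version, has_jndi_lookup_class) for one jar.

    The manifest's Implementation-Version wins over the file name, since
    vendors sometimes rename or shade jars. A present JndiLookup.class is
    informational only: 2.16.0 still ships it, but with JNDI disabled."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            version = None
            if "META-INF/MANIFEST.MF" in names:
                manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
                if m:
                    version = parse_version(m.group(1))
            if version is None:
                version = parse_version(os.path.basename(path))
            return version, JNDI_LOOKUP_CLASS in names
    except zipfile.BadZipFile:
        return None, False


def scan(root):
    """Walk root; return {jar_basename: (version, verdict, has_jndi_lookup)}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().startswith("log4j") and name.lower().endswith(".jar"):
                version, has_jndi = inspect_jar(os.path.join(dirpath, name))
                findings[name] = (version, assess(version), has_jndi)
    return findings


def _write_sample_jar(path, impl_version, with_jndi_class):
    """Build a minimal jar (constructed stand-in, not a real Log4j build)."""
    with zipfile.ZipFile(path, "w") as jar:
        if impl_version:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\nImplementation-Version: {impl_version}\n")
        if with_jndi_class:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo():
    """Scan a constructed tree of sample jars and return the verdicts."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        _write_sample_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)
        _write_sample_jar(os.path.join(lib, "log4j-core-2.16.0.jar"), "2.16.0", True)
        _write_sample_jar(os.path.join(lib, "log4j-core-2.12.2.jar"), "2.12.2", True)
        _write_sample_jar(os.path.join(lib, "log4j-1.2.17.jar"), None, False)
        # Renamed jar: the manifest, not the file name, must decide the version.
        _write_sample_jar(os.path.join(lib, "log4j-core-vendor.jar"), "2.15.0", True)
        return scan(root)


if __name__ == "__main__":
    for jar, (version, verdict, has_jndi) in sorted(demo().items()):
        print(f"{jar:28} {version!s:14} {verdict:10} JndiLookup.class={has_jndi}")
```

To check a real installation, call scan() with the product's install directory instead of demo(); any jar reported as "upgrade" or "log4j-1.x" means the fixed release has not fully landed and the upgrade notes below apply. Embedded or shaded copies of Log4j inside other jars are not unpacked by this check and would need a nested scan.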
Upgrade notes

- Avalanche Commander UI: users must uninstall 5.27.1076 before installing 5.27.1286.
- Avalanche TCL users need to update to Java 8 and CentOS 6.10 to support 5.27.1286 (see the Avalanche release notes for the full list of supported OS versions).
- CyberFlood Controller: must be running 21.7.1014 before updating to 21.7.1025.
- CyberFlood Virtual: the CyberFlood Virtual instance (CFv) was not impacted by this vulnerability. However, if you upgrade to CyberFlood Controller v21.7, you must match the correct CFv instance version. More information can be found on support.VIAVI.com at FAQ19829.

Where to get more release information

For important information on this security release for Avalanche, see release notes DOC12376.
For important information on this security release for CyberFlood, see release notes DOC12379.

If you need more information or assistance, please contact support@VIAVI.com.