Goodmill Products in relation to CVE-2021-44228 impacting Apache Log4j

13.12.2021

The zero-day vulnerability CVE-2021-44228 impacting Apache Log4j affects Goodmill Management Servers. Other Goodmill products and services are unaffected.

The Management Server uses an Elasticsearch log database, which utilizes a vulnerable Log4j version. Elasticsearch is protected against remote code execution by the Java Security Manager. However, an information leak via DNS might be possible. The leak does not give access to the log database, but some environmental information may be leaked.

As a security measure, Goodmill Systems will disable Log4j message lookups with the property log4j2.formatMsgNoLookups on all Elasticsearch instances in our Management Servers. Customers managing their own instances are recommended to do the same.

Our routers and other services do not utilize Log4j.
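
For customers managing their own instances, one way to verify the Elasticsearch mitigation described above (an added example, not Goodmill's or Elastic's own tooling). It assumes the property is applied as the JVM option `-Dlog4j2.formatMsgNoLookups=true` in `jvm.options` or `jvm.options.d/*.options` under the Elasticsearch config directory, as the linked Elastic advisory describes; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Audit an Elasticsearch config directory for the Log4j lookup mitigation.
# Does not cover options passed only through the ES_JAVA_OPTS environment variable.

# Print the value this file assigns to log4j2.formatMsgNoLookups (lowercased),
# or nothing if the file has no active line for it.
nolookups_value() {
    # Commented lines do not match. An optional Java-version prefix in
    # jvm.options syntax ("8:", "8-:" or "8-13:") is accepted.
    sed -n -E 's/^[[:space:]]*([0-9]+(-[0-9]*)?:)?-Dlog4j2\.formatMsgNoLookups=([A-Za-z]+)[[:space:]]*$/\3/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Return 0 if the effective setting is "true", 1 if it is missing or overridden.
# Files are read in the order jvm.options, then jvm.options.d/*.options sorted
# by name; a later definition replaces an earlier one.
check_nolookups() {
    conf_dir=$1
    result=""
    for f in "$conf_dir/jvm.options" "$conf_dir"/jvm.options.d/*.options; do
        [ -f "$f" ] || continue
        v=$(nolookups_value "$f")
        if [ -n "$v" ]; then result=$v; fi
    done
    [ "$result" = "true" ]
}

report() {
    if check_nolookups "$1"; then echo "$2: mitigated"; else echo "$2: NOT mitigated"; fi
}

# Constructed sample layout (not taken from a real server).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/jvm.options.d"
# Case 1: the option is present but commented out, so it has no effect.
printf '%s\n' '-Xms1g' '# -Dlog4j2.formatMsgNoLookups=true' > "$demo_dir/jvm.options"
report "$demo_dir" "commented-out line only"
# Case 2: an active line in a drop-in file, with a version prefix.
printf '%s\n' '8-:-Dlog4j2.formatMsgNoLookups=true' > "$demo_dir/jvm.options.d/log4j.options"
report "$demo_dir" "drop-in file added"
rm -rf "$demo_dir"
```

On a real host, call `check_nolookups` with the instance's config directory, and restart Elasticsearch after changing JVM options so that the setting takes effect.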

More info:
https://logging.apache.org/log4j/2.x/security.html
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
https://www.kyberturvallisuuskeskus.fi/en/varoitus_5/2021