SE-SRT-2024-DEMO-001: Log4Shell affects DEMO

Publisher: sematicon AG Document category: csaf_security_advisory
Initial release date: 2024-04-19T10:00:00.000Z Engine: Secvisogram 2.5.1
Current release date: 2024-04-19T10:00:00.000Z Build Date: 2024-04-19T16:04:01.110Z
Current version: 1.0.0 Status: final
CVSSv3.1 Base Score: 10 Severity: Critical
Original language: Language: en-US
Also referred to:

Summary

This is a demo product.

Product Description

This is a demo product.

Vulnerabilities

Log4Shell (CVE-2021-44228)

CVE description

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CWE: CWE-502: Deserialization of Untrusted Data

Product status

Known affected
Product                CVSS-Vector                                      CVSS Base Score
sematicon AG DEMO 1.0  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H     10
Fixed
Under investigation

Remediations

Vendor fix (2023-12-14T11:00:00.000Z)

Update to version 1.1 or later, which ships a fixed version of the affected log4j-core component.

For products:

https://example01.test/downloads/?p=abcd&v=1.1

References

sematicon AG

Namespace: https://sematicon.com

sematicon AG Security Response Team can be reached at srt@sematicon.com, or via our website at https://security.sematicon.com.

sematicon AG is responsible for vulnerabilities related to their product lines.

References

Revision history

Version Date of the revision Summary of the revision
1.0.0 2024-04-19T10:00:00.000Z Initial version

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/

Legal disclaimer

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. sematicon AG reserves the right to change or update this document at any time. By using this service you agree to act according to the Traffic Light Protocol in the version this document is based on. All information is provided under confidentiality.