Several vulnerabilities were recently discovered that affect systems and software running Apache Log4j. More information about these vulnerabilities can be found here:
National Vulnerability Database - CVE-2021-44228 (nist.gov)
National Vulnerability Database - CVE-2021-45046 (nist.gov)
National Vulnerability Database - CVE-2021-45105 (nist.gov)
This is an industry-wide vulnerability affecting Apache Log4j itself and is not specific to Metalogix Essentials for Office 365.
How does this affect me?
Metalogix Essentials 2.9 ships with Log4j version 2.13, which is susceptible to CVE-2021-44228 and potentially to CVE-2021-45046 and CVE-2021-45105.
Metalogix Essentials is an on-premises product which is installed within the protected perimeter of the customer’s environment.
As such, the exploitability of these vulnerabilities is more limited, and consequently the overall risk to the customer environment or data is lower than the published severity of CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
Metalogix Essentials 2.7 and 2.8 are not affected by CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 as these versions ship with Log4j version 1.x with no JMSAppender extension.
We recommend nonetheless that customers using 2.7 or 2.8 update as well to the latest version.
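To confirm which of the cases above applies to a given installation, the bundled jars can be inspected directly. The script below is an added example, not Quest's code: it reports the log4j-core version and whether a Log4j 1.x jar contains the JMSAppender class. The directory to scan is supplied by the caller, the marker entries are this example's assumptions, and the 2.17.0 cut-off comes from the upstream Apache release notes rather than this page.

```python
import io, re, sys, zipfile
from pathlib import Path

# Marker entries; treating them as reliable fingerprints is an assumption of this example.
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J2_PREFIX = "META-INF/maven/org.apache.logging.log4j/"
LOG4J1_LOGGER = "org/apache/log4j/Logger.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"

def classify_jar(jar):
    """Return (kind, version) for a jar path or file object. Nested jars are not unpacked."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if CORE_POM in names:
            props = zf.read(CORE_POM).decode("utf-8", "replace")
            m = re.search(r"^version=(\S+)", props, re.M)
            return ("log4j2-core", m.group(1) if m else "unknown")
        # The Log4j 2 "1.2 bridge" jar also carries org/apache/log4j classes; skip it.
        if LOG4J1_LOGGER in names and not any(n.startswith(LOG4J2_PREFIX) for n in names):
            kind = "log4j1-with-JMSAppender" if JMS_APPENDER in names else "log4j1-no-JMSAppender"
            return (kind, "1.x")
    return ("other", None)

def needs_review(kind, version):
    """True when a jar falls outside the cases the advisory describes as unaffected."""
    if kind == "log4j2-core":
        # Cut-off taken from upstream Apache release notes (assumption, not from this page).
        return tuple(int(n) for n in re.findall(r"\d+", version)[:3]) < (2, 17, 0)
    return kind == "log4j1-with-JMSAppender"

def scan(root):
    """Map every readable jar under root to (kind, version, needs_review)."""
    out = {}
    for p in sorted(Path(root).rglob("*.jar")):
        if zipfile.is_zipfile(p):
            kind, ver = classify_jar(p)
            out[str(p)] = (kind, ver, needs_review(kind, ver))
    return out

def make_sample_jar(entries):
    """Build a constructed in-memory jar (test data only) from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Usage: python this_script.py <install directory>; the path is the caller's to supply.
    for path, result in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, *result)
```

Jars flagged `True` in the last column are the ones to compare against the statements above; fat jars that embed Log4j inside another archive are not detected by this check.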
Resolution
To resolve this issue, download Metalogix Essentials 2.9.0.6.
Please review knowledge base article 336000 for further details on this issue.
We apologize for the inconvenience this issue may have caused and look forward to assisting you in the future.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.