Madsonic Newsletter 01/2022

About Madsonic / Announcements and discussion of new releases.
Madsonic
Administrator
Posts: 984
Joined: 07 Dec 2012, 03:58
Answers: 7
Has thanked: 1201 times
Been thanked: 470 times

Madsonic Newsletter 01/2022



Dear Madsonic Community!


Log4j: about vulnerability

Log4j is an open-source Java logging library developed by the Apache Foundation. It is widely used in many applications and is present in many services as a dependency.

In December 2021, a number of vulnerabilities were reported in Log4j:

CVE-2021-44228 - referred to as the "Log4shell" vulnerability, affects Log4j versions 2.0-beta9 to 2.14.1. It allows remote code execution and information disclosure if exploited.

CVE-2021-45046 - affects versions 2.0-beta9 to 2.15.0, excluding 2.12.2, and was originally reported as a Denial of Service when organisations are running a vulnerable non-standard configuration. Later research found that the same vulnerable configuration allowed a bypass of the mitigations to Log4shell, allowing remote code execution and information disclosure.

CVE-2021-45105 - affects Log4j versions from 2.0-beta9 to 2.16.0 – A similar denial of service issue to CVE-2021-45046 when organisations are running a vulnerable non-standard configuration.

CVE-2021-44832 - Remote code execution vulnerability affecting Log4j2 versions 2.0-beta7 through 2.17.0, excluding security fixes for 2.3.2 and 2.12.4. (Fixed by upgrading to 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).)

https://logging.apache.org/log4j/2.x/security.html

Updates

Madsonic does not use the log4j-core 2.x implementation; only the non-vulnerable 1.x API implementation was used.
However, as a precaution, all dependent libraries in Madsonic 5/6/7 have been updated.

Info

Madsonic updates will be released after testing on 01/24/2022

https://www.madsonic.org/pages/download.jsp

best regards,
The Madsonic Team
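As an added example (not part of the original post and not Madsonic's code), the following Python sketch maps a jar file name to the CVEs listed in the newsletter above, using only the version ranges the post states. The names `RANGES`, `version_key` and `cves_for_jar` and the sample jar names are constructed for illustration.

```python
import re

# Affected ranges exactly as listed in the post: (first, last, excluded).
# The post names exclusions for only two CVEs, so backport releases may be
# over-reported; confirm against the Apache security page linked in the post.
RANGES = {
    "CVE-2021-44228": ("2.0-beta9", "2.14.1", ()),
    "CVE-2021-45046": ("2.0-beta9", "2.15.0", ("2.12.2",)),
    "CVE-2021-45105": ("2.0-beta9", "2.16.0", ()),
    "CVE-2021-44832": ("2.0-beta7", "2.17.0", ("2.3.2", "2.12.4")),
}
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-releases sort before the release (3)
JAR_RE = re.compile(r"^(log4j(?:-[a-z0-9]+)*?)-(\d+(?:\.\d+)*(?:-(?:alpha|beta|rc)\d+)?)\.jar$")


def version_key(version):
    """Sortable key so that 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1."""
    numbers, _, qualifier = version.partition("-")
    parts = [int(p) for p in numbers.split(".")]
    parts += [0] * (3 - len(parts))
    if not qualifier:
        return (*parts, 3, 0)
    name, num = re.fullmatch(r"([a-z]+)(\d+)", qualifier).groups()
    return (*parts, PRE_RANK[name], int(num))


def cves_for_jar(filename):
    """CVEs from the post whose range covers this jar; [] for log4j-api and 1.x jars."""
    m = JAR_RE.match(filename)
    if not m or m.group(1) != "log4j-core":
        return []
    version = m.group(2)
    key = version_key(version)
    return [
        cve
        for cve, (first, last, excluded) in RANGES.items()
        if version_key(first) <= key <= version_key(last) and version not in excluded
    ]


if __name__ == "__main__":
    # Constructed jar names, as they might appear in an application's lib directory.
    for jar in ("log4j-1.2.17.jar", "log4j-api-2.17.1.jar",
                "log4j-core-2.0-beta8.jar", "log4j-core-2.14.1.jar",
                "log4j-core-2.15.0.jar", "log4j-core-2.17.1.jar"):
        print(jar, "->", cves_for_jar(jar) or "none of the listed CVEs")
```
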
carltonh
Posts: 11
Joined: 09 Mar 2014, 06:24
Has thanked: 0
Been thanked: 3 times

Re: Madsonic Newsletter 01/2022


Is Madsonic currently down? I can't get to the main website. My server is no longer showing or allowing my Madsonic Premium functions to work, not recognizing my license key, nor is the personal server address working.
carltonh
Posts: 11
Joined: 09 Mar 2014, 06:24
Has thanked: 0
Been thanked: 3 times

Re: Madsonic Newsletter 01/2022


Whatever problem existed, everything is working again. Not sure what was the cause, but 99% sure not on my side. The Madsonic Service Status page showed everything green except "Homebase Service" both when the Premium license key was not recognized, and then when it was recognized again and back to normal for my usage.

Anyway, thanks for keeping Madsonic alive. I don't need new features; if security fixes are all that get updated, I'm happy for another decade.