A high-severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j library was disclosed on December 9, 2021.
We will continue to update this page as the collective understanding of the vulnerability evolves.
EcoStruxure IT Gateway and IT Expert
Log4j is a standard logging library used by many Java applications, including the EcoStruxure IT Expert and IT Gateway.
EcoStruxure IT Gateway
A new EcoStruxure IT Gateway version (126.96.36.199) containing Log4j version 2.16 is now available. We strongly encourage all customers to upgrade.
EcoStruxure IT Gateway versions 1.5.0 to 1.13.0 contain the affected versions of the library and may be susceptible to remote code execution as described in CVE-2021-44228. It is still unclear whether, or how, Log4j in the EcoStruxure IT Gateway can be exploited. Earlier EcoStruxure IT Gateway versions (1.4.3 and earlier) do not contain an impacted version of Log4j.
EcoStruxure IT Expert
The cloud-based EcoStruxure IT Expert has already been updated with Log4j version 2.15, which includes a fix for CVE-2021-44228. A newer and further hardened version of Log4j, version 2.16, has just been released and will be implemented shortly.