Has anyone seen any response from INFOR with regard to the Log4J vulnerability that was issued on Friday (Dec 10)?
Mike, I received an auto email today -
Informational Update on Log4j vulnerability
Infor has completed its Log4j vulnerability investigation on all Infor cloud applications, and vulnerability mitigation has been completed through vendor-published recommendations including code updates and/or WAF (Web Application Firewall) rules where needed. Ongoing mitigation efforts and monitoring of traffic continue.
Pl. see KB 2228933 if you haven't already.
Hi Mike, I received a call from support this morning. We are on prem. I was told that they believe Lawson is using it and that their developers were looking at the code to see if what Lawson is using is affected by the vulnerability. Support said they plan to send out a critical notification once they have an update.
Love #sarcasm the Infor Support Site search. Searching on the number you provided returns no results.
Anette - that notification is for CloudSuite. I am going to reach out to Infor, as we are single tenant hosted.
KB 2229005 CVE-2021-44228 Log4j vulnerability 13 Dec 2021 12:26
I contacted BSI inquiring about TaxFactory 11, here is the reply I received:
This is assigned ticket # 191874. BSI is aware of this Apache Vulnerability and has remediated the issue. Please be on the lookout, today, for a customer notice related to this
Anyone heard if the log4j on MSCM is affected? We are on 1.2.15 of log4j.
The impacted versions are in between version >= 2.0 and <= 2.14.1
As Sreedevi notes, only versions 2.x (< 2.15) are vulnerable to the "log4shell" vulnerability. So 1.2.15 is not vulnerable to CVE-2021-44228. That's the good news.
The bad news is that log4j 1.2.x reached end of life over six years ago and has not received any security updates since (e.g., for CVE-2019-17571).
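An added example, not part of any post in this thread: a name-based inventory of log4j jars under a directory, classified against the version range quoted above (2.0 through 2.14.1) and the 1.x end-of-life note. The function names, status labels and sample layout are assumptions for illustration, and the check trusts the version in the jar file name.

```python
import os
import re

# Assumption: the jar file name carries the version (log4j-core-2.14.1.jar).
# Renamed or bundled (fat/shaded) jars will not be caught by a name check.
NAME_RE = re.compile(r"^log4j.*\.jar$", re.IGNORECASE)
VERSION_RE = re.compile(r"-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)

LOW, HIGH = (2, 0), (2, 14, 1)  # affected range as quoted in the thread


def classify(jar_name):
    """Return 'affected', 'eol-1.x', 'outside-range' or 'unknown'."""
    m = VERSION_RE.search(jar_name)
    if not m:
        # e.g. pre-release names; needs manual inspection
        return "unknown"
    version = tuple(int(p) for p in m.group(1).split("."))
    if LOW <= version <= HIGH:
        return "affected"       # in the CVE-2021-44228 range from the thread
    if version[0] == 1:
        return "eol-1.x"        # not in that range, but end of life
    return "outside-range"      # outside the quoted range, nothing more


def scan(root):
    """Walk root and return sorted (relative_path, status) for log4j jars."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if NAME_RE.match(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, classify(name)))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for path, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:14} {path}")
```

Run it with an install directory as the only argument; jars reported as `unknown` need their manifest checked by hand.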
Hello All,
Some of you or all of you may already be aware that the following critical notification was posted Monday evening (Central time), 12/13/2021:
https://support.infor.com/espublic/EN/AnswerLinkDotNet/sohoxi/Announcements/XiShowAnnouncements.aspx?id=4040
Within the notification you are directed to the following Master KB: https://support.infor.com/espublic/EN/AnswerLinkDotNet/SoHo/solutions/SoHoViewSolutionC.aspx?SolutionID=2229037
You should use the ‘Sign up’ feature in the KB header to receive notifications when new information and patches (for on-premises customers) are available for your product line and versions.
Lori,
Any word on when a ctp might be available for KB 2229005?
tia
BTW - Happy Holidays
Hi Mike, All updates for Lawson will come here... please sign up for this one... https://support.infor.com/espublic/EN/AnswerLinkDotNet/SoHo/Solutions/SoHoViewSolutionC.aspx?SolutionID=2229005 Original Critical notification: