Product Security

Apache Log4J Vulnerability - Impact for 911 Secure products

The 911 Secure Products do not contain the vulnerabilities in the Apache Log4j Java Logging Library (also known as JdniLookup class, Log4Shell or LogDump). This was listed in the CVE-2021-44228 alert by the cve.mitre.org group which was disclosed on December 9, 2021.

What happened:

On December 9, 2021, the following vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions prior to 2.15.0 was disclosed:

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

For a description of this vulnerability, see the Fixed in Log4j 2.15.0 section of the Apache Log4j Security Vulnerabilities page.

Are my 911 Secure products affected?

911 Secure is investigating its product line to determine which products may be affected by this vulnerability. Because this is an ongoing investigation, be aware that products currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available. Refer to the table below for information about specific products, status and available remediation or mitigation.

Sentry Products

Product Remediation required

Sentry On Premises

Sentry Sentinel Web Application NO

Sentry Avaya Aura Scout NO

Sentry Avaya Aura Session Manager Scout NO

Sentry Avaya IP Office Scout NO

Sentry Avaya CS1000 Scout NO

Sentry SNMP Listener NO

Sentry File Importer NO

Sentry Cisco CMX Tracker NO

Sentry Cisco MSE Tracker NO

Sentry Aruba Tracker NO

Sentry Tracker Commander NO

Sentry Avaya CS2100 Scout NO

Sentry eZuce openUC Scout NO

Sentry Ribbon Scout NO

Sentry External Tracker NO

Cloud Products

Sentry Cloud NO

Sentry Gatekeeper NO

Sentry Cloud Beacon NO