
Vulnerabilities in Apache Log4j Library affecting ETAS Products

First released: 2021-12-10

Last updated: 2022-04-26

Status: final

Summary

Critical Vulnerabilities in Apache Log4j Java Logging Library

Starting on December 9th 2021, a series of vulnerabilities in the Apache Log4j Java logging library was disclosed.

On December 9th 2021, the following critical vulnerability, affecting all Log4j2 versions earlier than 2.15.0 (2.0-beta9 through 2.14.1), was disclosed:

  • CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

On December 14th 2021, the following vulnerability, affecting all Log4j2 versions up to and including 2.15.0, was disclosed. It was published as a denial of service, but Apache subsequently re-rated it as critical because the fix in 2.15.0 was incomplete and the issue can lead to information leakage and remote code execution in certain non-default configurations:

  • CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

On December 18th 2021, another vulnerability, affecting versions 2.16.0 and earlier, was disclosed:

  • CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation

On December 28th 2021, another vulnerability, affecting versions 2.17.0 and earlier, was disclosed:

  • CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

Additionally, further vulnerabilities were documented in Apache Log4j 1.2, which is end of life and receives no fixes (e.g. CVE-2021-4104, which affects configurations that use the JMSAppender).
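To turn the version ranges above into a check that can be run against a deployment, here is an added example in Python. It is not part of this ETAS advisory and not ETAS tooling. It scans a directory of JAR/WAR/EAR files (including JARs nested inside WARs), reads the Log4j version from the embedded Maven metadata, and reports which of the CVEs listed above still apply. The fix versions on the main 2.x line are the ones named above; the fix versions for the Java 6/7 backport branches (2.3.x and 2.12.x) and the JndiLookup.class removal workaround come from Apache's Log4j security page, not from this advisory. The sample archives are constructed in memory (a Maven pom.properties plus a placeholder class entry), so the script runs offline; pass a directory path on the command line to scan real files.

```python
"""Map Log4j versions found in JAR/WAR/EAR files to the CVEs in this advisory.
Added example, not ETAS tooling. Sample archives are constructed in memory so the
script runs offline; pass a directory on the command line to scan real files."""
import io
import re
import sys
import zipfile
from pathlib import Path

# Fix versions on the main 2.x line are those named in the advisory. The Java 6/7
# backport branches (2.3.x, 2.12.x) come from Apache's Log4j security page, not the advisory.
FIXED_IN = {
    "CVE-2021-44228": {"main": (2, 15, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)},
    "CVE-2021-45046": {"main": (2, 16, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)},
    "CVE-2021-45105": {"main": (2, 17, 0), "2.12": (2, 12, 3), "2.3": (2, 3, 1)},
    "CVE-2021-44832": {"main": (2, 17, 1), "2.12": (2, 12, 4), "2.3": (2, 3, 2)},
}
# Apache's documented workaround for these two is deleting JndiLookup.class from log4j-core.
JNDI_CVES = {"CVE-2021-44228", "CVE-2021-45046"}
POM2 = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM1 = "META-INF/maven/log4j/log4j/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0), i.e. pre-releases sort as .0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def open_cves(version):
    """Advisory CVEs still open for a log4j-core 2.x version tuple, branch-aware."""
    branch = {(2, 12): "2.12", (2, 3): "2.3"}.get(version[:2], "main")
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed[branch]]


def _pom_version(zf, entry):
    m = re.search(r"^version=(.+)$", zf.read(entry).decode("utf-8", "replace"), re.M)
    return m.group(1).strip() if m else None


def inspect_archive(data, path="<bytes>", depth=0):
    """Yield (path, finding) for each Log4j found in an archive; recurses into nested JARs."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM2 in names or JNDI_LOOKUP in names:
            version = _pom_version(zf, POM2) if POM2 in names else None
            try:
                cves = open_cves(parse_version(version)) if version else list(FIXED_IN)
            except ValueError:
                cves = list(FIXED_IN)  # unparseable version string: assume worst case
            if JNDI_LOOKUP not in names:  # class deleted: JNDI CVEs mitigated, the rest remain
                cves = [c for c in cves if c not in JNDI_CVES]
            yield path, {"log4j": "2.x", "version": version or "unknown", "cves": cves,
                         "jndi_lookup_present": JNDI_LOOKUP in names}
        elif POM1 in names or JMS_APPENDER in names:
            version = (_pom_version(zf, POM1) if POM1 in names else None) or "unknown"
            yield path, {"log4j": "1.x", "version": version, "cves": ["CVE-2021-4104"],
                         "jndi_lookup_present": False}
        if depth < 2:  # e.g. WEB-INF/lib/*.jar inside a WAR, or a JAR inside an EAR
            for entry in sorted(names):
                if entry.lower().endswith(ARCHIVE_SUFFIXES):
                    yield from inspect_archive(zf.read(entry), f"{path}!{entry}", depth + 1)


def scan_tree(root):
    """Walk a directory; return {path: finding} for every archive that contains Log4j."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            results.update(inspect_archive(p.read_bytes(), str(p)))
    return results


def build_sample_jar(version, jndi_lookup=True, nest_in_war=False):
    """Constructed fixture: a minimal log4j-core look-alike, not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM2, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, placeholder
    if not nest_in_war:
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", buf.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = scan_tree(sys.argv[1])
    else:  # no directory given: classify the constructed samples instead
        findings = {}
        for v in ("2.14.1", "2.15.0", "2.16.0", "2.17.0", "2.17.1", "2.12.2", "2.3.1"):
            findings.update(inspect_archive(build_sample_jar(v), f"sample-log4j-core-{v}.jar"))
        findings.update(inspect_archive(build_sample_jar("2.14.1", jndi_lookup=False), "jndi-removed.jar"))
    for path, f in findings.items():
        print(f"{path}: log4j {f['version']} -> {', '.join(f['cves']) or 'no advisory CVE open'}")
```

The version comparison is branch-aware on purpose: a plain "less than 2.17.1" test would flag the Java 7 backport 2.12.4 as vulnerable to all four CVEs, and a plain string compare would order "2.9.1" after "2.17.1". A JAR whose Maven metadata is missing (shaded or repackaged builds) is reported as version "unknown" with every CVE open, which is the conservative answer; verify such hits by hand.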

ETAS's Response to These Vulnerabilities

All ETAS SaaS offerings have been analyzed and updated where applicable. No systems were compromised. This includes ESCRYPT KMS.Classic, KMS.Cloud and KMS.FOTA.

Affected Products

SaaS Offerings

See ETAS's Response above: all SaaS offerings, including ESCRYPT KMS.Classic, KMS.Cloud and KMS.FOTA, were analyzed and updated where applicable, and no systems were compromised.

Vulnerable Products

Product/Service                                   Report           Hotfix                               Fixed Release
------------------------------------------------  ---------------  -----------------------------------  -------------
Data Acquisition and Processing
  ASCMO                                           ASCMO Report     Described in Report                  5.9
  EATB                                            EATB KIR         Update to version specified in KIR   5.3

Development Tools
  COSYM HIL, COSYM SIL, Addon COSYM CAR           COSYM KIR        Described in KIR                     3.1
  EHANDBOOK Container-Build,                      EHANDBOOK KIR    Update to 9.0 or newer               9.0
  EHANDBOOK Unified Graphics Generator (UGG),
  EHANDBOOK Container-Build Toolbox for Simulink

Vehicle OS
  ISOLAR-A/B, which includes:                     ISOLAR KIR       Described in KIR                     9.21
  - ISOLAR-A
  - ISOLAR-A_ECUEXTR
  - ISOLAR-VRTE (formerly ISOLAR-A_ADAPTIVE)
  - ISOLAR-B
  - ISOLAR-A_LX
  - ISOLAR-VRTE_LX (formerly ISOLAR-A_ADAPTIVE)
  - ISOLAR-B_LX
  ISOLAR-EVE                                      ISOLAR-EVE KIR   Hotfix description

KIR = Known Issue Report. The KIRs and the ASCMO report referenced in the table above are available for download from ETAS; each describes the known issue and its solution for the product concerned.

Products Confirmed Not Vulnerable

Update 2022-01-31: All ETAS products not explicitly listed above are confirmed not to be vulnerable with regard to this advisory. These include:

Data Acquisition and Processing

  • EHOOKS
    • EHOOKS-CAL
    • EHOOKS-BYP
  • INCA
    • INCA-EIP
    • INCA-FLEXRAY
    • INCA-LIN
    • INCA-MCE
    • INCA-MIP
    • INCA-QM-BASIC
    • INCA-TOUCH
    • ODX-LINK
  • INCA-FLOW
  • INCA-RDE
  • INTECRIO
    • INTECRIO-IP
    • INTECRIO-VP
    • INTECRIO-RP
    • INTECRIO-RLINK
  • MDA
  • MDF-IP
  • XCP-IP

Development Tools

  • ASCET
  • LABCAR-MODEL
  • SCODE

Vehicle OS

  • RTA
    • RTA-CAR
    • RTA-OS
    • RTA-RTE
    • RTA-BSW
    • RTA-FBL
    • RTA-VRTE
    • RTA-LWHVR
    • RTA-SUM
    • MCAL-IFX