Attackers can execute arbitrary code via Log4Shell, a critical zero-day vulnerability in the widely used Java logging library Log4j. The German Federal Office for Information Security (BSI) rates the risk posed by the vulnerability at 10 on the CVSS scale, the highest possible value.
Therefore, we would like to provide you with the necessary information about affected products below.
The following products are currently confirmed to be affected:
Poly – https://support.polycom.com/content/support/security-center.html (PLYGN21-08)
- DMA Edge
- DMA Core
- possibly also RPAD
Cisco – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- CUCM (Version 11.5(1)SU7 – 11.5(1)SU10)
- CUPS (Version 11.5(1)SU7 – 11.5(1)SU10)
- Unity Connection (Version 11.5(1)SU7 – 11.5(1)SU10)
- Contact Center
- SIP Proxy
According to current knowledge, the following products are not affected by the vulnerability:
Pexip – https://www.pexip.com/blog1.0/pexip-statement-on-log4j-vulnerability
- Infinity Platform
Logitech
- MTR System
Crestron
- MTR System
Cisco
- VCS / Expressway
- CMS
- Video endpoints
- TMS
Poly – https://support.polycom.com/content/support/security-center.html (PLYGN21-08)
- Video endpoints of X- and G7500 series
As of now, no manufacturer offers patched software or workarounds. It must be assumed that devices that can be reached from the Internet have already been compromised.
We recommend that devices directly accessible from the Internet be isolated by firewalls or shut down until patches are available. Before doing so, you should create a backup of the configuration.
If you need our assistance in assessing the situation or have any queries, please feel free to contact us at support@mvc.de.
Please note that in this article we will only discuss the products we sell and operate and not the full range of products offered by the manufacturers.