Log4j Vulnerability – Frequently Asked Questions

Log4Shell Vulnerability

1. What is it?
Log4j 2 is open-source software developed by the Apache Foundation and used in many software systems including telephony products from many vendors. It is hard to know whether Log4j is being used in any given software system because it is often bundled as part of other software. A bug was found in Log4j 2 on Dec 10, 2021. This bug can be exploited to allow a remote attacker to take control of a device on the internet, or by an internal hacker, if the device is running certain versions of Log4j 2. The exploit of the vulnerability has been given the name Log4Shell.

2. Is this a serious issue?
Yes, if your system uses an affected version of Log4j 2 and can be accessed remotely then it can be compromised. Apache gave the vulnerability a score of 10 out of 10, the highest-level severity score, because of its potential for widespread exploitation and the ease with which malicious attackers can exploit it.

3. Can it be fixed?
Apache have released a series of patches to fix the issue. Third party companies are incorporating these patches into updates for their products. To fix the issue on affected systems requires them to be patched with these vendor updates.

4. Is my system impacted?
This depends on whether your system is running a vulnerable version of Log 4J 2. Older versions are not impacted. Your system may not use Log4j 2 at all. A high-level guide per vendor is provided below.

Vendor Status Updates
Alcatel Lucent https://www.al-enterprise.com/en/-/media/assets/internet/documents/n-to-s/sa-c0068-ed08-apache-log4j-en.pdf
Avaya https://support.avaya.com/helpcenter/getGenericDetails?detailId=1399839287609 
Liquid Voice Liquid Voice have stated to DigitalWell that following a detailed investigation none of their products are vulnerable as they do not use Log4j.
NEC No NEC products supplied by DigitalWell are affected by the Log4j 2 vulnerability
NICE Requires login to NICE Support: https://niceprod.service-now.com/csm?id=log4j_security_vulnerability 
Nortel Nortel telephony systems are End of Life/End of Support and any vulnerabilities cannot be patched by DigitalWell. DigitalWell recommends replacing these systems with vendor supported products from DigitalWell.
Toshiba Toshiba telephony systems are End of Life/End of Support and any vulnerabilities cannot be patched by DigitalWell. DigitalWell recommends replacing these systems with vendor supported products from DigitalWell.
Verint Requires Login to Verint Community: https://connect.verint.com/b/verint-community-news/posts/verint-product-update-on-the-apache-log4j-vulnerability 

 

Vendor Status
Alcatel Some products are vulnerable, and a customer specific audit is required
Avaya Some products are vulnerable, and a customer specific audit is required
Liquid Voice The vendor has indicated that none of their systems are vulnerable
NEC No NEC product supplied by DigitalWell is currently listed as vulnerable by the vendor
Nectar Some products are vulnerable, and a customer specific audit is required
NICE Some products are vulnerable, and a customer specific audit is required
Nortel Nortel telephony system are end of support and therefore no security updates are available from the vendor
Toshiba Toshiba telephony system are end of support and therefore no security updates are available from the vendor
Unity The Unifi WiFi controller is vulnerable, and a customer specific audit is required
Verint Some products are vulnerable, and a customer specific audit is required
DigitalWell 360 Hosted Telephony No DigitalWell 360/360/Intune hosted telephony systems are impacted by the Log4j 2 vulnerability

 

5. Can I patch my systems myself?
Log4j is an integrated part of the telephony system software and can only be patched using system level patches from the telephony vendor and not by using the patches published by Apache. Patching the system requires specific knowledge and experience of a DigitalWell telephony engineer.

6. Can you tell me if my system is vulnerable?
If you have a current service contract with DigitalWell for the system(s) then we can audit your system and provide a report free of charge. This report will include an estimate of the effort to remediate the issue with the current vendor recommended patches. The cost of implementing these changes is chargeable at the standard rate.

Please note that these costs assume work will be carried out during standard Business hours Monday to Friday. For OOH remediation, the hourly rate will reflect the service window time/day and will be 1.5 to 2 times the business hours cost.

If you do not have a current service contract with DigitalWell for the system(s) then please contact your account manager to discuss options.

7. Will patching be service affecting?
The audit is not service affecting however the installation of the updates may be service affecting, this will be determined as part of the audit. If it is service affecting, then we can schedule the work to be carried out in a service window. The hourly rate will reflect the service window time/day and will be 1.5 to 2 times the business hours cost.

8. What do I do next?
Should you believe you need to audit your system, please email us at info@digitalwell.com. DigitalWell will then contact you to arrange the audit. Audits slots are limited at this current time, so we kindly ask for your patience as you will be contacted as soon as possible to arrange a date. Customers will be scheduled on a first come, first served basis.

Based on the audit report that shows vulnerability, you can then request the system to be patched by responding to the audit ticket with the PO. You will be contacted by the support desk to schedule the patching. Patching slots are limited at the moment, and customers will be scheduled on a first come, first served basis.

9. What if more issues are identified?
DigitalWell continuously monitors the information from Apache and the vendors regarding Log4j. We will inform our clients in the event that vulnerabilities are identified. Any further patching would be chargeable.

10. Are there technical details available on the vulnerability?
Apache are providing updates on the vulnerability here

Vendor Specific status information.

Vendor Status
Alcatel Lucent https://www.al-enterprise.com/en/-/media/assets/internet/documents/n-to-s/sa-c0068-ed08-apache-log4j-en.pdf
Avaya https://support.avaya.com/helpcenter/getGenericDetails?detailId=1399839287609 
Liquid Voice Liquid Voice have stated to DigitalWell that following a detailed investigation none of their products are vulnerable as they do not use Log4j.
NEC No NEC products supplied by DigitalWell are affected by the Log4j 2 vulnerability
NICE Requires login to NICE Support: https://niceprod.service-now.com/csm?id=log4j_security_vulnerability 
Nortel Nortel telephony systems are End of Life/End of Support and any vulnerabilities cannot be patched by DigitalWell. DigitalWell recommends replacing these systems with vendor supported products from DigitalWell.
Toshiba Toshiba telephony systems are End of Life/End of Support and any vulnerabilities cannot be patched by DigitalWell. DigitalWell recommends replacing these systems with vendor supported products from DigitalWell.
Verint Requires Login to Verint Community: https://connect.verint.com/b/verint-community-news/posts/verint-product-update-on-the-apache-log4j-vulnerability