Möbius and the Apache Log4j2 Vulnerability

Introduction: This page provides the latest updates on the potential impact of the open-source Apache “Log4j2” vulnerability on DigitalEd products and services, based on the findings of our ongoing investigation. We are actively following the vulnerabilities in the Apache “Log4j2” utility (CVE-2021-44228 and CVE-2021-45046).

Background: The Apache Log4j2 utility is a commonly used open-source library for application logging. On December 9, 2021, a vulnerability was reported that could allow an attacker to compromise a system running Apache Log4j2 version 2.15 or below and execute arbitrary code.

Updates

January 27, 2022

Product Name: Möbius 2022.0
Status: Updated; no action needed.
Additional Information: Möbius has been updated to use Log4j 2.17. Version 2022.0 will be released in early Feb 2022, and upgrades will commence immediately.

December 22, 2021

Product Name: Möbius 2021.2, 2020.2.3 and 2019.2
Status: Investigated; no action needed.
Additional Information: TrustNCS has completed scans of Möbius 2021.2, 2020.2.3 and 2019.2 and has not found any vulnerabilities.

December 21, 2021

Product Name: Möbius 2021.2
Status: Investigation Completed.
Additional Information: DigitalEd has contracted TrustNCS, a leading cybersecurity solutions provider, to perform external security scans to validate our solution. We will know the results of these tests on December 22, 2021. In addition, an investigation has started into creating a patch for Möbius 2021.2 to upgrade Log4j to 2.17.

Tuesday, Dec 14, 2021

Product Name: Möbius 2020.1.1 and older
Status: No Action Needed
Additional Information: Older versions of Möbius use Log4j 1.x and are not affected by CVE-2021-44228.

Tuesday, Dec 14, 2021

Product Name: Möbius Services, Pay Portal, Web Store, LTI Service, SAML Service, LDAP Service
Status: No Action is Needed
Additional Information: These services do not use Log4j2 and are not impacted by the identified CVE.

Monday, Dec 13, 2021

Product Name: Möbius 2021.2, 2021.1, 2021.0, 2020.2.3
Status: Mitigated; no further action needed.
Additional Information: Möbius uses Log4j 2.13.3 and has limited exposure to the Log4j2 vulnerability. DigitalEd immediately rolled out the changes to include the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable. We were able to validate that after the mitigation, our tests could no longer recreate CVE-2021-44228.
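
The check below is an added example, not DigitalEd's or TrustNCS's tooling: it classifies Log4j jars by file name against the versions named on this page and tests whether LOG4J_FORMAT_MSG_NO_LOOKUPS can apply to them. It assumes Maven-style jar names, does not open jars nested inside other archives, does not special-case Apache's backport releases, and relies on Apache's guidance (not stated on this page) that the variable is only honored from Log4j 2.10 onward; the status labels and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# log4j-core-2.13.3.jar is Log4j 2; log4j-1.2.17.jar is Log4j 1.x.
JAR_RE = re.compile(r"^log4j-(core-)?(\d+)\.(\d+)[.\d]*(?:-[\w.]+)?\.jar$")
ENV_VAR = "LOG4J_FORMAT_MSG_NO_LOOKUPS"

def classify(jar_name, env):
    """Map one jar file name to a status, or None if it is not a Log4j jar."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    is_core, major, minor = bool(m.group(1)), int(m.group(2)), int(m.group(3))
    if major == 1 and not is_core:
        return "log4j-1.x"            # not affected by CVE-2021-44228
    if major != 2 or not is_core:
        return None
    if minor >= 17:
        return "updated"              # the release the page upgrades to
    if minor >= 15:
        return "upgrade"              # below 2.17; the variable is not the fix
    if minor < 10:
        return "exposed-var-ignored"  # the variable is only read from 2.10 on
    # 2.10 to 2.14: message lookups are disabled only when the value is "true".
    mitigated = env.get(ENV_VAR, "").lower() == "true"
    return "mitigated" if mitigated else "exposed"

def scan(root, env=None):
    """Classify Log4j jars under root; pass the JVM's own environment as env."""
    env = os.environ if env is None else env
    found = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        status = classify(jar.name, env)
        if status:
            found[jar.name] = status
    return found

def demo(env):
    """Run scan() over a constructed tree of empty files named like real jars."""
    names = ["log4j-core-2.13.3.jar", "log4j-core-2.17.0.jar",
             "log4j-core-2.8.2.jar", "log4j-1.2.17.jar", "log4j-api-2.13.3.jar"]
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        for n in names:
            (lib / n).touch()
        return scan(tmp, env)
```

A "mitigated" result only means the variable is set for a version that reads it; the January 27, 2022 entry above records the later move to Log4j 2.17.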