December 11, 2021

Since 360Works is about 100% Java, I would think that some or all of the products are affected by the Log4j monster-critical vulnerability that came out today, being tracked as CVE-2021-44228, and detailed here by WIRED. Will you be publishing an official notice on it, if/how it does or doesn't affect 360Works products, and if so, how to mitigate the vulnerability until it gets patched? Thanks!

Edited December 11, 2021 by JohnDCCIU
December 13, 2021

Hi JohnDCCIU, The vulnerability in question required Java to be connected to an LDAP server as well as using a compromised version of Log4J, which is not possible with any of our plugins or web apps. Additionally, we did identify that only the Plastic plugin was using a compromised version of Log4J, and we updated this to remove the vulnerability and published a new version to our store. Please let us know if you have any questions!
December 15, 2021

Hi, are older versions of your products also safe from the log4j vulnerability? I have a FM server 16 using an old version 1.82 of RemoteScripter.
December 16, 2021

FYI, Claris has significantly expanded their response at https://support.claris.com/s/answerview?anum=000035819&language=en_US and provided more information on older versions. If you want a more in-depth analysis, I've been collating all the community findings I'm aware of, along with our research, in a blog post on fixing the Log4j exploit on FileMaker Server. FileMaker Server 16 is not vulnerable to these two newest Log4j (2.x) exploits, so you probably won't be compromised by the majority of botnet activity going on right now. However, FMS 16 does use an older Log4j (v1.2.15) that is no longer maintained and has active Remote Code Execution vulnerabilities of its own. You should *definitely* check out the mitigation steps in our blog post and prioritize upgrading to FileMaker Server 19.
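The question running through this thread is which bundled jars contain Log4j and of which family (2.x core or the unmaintained 1.x line). The inventory check below is an added example, not code from 360Works, Claris or any poster: it reads archive contents, including jars nested inside WAR files, and reports the log4j-core version and whether the `JndiLookup` class is present. The 1.x marker class is a heuristic assumption, and the sample jars (including the version string in them) are constructed in memory.

```python
import io
import re
import zipfile

# Class that performs JNDI lookups in log4j-core 2.x (the CVE-2021-44228 code path)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata bundled in log4j-core 2.x jars; carries the version string
POM_2X = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Heuristic marker for a Log4j 1.x jar (assumption, not an official identifier)
V1_MARKER = "org/apache/log4j/net/JMSAppender.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label):
    """Scan archive bytes, descending into nested archives; return findings."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"path": label, "family": "unreadable", "version": None, "jndi_lookup": False}]
    findings = []
    with zf:
        names = set(zf.namelist())
        if POM_2X in names or JNDI_LOOKUP in names:
            text = zf.read(POM_2X).decode("utf-8", "replace") if POM_2X in names else ""
            m = re.search(r"^version=(.+)$", text, re.M)
            findings.append({"path": label, "family": "log4j-core 2.x",
                             "version": m.group(1).strip() if m else None,
                             "jndi_lookup": JNDI_LOOKUP in names})
        elif V1_MARKER in names:
            findings.append({"path": label, "family": "log4j 1.x", "version": None, "jndi_lookup": False})
        for name in sorted(names):  # fat jars and WARs bundle libraries inside
            if name.lower().endswith(ARCHIVES):
                findings += scan_archive(zf.read(name), f"{label}!/{name}")
    return findings


def make_jar(entries):  # builds constructed sample input, not a real Log4j build
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    core = make_jar({POM_2X: "version=2.14.1\n", JNDI_LOOKUP: b""})
    legacy = make_jar({V1_MARKER: b""})
    war = make_jar({"WEB-INF/lib/log4j-core.jar": core, "WEB-INF/lib/log4j.jar": legacy})
    return scan_archive(war, "app.war")
```

To scan a real installation, read each archive under the server's plugin and web-app directories as bytes and pass it to `scan_archive`, then compare the reported versions against the vendor advisories linked in the thread.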