December 15th, 2021
SunPlus Department General Statement on the ‘Log4j2’ Security Vulnerability: A high-severity vulnerability (CVE-2021-4428, CVSSv3 10.0) impacting multiple versions of the Apache Log4j2 utility was disclosed on December 9, 2021. This vulnerability affects Apache Log4j2 versions 2.0 through 2.14.1 and allows unauthenticated remote code execution. Log4j2 is an open-source Java logging library developed by the Apache Foundation. It is widely used in software applications and is present in many Internet services, including enterprise applications and numerous cloud services.
Our SunPlus Team is aware of the recently announced Log4j2 vulnerability. We are actively monitoring our systems to make sure none of them is compromised and, at the same time, looking for ways to mitigate the risk. Since yesterday, our team has been deploying updates and patches to all our systems in SunPlus Cloud to mitigate the issue in any affected product.
SunPlus Cloud Users: No further action is required.
Users Running Local Systems: We strongly recommend that all SunPlus users running systems locally immediately install the latest Patch Set from Infor for version 63 or 64, along with the Emergency Patch for the newly discovered vulnerability. SunPlus Division Leaders should work with local users at Unions, Conferences, and other organizations right away, so that the vulnerability can be fixed before it is exploited.
Infor has clarified that previous versions of Infor SunSystems, such as 54, 61, and 62, are not affected by this Java/Apache vulnerability.
Link for the latest Infor Patch Set 48:
Emergency Patch: https://drive.sunplussda.org/index.php/s/Tb2wfoKEteFBYtE
Please contact our support team if you need assistance installing the patch sets.
Before installing Patch Sets:
- Please read the Patch Set documentation carefully
- Make sure you have a healthy full backup of all databases
Thank you for your continued patience and support as we focus on our investigation and mitigation actions.