The Apache Log4j security issue was first noted in December 2021. This article looks at Dataton products with regard to the issue and advises on good network practice.
The security flaw in the Java logging library Apache Log4j (tracked as CVE-2021-44228) allows unauthenticated remote code execution and server access. Below is a summary of the situation with regard to Dataton products.
No version of WATCHOUT uses the Apache Log4j logging library. This goes for the production software, the display software and the dynamic image server.
Bearing in mind the above, Dataton WATCHPAX media servers do not have any heightened risk of being hacked due to the Log4j security issue.
WATCHMAX media servers in their original state as shipped from Dataton (i.e., units that have not been re-configured or had any additional software installed) should not be affected by this security threat.
For custom-built servers running WATCHOUT, please check with the manufacturer of the server to see if any additional software installed on these servers may contain the Apache Log4j logging library. If this is the case, contact the server manufacturer to resolve the issue.
WATCHNET is Java-based and does have the Apache Log4j logging library included in the code library. The version of the Log4j module is an early iteration, version Log4j-1-2-17, and it is understood that Log4j 2.0 to 2.14.1 are the versions affected by this security threat. Some sources mention that there is an elevated risk, albeit low, that Log4j versions pre-2.0 can be affected. However, this does not apply to WATCHNET as the source code is encrypted.
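For custom-built servers, one way to inventory Log4j copies in additionally installed software is sketched below. It is an added example, not Dataton code: it reads the Maven `pom.properties` metadata inside each JAR/WAR/EAR (including nested archives) and flags the 2.0 to 2.14.1 range named above. The function names and the metadata-based detection method are assumptions of this example.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Affected range as stated in this article: Log4j 2.0 to 2.14.1.
AFFECTED = ((2, 0, 0), (2, 14, 1))
# Maven metadata path used by log4j 1.x and log4j-core 2.x JARs (detection method assumed here).
POM = re.compile(r"META-INF/maven/[^/]+/log4j(-core)?/pom\.properties$")
ARCHIVES = (".jar", ".war", ".ear")

def classify(version):
    """Map a version string such as '2.14.1' or '1.2.17' to a status label."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    key = tuple(nums + [0] * (3 - len(nums)))
    if key[0] == 1:
        return "1.x (outside the 2.0-2.14.1 range)"
    return "AFFECTED (2.0-2.14.1)" if AFFECTED[0] <= key <= AFFECTED[1] else "outside the 2.0-2.14.1 range"

def scan_archive(data, label):
    """Return [(location, version, status)] for Log4j copies in one archive, nested archives included."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # unreadable or not an archive: skip
    with zf:
        for name in zf.namelist():
            if POM.search(name):
                m = re.search(r"^version=(.+)$", zf.read(name).decode("utf-8", "replace"), re.M)
                version = m.group(1).strip() if m else "unknown"
                hits.append((label, version, classify(version) if m else "unknown"))
            elif name.lower().endswith(ARCHIVES):
                hits += scan_archive(zf.read(name), f"{label}!{name}")
    return hits

def scan_tree(root):
    """Scan every JAR/WAR/EAR file below root."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            hits += scan_archive(path.read_bytes(), str(path))
    return hits

if __name__ == "__main__":
    for loc, ver, status in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:36} {ver:12} {loc}")
```

Copies repackaged without Maven metadata are not detected by this method, so an empty result narrows the search but does not replace confirmation from the server manufacturer.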
Good practices for your system
Dataton strongly recommends that any system using WATCHNET or WATCHOUT should be used in an isolated network environment. A WATCHOUT system should not be accessible from the Internet or any other external network.
If you need to access the Internet from your system, use a separate firewall device to protect your complete system from security attacks.