A critical vulnerability in Apache Log4j library was announced this weekend (https://www.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/43124/). Log4j is a library used within some of Synectics' platforms to log errors.
The official CVE (Common Vulnerabilities and Exposures) reference for this vulnerability is CVE-2021-44228.
The Synergy Hotfix installer and installation instructions are available for download here.
13th January 21:53 GMT
Several versions of log4j have been released since the critical vulnerability CVE-2021-44228 was announced. The Synergy hotfix released on 21st December includes log4j v2.16.
Version 2.17.1 of log4j will be included in the February Feature pack; this feature pack will not require a separate hotfix to be installed.
21st December 11:00 GMT
The Synergy Hotfix installer is available for download from here, along with the installation instructions.
16th December 15:22 GMT
The list of appliances that should have the Hot Fix applied has been updated below.
15th December 13:10 GMT
CVE-2021-44228 - The version of Log4j used by Synergy reduces the risk of this vulnerability being exploited. The Synergy Hot Fix will mitigate the risk of this vulnerability for customers on versions of Synergy v19.1 and above.
Customers on Synergy v19.1 (June 2019) and above - a Hot Fix installer will be issued in the next few days. Instructions will be provided via the Global Support Portal and will involve installing the hot fix on Clients, Synergy servers, Display Walls, Incident Lockers, POS Servers, Slots Servers, Windows Event Log Servers, EX300.
Customers on Synergy versions prior to v19.1 - we recommend you upgrade to our latest major release 20.2 which includes many important cybersecurity improvements and supports the Log4j Hot Fix. Please contact your sales representative to discuss your options.
We will continue to evaluate the risk on older versions of Synergy for which the Hot Fix is not compatible.
15th December 13:05 GMT
A new vulnerability was reported earlier (CVE-2021-45046) - the version of Log4j used in Synergy is not affected by this vulnerability.
14th December, 17:18 GMT
The way the Log4j component is implemented and structured within the Synergy platform reduces the risk of exploiting the reported vulnerability. To mitigate all risk Synectics will be releasing a Hot Fix. The Hot Fix will update the third-party Log4j component that causes the vulnerability. The version of Log4j required to address the vulnerability is compatible with Synergy v19.1 and above. The Hot Fix will check if your version of Synergy is not compatible. If you are running a version of Synergy 3 prior to v19.1 please contact us to discuss your options.
13th December, 15:20 GMT
We have identified the necessary Synergy updates to the Log4j resources to address this vulnerability, and are working on a Hot Fix. This will affect the following core components within the Synergy suite:
- Synergy server
- Synergy clients
- Display Walls
- Incident Lockers
- POS servers
- Slots servers
- Windows Event Log servers
The vulnerability does not affect joysticks, Synectics IP cameras and HDMI encoders.
The Hot Fix Installer will be released once it has undergone testing and verification to ensure backwards compatibility with older versions of Synergy. We expect to release the Hot Fix towards the end of next week.
Manual application of the Hot Fix may be possible sooner depending on the specific site configuration. We will distribute a Technical Note explaining this process later this week.
We recommend all sites install this Hot Fix when it is available.
Our Workforce Management platform uses third-party components that have dependencies on the Log4j resources affected by this vulnerability. These are deployed within a cluster and are not exposed externally, so the risk is reduced. When the third party components have been updated we will include them in our next Workforce Management release.
13th December, 12:32 GMT
We have upgraded our internal development builds of Synergy to the latest recommended Log4j version and testing is underway.
13th December, 11:50 GMT
We are actively investigating the level of risk from the vulnerability and any required mitigation steps. We will update this page when we have more news to share.