In response to the vulnerability tagged as CVE-2021-44228, known as “Log4Shell”, Artica PFMS confirms that Pandora FMS does not use this Apache logging component and is therefore not affected.
Discovered by the Alibaba security team, the problem is an unauthenticated remote code execution (RCE) in any application that uses this open source utility, and it affects unpatched versions from Apache Log4j 2.0-beta9 up to 2.14.1.
It is true that if we used it we would be exposed, but fortunately it is a dependency that is not necessary for the operation of our product.
In turn, we must also state that the Elasticsearch component for the log collection feature is potentially affected by CVE-2021-44228.
There is, however, a solution recommended by the Elasticsearch developers:
1) You can upgrade to a JDK later than 8 to achieve at least partial mitigation.
2) Follow the instructions from the Elasticsearch developers and upgrade to Elasticsearch 6.8.21 or 7.16.1 or later.
In case you can’t update your version, here is an additional method to mitigate the same problem:
- Disable message lookups (formatMsgNoLookups) as follows:
  - Stop the Elasticsearch service.
  - Add the line -Dlog4j2.formatMsgNoLookups=true (written as a single token, with no spaces around the equals sign) to the log4j section of /etc/elasticsearch/jvm.options
  - Restart the Elasticsearch service.
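The following script is an added example (not Artica's or Elasticsearch's own tooling) that applies the jvm.options step above idempotently: it checks whether the exact mitigation flag is already present and appends it only if missing, keeping a backup of the original file. It assumes the default path /etc/elasticsearch/jvm.options, which can be overridden with the first argument; stopping and restarting the service is left to the operator.

```shell
#!/bin/sh
# Added example: ensure the Log4Shell mitigation flag is present in an
# Elasticsearch jvm.options file. Not part of the Pandora FMS advisory.
# Assumption: the file lives at /etc/elasticsearch/jvm.options unless $1 is given.
set -eu

# The flag must be one token, with no spaces around '=' (a spaced variant
# would not set the system property as intended).
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Return 0 if the file already carries the exact flag on its own line.
has_flag() {
    grep -Eq "^[[:space:]]*${FLAG}[[:space:]]*$" "$1"
}

# Append the flag if it is missing; keep a timestamped backup first.
ensure_flag() {
    f="$1"
    if has_flag "$f"; then
        echo "already present: $f"
        return 0
    fi
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    printf '\n# Log4Shell (CVE-2021-44228) mitigation\n%s\n' "$FLAG" >> "$f"
    echo "added: $f"
}

# Apply to the given path, or to the default path when it exists.
if [ "${1:-}" != "" ] || [ -f /etc/elasticsearch/jvm.options ]; then
    ensure_flag "${1:-/etc/elasticsearch/jvm.options}"
fi
```

Run it as root before restarting Elasticsearch; running it twice leaves a single copy of the flag, so it is safe to include in configuration management.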
Should anything else arise, we will keep you informed.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Pandora FMS is a business-oriented on-premise monitoring software. It started from scratch in 2004 under the open source GPL2 license as a personal project of its CEO and founder, Sancho Lerena; since then it has evolved into a monitoring suite for companies, crossing borders and languages and offering one of the most complete solutions on the market.
Flexibility has been one of the main features of Pandora FMS since its creation; hence its acronym: F for “Flexible”, M for “Monitoring” and S for “Software”.
Pandora FMS’s goal is to offer an integrated and horizontal monitoring solution for companies, capable of combining information from different sources and departments to offer a single control board for the company’s whole technology, at all levels.
Our main sales office is located in Miami (USA), and our core development team is in our office in Spain. We have partners all around Europe, Asia and South America, and clients in more than 40 countries.