Security Update: Log4J Vulnerability

Written By Tami Sutcliffe (Super Administrator)

Updated at February 20th, 2024

12/22/2021 Update  

Dec 22 Update: BRC Appliance versions >= 10.4 hotfix

We've begun rolling out a hotfix for the Log4J exploit to fully protect against the currently known vulnerabilities in versions <2.16.0. If you have auto-update enabled, you will receive this patch in the next two days. If you do not have auto-updates enabled, you will need to manually apply this update to be fully protected. It is strongly advised that ALL partners apply this hotfix at the earliest possible date, as this is a significant security issue. While the patch we currently have enabled protects partners against currently known exploits, the hotfix is necessary to ensure you are protected against unknown attacks in older versions of the package.


12/20/2021 Update

Dec 20 Update: BRC Appliance versions >= 10.4 hotfix

Security researchers have unfortunately discovered a third vulnerability in Log4J over the weekend, tracked as CVE-2021-45105. While current patches and mitigations protect all Axcient partners, we will be holding off on the planned hotfix scheduled to begin deployment on Monday December 19. We will be testing Log4J 2.17.0, the currently recommended safe package, and will update partners here with a new planned release date.


12/15/2021 Update

Dec 15 Update: BRC Appliance versions >= 10.4 hotfix

We continue to develop a hotfix for BRC Appliance versions >= 10.4 that will include the new version of Log4J, and it will begin deployment the week of December 20th. As a matter of good practice, we recommend this security update be applied as soon as it is available. As further protection, please ensure appliances are not publicly available to the internet. We will update partners when the hotfix begins to be deployed.


12/14/2021 Update

Dec 14th Update 2: CVE-2021-45046 and BRC appliance versions >= 10.4 hotfix

CVE-2021-45046 was disclosed today, describing a further vulnerability in Log4j 2.15. Based on our analysis, the update we proactively deployed previously already mitigates this newly disclosed vulnerability as well. Because all systems already have an update that mitigates it, rather than releasing the previously announced hotfix (which would have included the now vulnerable Log4j 2.15), the hotfix is being updated to include Log4j 2.16 instead. This updated hotfix will be made available shortly.

As a reminder of best practices, a backup appliance should always be located on the LAN behind a firewall and NOT made accessible to the public internet directly. Backup appliances only require outbound internet connectivity and fully function behind a NAT without any inbound port mapping. If you need assistance or are having issues with this configuration, please reach out to support for assistance.


Dec 14 Update: BRC Appliance versions >= 10.4 hotfix

We continue to develop a hotfix for BRC Appliance versions >= 10.4 that will include the new version of Log4J. As a matter of good practice, we recommend this security update be applied as soon as it is available. As further protection, please ensure appliances are not publicly available to the internet. We will update partners when the hotfix begins to be deployed. 

---------------------------------------------------------------------------------------------------------------------------

12/13/2021

As you know, the world became aware of CVE-2021-44228, a critical vulnerability in a logging framework called Log4J, on Friday, December 10th. 

When disclosed, Axcient teams immediately began assessing the impact to our solutions. While we continue our research, we wanted to update you on how to make decisions regarding your incident response plan. Axcient has not found any material vulnerability in our products from this issue that would impact partners or their data, apart from one product, for which we have already deployed an update (see BRC appliance version details below). No Axcient systems have been compromised and partner data continues to be backed up and protected safely and securely.

  • Axcient x360 Platform products (Recover, Sync and Cloud) are not vulnerable to CVE-2021-44228. We've validated this through auditing of user inputs, tools, and reviewing versions of our libraries to confirm this is the case. Partners on the x360 Platform are fully protected. 
  • For Axcient BRC, so far our assessment shows that BRC Virtual Office and the BRC Cloud do not use Log4J and are not vulnerable. BRC appliance versions >= 10.4 may be affected. We have proactively deployed an update to all online BRC appliances and disabled the Log4j functionality that allows this vulnerability. While our assessment shows that this fully mitigates the vulnerability and that it cannot be exploited with this update applied, we are also preparing a hotfix that will include the new version of Log4J. 
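As an added illustration, not Axcient's tooling or any part of this advisory, the following Python script inventories log4j-core jars under a directory and reports which of the three CVEs referenced in the updates above (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) remain open for each jar, using the fixed-in versions 2.15.0, 2.16.0 and 2.17.0 published by Apache. It also checks whether the JndiLookup class is still present, which reflects a widely used stop-gap for the JNDI-based issues and is an assumption here, not a statement of which functionality Axcient disabled on its appliances. The three sample jars it scans are constructed in a temporary directory so the script runs offline.

```python
import os
import re
import tempfile
import zipfile

# Versions in which each CVE was fixed on the main Log4j 2.x line (Apache
# Log4j security advisories). Backport releases on the 2.12.x and 2.3.x
# branches are not modelled by this simple comparison.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
}
JAR_NAME = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
# Assumption: removing this class is the stop-gap being checked for; it blocks
# the JNDI path used by 44228/45046 but does nothing for the lookup-recursion
# issue 45105, so only the two JNDI CVEs are ever marked as mitigated.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(filename):
    """Return (major, minor, patch) from a log4j-core jar name, or None."""
    m = JAR_NAME.match(filename)
    return tuple(int(p) for p in m.groups()) if m else None


def classify_jar(path):
    """Report which of the three CVEs are still open for one jar."""
    version = parse_version(os.path.basename(path))
    if version is None:
        return None  # not a log4j-core jar (log4j-api etc. are not affected)
    with zipfile.ZipFile(path) as jar:
        jndi_present = JNDI_LOOKUP in jar.namelist()
    open_cves = [cve for cve, fixed in FIXED_IN.items() if version < fixed]
    mitigated = [] if jndi_present else [c for c in open_cves if c != "CVE-2021-45105"]
    if not open_cves:
        action = "none (at or above 2.17.0)"
    elif jndi_present:
        action = "upgrade to 2.17.0 or later immediately"
    else:
        action = "JNDI lookup removed (stop-gap); still upgrade to 2.17.0 or later"
    return {
        "path": path,
        "version": version,
        "jndi_lookup_present": jndi_present,
        "open_cves": open_cves,
        "mitigated_by_jndi_removal": mitigated,
        "action": action,
    }


def scan(root):
    """Walk a directory tree and classify every log4j-core jar found."""
    reports = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            report = classify_jar(os.path.join(dirpath, name))
            if report:
                reports.append(report)
    return sorted(reports, key=lambda r: r["version"])


def _write_jar(path, include_jndi):
    """Create a minimal constructed jar: a manifest, plus JndiLookup if asked."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class


def run_demo():
    """Build three constructed jars in a temp dir and scan them."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    _write_jar(os.path.join(root, "log4j-core-2.14.1.jar"), include_jndi=True)   # fully exposed
    _write_jar(os.path.join(root, "log4j-core-2.15.0.jar"), include_jndi=False)  # stop-gap applied
    _write_jar(os.path.join(root, "log4j-core-2.17.1.jar"), include_jndi=True)   # patched
    return scan(root)


if __name__ == "__main__":
    for r in run_demo():
        print(".".join(map(str, r["version"])), r["open_cves"], "->", r["action"])
```

Point `scan()` at a real application directory to get the same report for deployed jars; the version comparison deliberately treats a jar with JndiLookup removed as mitigated only for the two JNDI CVEs, so any build below 2.17.0 is still flagged for upgrade.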

Additionally, the following products do not use Log4J and are not vulnerable: Backup for Files, BDR for ShadowProtect, BDR for AppAssure, BDR for Veeam.

The majority of Axcient internal and cloud operations have already been validated as not vulnerable or have been patched over the weekend. We continue to audit our internal systems to ensure 100% protection against this issue as part of our incident response plan, and expect that review to be complete by December 14, 2021. 

Axcient treats all security issues as critical. We have established SLAs for mitigating any issue to protect our partners and Cure Data Loss. While there are various resources for information on this issue, we recommend staying up to date on the CompTIA ISAO forum here.

We will continue to share security updates as new information is available.



 SUPPORT | 720-204-4500 | 800-352-0248
