Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

 

    Notes, Domino, Verse, and Traveler marked safe from Log4Shell Apache Log4j Zero-Day Exploit

    Daniel Nashed  13 December 2021 14:41:16

    I already scanned over the weekend on all of my environments.

    Now here is the official HCL statement:


    https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095516

    For add-on applications, check with your business partner or vendor; for your own applications, check yourself (see previous post).


    -- Daniel

    Comments

    1. Todd Herman  13.12.2021 19:39:45  Notes, Domino, Verse, and Traveler marked safe from Log4Shell Apache Log4j Zero-Day Exploit

    Daniel - in the HCL statement you linked, the statement says "Domino Volt" which is a separate product from "Domino" server. Are you aware of any HCL statement specifically "clearing" the Domino server?

    Also, when HCL makes a statement like "Notes/Designer" client, are they referring to ONLY the MOST CURRENT product version (12.x), or are they ALSO referring to older versions (say, 9.x) that are still in use?

    Thanks,

    Todd

    2. Daniel Nashed  14.12.2021 8:49:50  Notes, Domino, Verse, and Traveler marked safe from Log4Shell Apache Log4j Zero-Day Exploit

    @Todd, the testing wasn't completed and the list was still updated.

    As long as there are no versions listed, I would see this as a statement for all supported versions.

    The issue occurs with later versions of Log4j. If the product uses an older 1.2 version (if at all) in the latest version, the version in the older HCL product version should not be newer...

    3. Heinrich Nellen  17.12.2021 14:09:22  Notes, Domino, Verse, and Traveler marked safe from Log4Shell Apache Log4j Zero-Day Exploit

    Hello Daniel,

    Domino and Notes are marked safe. The Domino Server (and Notes) makes use of the Apache Tika Server for full-text indexing. Tika Server itself has references to Log4j (as far as I have seen looking into the tika-server.jar). Domino 11 uses Tika Server 1.18, Domino 12 uses Tika Server 1.24. Up to now I don't know which version of log4j is used.

    Are you sure HCL looked into this?

    Thanks

    Heinrich

    4. Daniel Nashed  17.12.2021 20:50:51  Notes, Domino, Verse, and Traveler marked safe from Log4Shell Apache Log4j Zero-Day Exploit

    @Heinrich Nellen,

    Yes, HCL is aware of Tika and the old log4j version used.

    The version has some security reports. But for the functionality used it does not have any relevance.

    You can be sure that HCL looked into it very seriously and they are well aware of Tika.

    I have looked into my servers last weekend and my scans also found it in Tika.

    But if you found it, this probably wasn't by hand, so you probably already know the CVEs reported for version 1.x and that they have a lower rating.

    It would be good to not discuss something like this in public and instead ask HCL directly if you have concerns. Or e-mail me directly.

    Not everyone understands all the background and this isn't helping in the current situation where many people are getting nervous.

    From what I have seen, HCL did a great job looking into it! And also responding to it.

    Thanks
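    Comments 3 and 4 turn on one practical question: which log4j generation a bundled jar such as tika-server.jar actually carries, since Log4Shell concerns the 2.x log4j-core JNDI lookup while log4j 1.2.x has no JndiLookup class at all. The script below is an added example for readers who want to answer that for their own add-on jars; it is not code from this blog, from HCL or from the Tika project. It walks a jar and any jars nested inside it, reads the Maven pom.properties of log4j artefacts, notes whether the JndiLookup class is present, and reports a conservative verdict. The sample jars it builds are constructed in memory for the demonstration and are not real Tika or Domino artefacts.

```python
import io
import re
import zipfile

# Log4Shell lives in log4j-core 2.x's JNDI lookup class. Log4j 1.2.x has no
# JndiLookup class, so finding log4j 1.x inside a fat jar is a different,
# lower-rated story than finding log4j-core 2.x with the lookup present.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven writes META-INF/maven/<groupId>/<artifactId>/pom.properties into each jar.
POM_RE = re.compile(
    r"META-INF/maven/(org\.apache\.logging\.log4j|log4j)/([^/]+)/pom\.properties$"
)
NESTED_EXT = (".jar", ".war", ".ear", ".zip")


def scan_jar_bytes(data: bytes, path: str = "<root>") -> list:
    """Walk a jar (and any jars nested inside it) and record log4j artefacts.

    Returns a list of dicts: {"container", "artifact", "version", "jndi_lookup"}.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, nothing to inspect
    with zf:
        for name in zf.namelist():
            m = POM_RE.match(name)
            if m:
                version = None
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
                findings.append({"container": path, "artifact": m.group(2),
                                 "version": version, "jndi_lookup": False})
            elif name == JNDI_LOOKUP:
                findings.append({"container": path, "artifact": "JndiLookup.class",
                                 "version": None, "jndi_lookup": True})
            elif name.lower().endswith(NESTED_EXT):
                # Fat jars embed their dependencies as jars; recurse into them.
                findings.extend(scan_jar_bytes(zf.read(name), f"{path}!{name}"))
    return findings


def assess(findings: list) -> str:
    """Collapse the findings for one scanned file into a single verdict."""
    if any(f["jndi_lookup"] for f in findings):
        versions = sorted({f["version"] for f in findings
                           if f["artifact"] == "log4j-core" and f["version"]})
        return ("log4j-core 2.x with JndiLookup.class present (%s): "
                "check against fixed versions" % (", ".join(versions) or "version unknown"))
    if any(f["artifact"] == "log4j" for f in findings):
        return "log4j 1.x only: not affected by Log4Shell"
    return "no log4j artefacts found"


def _jar(entries: dict) -> bytes:
    """Build an in-memory jar from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_jars() -> dict:
    """Constructed samples, not real HCL or Tika artefacts: one fat jar bundling
    log4j 1.2.17, one bundling log4j-core 2.14.1 with JndiLookup.class, one clean."""
    old = _jar({"META-INF/maven/log4j/log4j/pom.properties": b"version=1.2.17\n",
                "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe"})
    new = _jar({"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
                b"version=2.14.1\n", JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
    return {"fat-with-log4j1.jar": _jar({"lib/log4j-1.2.17.jar": old}),
            "fat-with-log4j2.jar": _jar({"lib/log4j-core-2.14.1.jar": new}),
            "plain.jar": _jar({"Main.class": b"\xca\xfe\xba\xbe"})}


if __name__ == "__main__":
    for name, data in build_sample_jars().items():
        print(name, "->", assess(scan_jar_bytes(data, name)))
```

    To run it against a real file, read the jar into bytes and pass it to scan_jar_bytes; the "container" field uses the path!nested.jar notation so you can see exactly which embedded jar carried the artefact. The verdict deliberately stops at "check against fixed versions" for 2.x finds, because whether a given 2.x build is fixed depends on the exact version and the vendor's statement, which is what the HCL article linked above supplies for Domino itself.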
