Versions Compared

Old Version 5

changes.mady.by.user Adam Darwin

Saved on

compared with

New Version 6

changes.mady.by.user Adam Darwin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info

According to this blog post, JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load remote code using LDAP.

Actions taken by the DualShield team

To ensure that DualShield is absolutely free from this vulnerability, an update of DualShield was produced and released today, DualShield 6.4.20.1212.

In this update, we have made the following changes:

1. Log4j is completely removed from the SSO server (the frontend) in the DualShield platform

2. Log4j 2 is completely removed from the authentication server (the backend) in the DualShield platform. Log4j 1.2.17 is kept as it can't be easily upgraded yet, but it is not susceptible to this vulnerability.

3. Log4j 2 in the certificate server (frontend) has been upgraded to the latest log4j 2.15 which has fixed this vulnerability.