...
Actions recommended to DualShield customers
In general, you should always upgrade your DualShield to the latest update as soon as possible. If you are running DualShield 6.4 and cannot upgrade to the latest update 6.4.20.1212 immediately, then you should add "-Dlog4j2.formatMsgNoLookups=true" to the JAVA settings and restart the DualShield service after the change.
...
Click here for instructions on how to change JAVA settings in the DualShield platform.
Actions taken by the DualShield team
To ensure that DualShield is absolutely free from this vulnerability, an update of DualShield with the latest update of Log4J was produced and released. We produced this update, DualShield 6.4.20.1212, on December 12. In this update, we have made the following changes:
1. Log4j is completely removed from the SSO server (the frontend) in the DualShield platform
2. Log4j 2 is completely removed from the authentication server (the backend) in the DualShield platform. Log4j 1.2.17 is kept as it can't be easily upgraded yet, but it is not susceptible to this vulnerability.
3. Log4j 2 in the certificate server (frontend) has been upgraded to the latest log4j 2.15 which has fixed this vulnerability.
Last news on this issue - December 14, 2021: DualShield 6.4.20.1212 has been taken offline. It was discovered today that it has an issue with the DualShield IIS Agent. We will produce a new update as soon as possible.
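One way to check a host against the guidance above, as an added example that is not the DualShield team's own code: it looks inside each jar for Log4j 2's JndiLookup class and the version recorded in log4j-core's Maven metadata, then applies the page's rules (2.15 is fixed, otherwise the flag must be present in the JVM options). The 2.10 lower bound for the flag is not stated on this page, and the function names, status labels and sample jars are constructed for illustration.

```python
import io, os, re, zipfile

FLAG = "-Dlog4j2.formatMsgNoLookups=true"  # mitigation flag quoted in the advisory
FIXED = (2, 15)     # the advisory names log4j 2.15 as the fixed release
FLAG_MIN = (2, 10)  # not on the page: only Log4j 2.10 and later honor the flag
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jar_status(jar_file, jvm_options=""):
    """Classify one jar (path or file object) against the advisory's guidance."""
    with zipfile.ZipFile(jar_file) as jar:
        names = set(jar.namelist())
        if JNDI_LOOKUP not in names:
            return "no-jndi-lookup"      # Log4j 1.x, or not log4j-core at all
        version = None
        if CORE_POM in names:
            m = re.search(r"^version=(\d+)\.(\d+)", jar.read(CORE_POM).decode(), re.M)
            if m:
                version = (int(m.group(1)), int(m.group(2)))
    if version is None:
        return "unknown-version"         # repackaged jar: inspect by hand
    if version >= FIXED:
        return "fixed"
    if version >= FLAG_MIN and FLAG in jvm_options.split():
        return "mitigated-by-flag"
    return "vulnerable"

def scan(root, jvm_options=""):
    """Walk an installation directory and report every jar that ships JndiLookup."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(folder, name)
            try:
                status = jar_status(path, jvm_options)
            except zipfile.BadZipFile:
                status = "unreadable"
            if status != "no-jndi-lookup":
                report[path] = status
    return report

def make_jar(version=None, jndi=True):
    """Build a constructed in-memory stand-in for a Log4j jar (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if jndi:
            jar.writestr(JNDI_LOOKUP, b"")
        if version:
            jar.writestr(CORE_POM, "artifactId=log4j-core\nversion=%s\n" % version)
    buf.seek(0)
    return buf
```

Pass `scan()` the installation directory and the JVM options string currently configured for the service. Jars nested inside other archives are not opened, so unpack those first.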