SUPPORT COMMUNICATION - SECURITY BULLETIN – MF Connect
Potential Security Impact: remote code execution
Two potential vulnerabilities have been identified in the Apache log4j library used by MF Connect.
The vulnerability could be exploited to allow remote code execution.
SUPPORTED SOFTWARE VERSIONS (ONLY impacted versions are listed):
MF Connect – all versions up to and including 4.4.1
CVSS Version 3.1 Metrics:
|Reference||V3.1 Vector||V3.1 Base Score|
|CVE-2021-44228||CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H||10 - CRITICAL|
|CVE-2021-45046||CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L||3.7 - LOW|
Hotfix 7 for MF Connect 4.4.1 addresses both vulnerabilities by using log4j-core-2.16.0.
Please download from the MF Connect Core marketplace page and carefully read and follow the accompanying install instructions: https://marketplace.microfocus.com/appdelivery/content/micro-focus-connect-core
If you are using an older version of MF Connect, we strongly urge you to upgrade as soon as possible. If this is not possible, please refer to the attached document for mitigation guidance.
For the latest mitigation guidance, please refer to https://logging.apache.org/log4j/2.x/security.html.