Log4Shell: no vulnerability for Irion software
Turin, 29 December 2021
In early December 2021, a software vulnerability became known in Apache Log4j 2, a popular Java library for logging error messages in applications. The vulnerability, published as CVE-2021-44228, allows a remote attacker to take control of a device over the internet if the software on that device uses certain versions of Log4j 2. Several further vulnerabilities were also found in some of the fixes distributed in the following days to address this issue.
Irion software features
The Irion EDM® platform is built with Microsoft .NET technology and does not use, directly or indirectly, Apache Log4j 2 or other Java components. Therefore, it does not present any security problem similar to the vulnerability in question.
The RTG Application Backbone modules and custom solutions created for our clients on the Irion EDM® platform are intrinsically excluded from this vulnerability for the same reason. Therefore, no software distributed by Irion presents issues related to the Log4j vulnerability.
Triple security of IT infrastructure
Irion manages the impact of possible attacks that exploit the aforementioned vulnerability against the corporate intranet infrastructure, and against all cloud infrastructure managed on behalf of clients, on three levels.
- First level: all our networks are firewall-protected, allowing external access only to a limited number of specific services
- Second level: we have checked all the applications and systems configured for possible external access and verified that none of these uses the Log4j software
- Third level: we have identified the devices which, despite having no external access, could, in principle, be vulnerable to a possible attack coming from within the network. Even in these sporadic cases, none of the identified systems .
In any case, Irion’s IT unit continues to monitor with great attention how the situation evolves.
Contact details for the press: Andrea Paternostro +39 339 5990419 [email protected]