Latest post Tue, Jan 11 2022 9:58 AM by Jeroen van Eekeres. 8 replies.
  • Fri, Dec 10 2021 10:59 PM

    • Marianna
    • Top 10 Contributor
    • Joined on Thu, Oct 13 2005
    • Avid
    • Posts 11,581
    • Points 255,755
    • Avid Beta Moderators
      Avid Customer Advocate
      Avid Developer Moderator
      BlogAuthor
      SystemAdministrator

    Important Notice: Recently reported Apache Log4j RCE vulnerability.

    12/10/2021 - Important Notice

    Avid is aware of the recently reported Apache Log4j RCE vulnerability.

    CVE-2021-44228 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

    We are evaluating how it impacts our systems.

    Please monitor this channel for further updates.

     

    Thank you

    Marianna

    Director of CSM | Customer Advocate
  • Thu, Dec 16 2021 11:13 PM In reply to

    • Eeka
    • Not Ranked
    • Joined on Thu, Dec 16 2021
    • Posts 1
    • Points 15

    Re: Important Notice: Recently reported Apache Log4j RCE vulnerability.

    Any further update on these critical vulnerabilities across SDA, Nexis or Media Composer components?

  • Fri, Dec 17 2021 1:45 PM In reply to

    • NYnutz
    • Top 500 Contributor
    • Joined on Wed, Nov 25 2009
    • New York City
    • Posts 432
    • Points 5,170

    Re: Important Notice: Recently reported Apache Log4j RCE vulnerability.

    Eeka:

    Any further update on these critical vulnerabilities across SDA, Nexis or Media Composer components?


    PDF posted on this KB Page:
    https://avid.secure.force.com/pkb/articles/en_US/troubleshooting/en239659

    https://resources.avid.com/SupportFiles/attach/Avid_Technology_Log4j_Assessment.pdf

    Dave

    Post Production Infrastructure Engineer

    "A very big network"

     

  • Thu, Jan 6 2022 2:04 PM In reply to

    • SwissGarry
    • Not Ranked
    • Joined on Thu, Mar 15 2018
    • Posts 4
    • Points 50

    Re: Important Notice: Recently reported Apache Log4j RCE vulnerability.

    Hi,

     

    Are there versions of Media Composer, Pro Tools, and Nexis that have the updated version of Log4j, the 2.17.1 version?

    We have IT asking us to update all Avid workstations to remove the 1.2.9 version, and the above titles are the only Avid products installed.

     

    Many thanks

    Garreth

  • Thu, Jan 6 2022 2:10 PM In reply to

    • knejmann
    • Top 500 Contributor
    • Joined on Fri, Nov 4 2005
    • Århus, Denmark
    • Posts 280
    • Points 3,150

    Re: Important Notice: Recently reported Apache Log4j RCE vulnerability.

    According to the PDF Dave posted a link to, none of the three products you mention are affected.

    Media Composer 2020.12.6 - Windows 10 - Dell 8520 - Blackmagic Decklink Studio 4K - Interplay and NEXIS storage - Avid Artist Color.

    Kåre Nejmann

    Danish Broadcasting Corporation - DR
    Aarhus, Denmark 

  • Thu, Jan 6 2022 2:56 PM In reply to

    • SwissGarry
    • Not Ranked
    • Joined on Thu, Mar 15 2018
    • Posts 4
    • Points 50

    Re: Important Notice: Recently reported Apache Log4j RCE vulnerability.

    Indeed, this is my understanding too, and have been carrying on under that assumption.

    However, our IT department want us to update this file or the software that the file comes with to 2.17.1; however, I'm not sure if the newer versions of our titles have that or not, or how to find that out. We are on 21.5 and above for most.

    Can anyone from Avid clarify if and which versions of the titles have this update?

     

    Garreth

     

  • Thu, Jan 6 2022 3:50 PM In reply to

    Re: Important Notice: Recently reported Apache Log4j RCE vulnerability.

    If Avid state those products do not use that file then you can't update it. You can't update something that doesn't exist.

    I suspect IT are assuming that updating to the latest Avid Products will ensure this issue is resolved but that's a false assumption.

    I'd just pass IT the link and assure them as the link details none of your installed products are affected so no requirement to action anything.

    HP Z840 3.1GHZ 20cores 128GB RAM M4000 GPU 1TB NVMe drive HP Z book 17 G2 2.7GHZ Quad core 32GB RAM Nvidia K3100M 1TB SSD drive ACI Moderator. I'm...

     

    Broadcast & Post Production Consultant / Trainer  Avid Certified Instructor VET

     

    QC/QAR Training - Understanding Digital Media - Advanced Files * Compression - Avid Ingest - PSE fixing courses and more

    All bespoke and delivered onsite at yours. Or delivered via hosted Zoom session.

     

    T 07581 201248 | E pat@vet-training.co.uk | www.vet-training.co.uk|

     

  • Thu, Jan 6 2022 4:01 PM In reply to

    • SwissGarry
    • Not Ranked
    • Joined on Thu, Mar 15 2018
    • Posts 4
    • Points 50

    Re: Important Notice: Recently reported Apache Log4j RCE vulnerability.

    Hi Pat,

    Thanks for your reply. I have tried that approach, believe me, I'm convinced the issue may not exist as stated in Avid's own documentation.

    However, unfortunately the file is there;

    C:\Program Files\Avid\Editor Transcode\Dynamic Media Files\webapps\DMFService.war

    Having reinstalled MC I can see it comes within the installer package. I also attempted to delete the file and MC will no longer run. As IT pick this file up in their scans, they deem it an issue, and I'm stuck between IT and a hard place. I was hoping Avid could clear up if either a) the file in this instance is not a threat, or b) there is a version of MC with an updated file to appease such IT departments as mine.

    Basically they want it updated or gone :(
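
Added example, not part of any post in this thread and not Avid's code: a Python script that opens a WAR file such as the `DMFService.war` named above, lists the Log4j jars bundled inside it with their versions, and records whether each contains the `JndiLookup` class that CVE-2021-44228 depends on (Log4j 1.x jars have no such class). The sample archive, its file names and the function names are constructed for illustration and do not reflect the contents of Avid's file.

```python
import io
import re
import zipfile

# Class whose presence marks a Log4j 2.x log4j-core jar that still ships JNDI lookups.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches e.g. log4j-1.2.9.jar or log4j-core-2.14.1.jar as the last path component.
JAR_NAME = re.compile(r"(?:^|/)(log4j[\w.-]*?)-(\d+(?:\.\d+)+)[\w.-]*\.jar$", re.I)

def scan_archive(data, label):
    """Recursively inspect a WAR/EAR/JAR (as bytes) and list the Log4j jars inside."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a readable archive, nothing to report
    findings = []
    with zf:
        names = zf.namelist()
        match = JAR_NAME.search(label)
        has_jndi = JNDI_CLASS in names
        if match or has_jndi:  # has_jndi alone catches renamed or repackaged jars
            findings.append({
                "path": label,
                "artifact": match.group(1) if match else None,
                "version": match.group(2) if match else None,
                "jndi_lookup": has_jndi,
            })
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings += scan_archive(zf.read(name), f"{label}!/{name}")
    return findings

def _zip(entries):
    """Build a zip archive in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_war():
    """Constructed WAR holding one Log4j 1.x jar and one Log4j 2.x core jar."""
    v1 = _zip({"org/apache/log4j/Logger.class": b""})
    v2 = _zip({JNDI_CLASS: b""})
    return _zip({"WEB-INF/lib/log4j-1.2.9.jar": v1,
                 "WEB-INF/lib/log4j-core-2.14.1.jar": v2})

if __name__ == "__main__":
    for finding in scan_archive(build_sample_war(), "sample.war"):
        print(finding)
```

To inspect a real file, pass its bytes and path: `scan_archive(open(path, "rb").read(), path)`.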

  • Tue, Jan 11 2022 9:58 AM In reply to

    Re: Important Notice: Recently reported Apache Log4j RCE vulnerability.

    Garry,

    SwissGarry:
    I'm stuck between IT and a hard place.

    Just be aware that 'we' all are. And keep in mind that if IT wants to enforce any security policy, they themselves become the biggest threat for the organization you work for, preventing you from producing the products or services they also get paid for.

    Managing this is a shared responsibility and we are at the mercy of Avid (or any software manufacturer for that matter) producing updates also solving these security issues we pay them for in support contracts.

    In the meantime I put a sign on my wall: 'Keep calm, Another Version In Development'

     

    From the old Apple Quadro 950 to HP Z8xx. My current own systems: 1x Z420 E5 1650 32GB memory quadro K2200, 1x XW8600, 2x 3.0Ghz Quadcore, 24GB memory...

    Jeroen van Eekeres 

    Technical director, Broadcast support engineer, Avid ACSR.

     

    Always have a backup of your projects....Always!!!! Yes Always!!!!

    A.V.I.D....... Another Version In Development

    www.mediaoffline.com

     

     

     
