Nexthink and Log4j

Question

Is Nexthink Experience vulnerable to the recently disclosed security issue affecting Log4j?

Answer

Following a thorough security assessment of Nexthink Experience, a third-party library with a transitive dependency on Log4j was found in our cloud platform.

Although this was not exploitable, since the library was not in use, Nexthink chose to patch the third-party library preventively.

Please note that Nexthink Experience client-side applications such as Collector and Finder are not written in Java and are, therefore, not impacted by this vulnerability.

Nexthink also performed a vulnerability assessment with our sub-processors to ensure that their services are protected against the vulnerability. We can therefore confirm that our cloud platform sub-processors are either not vulnerable or have been patched.

Mitigating actions

Preventively, Nexthink has rolled out a maintenance release to patch the third-party library. All backend components were successfully patched on December 16.

Executive Summary

A remote code execution vulnerability was publicly disclosed on December 9, 2021. The Log4j open-source library is one of the most popular Java logging frameworks. The vulnerability affects all Java applications that use Log4j versions from 2.0 up to 2.14.1.

Vulnerability information

Please find additional information about the CVE:

Affected software

  • Nexthink third-party library

Disclaimer

The use of the software is subject to the terms and conditions of its applicable license agreement and the then-effective documentation. This information is provided “as-is” without a warranty of any kind.

Revision

First release

Last updated