Nexthink and Log4j
Question
Is Nexthink Experience vulnerable to the recently disclosed security issue affecting Log4j?
Answer
Following a thorough security assessment of Nexthink Experience, a third-party library with a transitive dependency on Log4j was found in our cloud platform.
Although the issue was not exploitable, because the library was not in use, the decision was made to patch the third-party library as a precaution.
Please note that Nexthink Experience client-side applications such as Collector and Finder are not written in Java and are, therefore, not impacted by this vulnerability.
Nexthink also performed a vulnerability assessment with our sub-processors to ensure that their services are protected against the vulnerability. We can therefore confirm that our cloud platform sub-processors are either not vulnerable or have been patched.
Mitigating actions
Preventively, Nexthink has rolled out a maintenance release to patch the third-party library. All backend components were successfully patched on December 16.
Executive Summary
A remote code execution vulnerability was publicly disclosed on December 9, 2021. The Log4j open-source library is one of the most popular Java logging frameworks. The vulnerability affects all Java applications that use Log4j versions from 2.0 up to 2.14.1.
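The advisory above says a transitive Log4j dependency was found and that versions 2.0 through 2.14.1 are affected. As an added example (not Nexthink's code), the check below parses `mvn dependency:tree` output, flags `log4j-core` entries (the artifact that carries the Log4j 2 implementation) inside that range, and tells direct from transitive entries by tree depth; the dependency tree it scans is constructed for the example.

```python
"""Flag log4j-core artifacts in Maven dependency-tree output whose version
lies in the affected range named in the advisory (2.0 up to 2.14.1)."""
import re
from typing import List, Tuple

# Affected version range, taken from the advisory text.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)

# A `mvn dependency:tree` line, after the "[INFO] " prefix, looks like:
#   |  +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
ARTIFACT_RE = re.compile(
    r"(?P<indent>[|+\\\- ]*)"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+):"
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)"
)

# Constructed sample tree: log4j-core 2.14.1 arrives transitively via a
# starter, while a direct log4j-core 2.15.0 is outside the affected range.
SAMPLE_TREE = """[INFO] com.example:app:jar:1.0.0
[INFO] +- com.example:web-starter:jar:3.1.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.15.0:compile
"""

def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable numeric tuple.
    Assumption: qualifiers such as '-beta9' are dropped before comparing."""
    parts = [int(p) for p in version.split("-")[0].split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])

def is_affected(version: str) -> bool:
    """True when the version is inside the affected range (inclusive)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def find_affected_log4j(tree_output: str) -> List[Tuple[str, str, bool]]:
    """Return (artifact, version, is_transitive) for each affected log4j-core
    entry. A direct dependency of the root module sits at '+- ' / '\\- '
    (3 characters of indent); anything deeper is transitive."""
    hits = []
    for line in tree_output.splitlines():
        m = ARTIFACT_RE.match(line.replace("[INFO] ", "", 1))
        if not m or m.group("group") != "org.apache.logging.log4j":
            continue
        if m.group("artifact") != "log4j-core" or not is_affected(m.group("version")):
            continue
        hits.append((m.group("artifact"), m.group("version"), len(m.group("indent")) > 3))
    return hits
```

Run `mvn dependency:tree` per module and feed its output to `find_affected_log4j`; a hit with `is_transitive` set is the situation the advisory describes, a vulnerable Log4j pulled in by some other library.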
Vulnerability information
Please find additional information about the CVE:
Affected software
Nexthink third-party library
Disclaimer
The use of the software is subject to the terms and conditions of its applicable license agreement and the then-effective documentation. This information is provided “as-is” without a warranty of any kind.
Revision
First release
Last updated