[SA-0006] - log4j vulnerability is a non-issue for Sippy Software

Dear valued Sippy Customer,

A recent vulnerability, listed as CVE-2021-44228, was made public less than a week before the date of this topic. It impacts Apache Log4j versions 2.0-beta9 to 2.14.1. The vulnerability has serious implications because it is easy to trigger and can be used to perform remote code execution on vulnerable systems, allowing an attacker to gain full control of them. Log4j is also very commonly used in a wide range of applications, which makes this vulnerability of great concern to system administrators.

After review by our security and development teams, Sippy Software has determined that our software is not vulnerable to this type of attack. We have reviewed our code and verified that the Apache Log4j utility is not used by our software. Therefore, this security vulnerability is a non-issue for customers using our software.

Additional information about the log4j vulnerability can be found here:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/

Thank you!

Phillip Ma

Product Manager

Sippy Software

Vulnerability Impact and types

We have assessed how you may be impacted by this security vulnerability. Please see the table below for more information.

| Area of concern | Details |
|---|---|
| Confidentiality Impact | No impact. Sippy Software does not currently use log4j in our application. |
| Integrity Impact | No impact. Sippy Software does not currently use log4j in our application. |
| Availability Impact | No impact. Sippy Software does not currently use log4j in our application. |
| Gained Access | No impact. Sippy Software does not currently use log4j in our application. |
| Vulnerability | No impact. Sippy Software does not currently use log4j in our application. |

Affected Versions and Resolution Plan

We have outlined which customers are affected and what steps they need to take to address this security concern. The corrective steps depend on the version of the software you are using as well as the signaling package currently in use. The table below outlines this for you.

| Product | Version | Signaling Package | Resolution Plan |
|---|---|---|---|
| Sippy Softswitch | v4.5 and earlier | SER | No action is needed |
| Sippy Softswitch | v5.0 | SER | No action is needed |
| Sippy Softswitch | v5.1 | SER | No action is needed |
| Sippy Softswitch | v5.2 | SER | No action is needed |
| Sippy Softswitch | v5.2 | OpenSIPS | No action needed |
| Sippy Softswitch | 2020 | OpenSIPS | No action needed |

Next steps

Ensure your support agreements are up to date. This security vulnerability affected many systems, and being on an active support agreement will help ensure you are prioritized to receive a patch should a major security issue affect you.

Sincerely,

Phillip Ma

Product Manager

Sippy Software.