A new zero-day vulnerability, officially known as CVE-2021-44228, was published in the NIST National Vulnerability Database on Friday, 10 December. It affects the Log4j Java library.
Log4j is a popular open source logging library created by the Apache Software Foundation. The vulnerability found in Log4j allows attackers to execute commands remotely on a target system. NIST rates the vulnerability as “Critical”.
How are GFI products affected?
The GFI development team is reviewing our products for their use of Log4j.
One feature of Kerio Connect uses Log4j, and a suggested mitigation is outlined below.
If we identify any additional mitigations, we will follow up with you. Additional information will also be posted on this page as it becomes available.
Kerio Connect Vulnerability Mitigation
Log4j is used as part of the chat function in Kerio Connect. We recommend that all Kerio Connect users temporarily disable the chat function in the software.
To disable chat on Kerio Connect:
- Go to Configuration.
- Click Domains.
- Double-click the desired domain.
- Find the “Chat” section in the General tab.
- Deselect the “Enable chat on Kerio Connect client” option.
- Repeat the steps above for all your email domains.
Kerio Connect Security Hotfix
Work has already begun on a security hotfix for Kerio Connect. We intend to provide a public release in the next few days.
Once the release is available, we will send a follow-up notification to all Kerio Connect customers at their registered email address.
Update 2021.12.21.
We are pleased to announce that Kerio Connect 9.3.1p2 is available. This security release addresses the Log4j vulnerability officially known as CVE-2021-44228.
Release notes:
- Upgraded the Apache Log4j 2 library to version 2.16.0 (fixes CVE-2021-44228)
The new version can be downloaded from the GFI Upgrade Center.
We recommend that all Kerio Connect customers install version 9.3.1p2 as soon as possible.
Once Kerio Connect 9.3.1p2 is installed, the chat function can be safely re-enabled.
Update 2022.01.13.
We are pleased to announce the release of Kerio Connect 9.4. This release introduces several key security enhancements, including an update to Log4j 2.17.0, which addresses the denial-of-service vulnerability officially known as CVE-2021-45105 that was present in previous versions.
The complete release notes are available on our website.
The new version can be downloaded from the GFI Upgrade Center.
We recommend that all Kerio Connect customers install version 9.4 as soon as possible.
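The two updates above name the Log4j versions that close each issue: 2.16.0 for CVE-2021-44228 and 2.17.0 for CVE-2021-45105. Administrators who want to confirm that the library a host actually ships meets those versions can inventory the `log4j-core` JARs on disk. The script below is an added example, not GFI's code and not part of Kerio Connect. It reads the version from `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` inside each JAR (the location Maven-built JARs record their coordinates; an assumption about the JAR layout), falls back to the version in the file name, and reports which of the advisory's two CVEs each JAR is still below the fix version for. The `demo()` function builds constructed sample JARs in a temporary directory so the check can be run offline.

```python
"""Inventory log4j-core JARs under a directory and compare their version
against the fix versions named in the advisory (2.16.0 for CVE-2021-44228,
2.17.0 for CVE-2021-45105).

Added example; not part of GFI's advisory or of Kerio Connect.
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Location Maven-built JARs use to record their coordinates (assumed layout).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FILENAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")

# Fix versions exactly as the advisory states them.
FIXES = [
    ("CVE-2021-44228", (2, 16, 0)),
    ("CVE-2021-45105", (2, 17, 0)),
]


def parse_version(text):
    """Turn '2.16.0' (or '2.16') into a 3-tuple for comparison; None if unparseable."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:          # pad so 2.16 compares equal to 2.16.0
        parts.append(0)
    return tuple(parts[:3])


def jar_version(path):
    """Return the log4j-core version of a JAR, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(path) as jar:
            if POM_PROPERTIES in jar.namelist():
                props = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in props.splitlines():
                    key, sep, value = line.partition("=")
                    if sep and key.strip() == "version":
                        return parse_version(value)
    except zipfile.BadZipFile:
        return None
    # Fall back to the version embedded in the file name, if any.
    m = FILENAME_RE.search(os.path.basename(str(path)))
    return parse_version(m.group(1)) if m else None


def unfixed_cves(version):
    """List the advisory's CVEs whose fix version is newer than `version`."""
    return [cve for cve, fixed_in in FIXES if version < fixed_in]


def scan(root):
    """Map each log4j-core JAR under `root` to the CVEs it is not yet patched for."""
    findings = {}
    for path in Path(root).rglob("*.jar"):
        version = jar_version(path)
        if version is not None:
            findings[str(path)] = unfixed_cves(version)
    return findings


def demo():
    """Build constructed sample JARs in a temp dir and scan them (illustration only)."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        for ver in ("2.14.1", "2.16.0", "2.17.0"):
            with zipfile.ZipFile(lib / f"log4j-core-{ver}.jar", "w") as jar:
                jar.writestr(
                    POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={ver}\n",
                )
        # A JAR that is not log4j-core, to show it is ignored.
        with zipfile.ZipFile(lib / "other.jar", "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return {os.path.basename(k): v for k, v in scan(tmp).items()}


if __name__ == "__main__":
    for name, cves in sorted(demo().items()):
        print(f"{name}: {'OK' if not cves else 'below fix version for ' + ', '.join(cves)}")
```

Point `scan()` at the installation directory you want to audit; a JAR that lists no CVEs is at or above both fix versions named on this page. The check only covers the two versions the advisory cites and is not a substitute for applying the vendor's update.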
Update 2022.01.14.
The GFI development team has reviewed our products for their use of Log4j. The results of the assessment are as follows:
| Product | Result | How to fix |
|---|---|---|
| Exinda Network Orchestrator | Not affected | |
| Exinda SD-WAN | Not affected | |
| GFI Archiver | Not affected | |
| GFI EndPointSecurity | Not affected | |
| GFI EventsManager | Not affected | |
| GFI FaxMaker | Not affected | |
| GFI HelpDesk | Not affected | |
| GFI LanGuard | Not affected | |
| GFI MailEssentials | Not affected | |
| Kerio Connect | Affected (version 9.3.1p1 and below) | Upgrade to version 9.4 |
| Kerio Control | Not affected | |
| Kerio Operator | Not affected | |