A new zero-day vulnerability in Log4j was reported on December 9th, 2021. It is now tracked as CVE-2021-44228. Here, we would like to update you on why Hoppe's Ship to Shore solution is not affected by it.
Does the Log4j 2.x vulnerability affect any parts of the Ship to Shore solution?
In a nutshell, no. The Ship to Shore data transmission solution relies on .NET Core, whereas Log4j is a Java logging library. That is why this stack is not affected by CVE-2021-44228.
Shore-Side Cloud Infrastructure
The shore-side infrastructure is hosted on AWS. None of the AWS services that have been identified as vulnerable are used in the solution.
For more details, please refer to the related AWS security bulletin.
Ship-Borne Data Logging Framework HOWAF
The ship-side data logging framework includes one Java-based component, the report service, which is required to generate reports from time series data. At the time of writing, this service relies on Log4j version 1.2.17. According to the statement of the Apache Software Foundation, this version is not susceptible to the remote code execution (RCE) vulnerability tracked as CVE-2021-44228.
However, while investigating this issue we became aware of CVE-2019-17571 and have taken the opportunity to reduce our risk exposure. This fix will be rolled out with the next update of the HOWAF framework.
Thank you for continuing to entrust us with your data.
About the Authors
When not coding or parenting he likes to bury himself in writing poetry and comics.
Dr. Klaus Hueck is Team Lead of the Data Services team at Hoppe Marine's R&D department. He has been responsible for leading the development of Hoppe's cloud infrastructure and the Ship-to-Shore data transmission technology. With a strong background in software development and physics, he enjoys breaking down complex tasks into workable packages to build tailor-made solutions focused on our customers' needs.
In his free time, he is a passionate sailor and beekeeper.