The Log4Shell Vulnerability and Its Effects on Adaptive Recognition Products

In mid-December 2021, experts discovered a severe vulnerability in Apache Log4j, a widely used logging package for the Java programming language. Named Log4Shell, the flaw caused a tidal wave among internet users worldwide—and it even affected two Adaptive Recognition products: ANPR Cloud and AutoFill.

Our vigilant experts eliminated the issue on December 15, 2021, meaning that both ANPR Cloud and AutoFill are perfectly safe to use. ANPR Cloud users do not need to do anything, but AutoFill users must update. Windows users can update the program to version 3.6.5 here; Unix users can do the same by clicking here.

What Is This Vulnerability and How Serious Is It?

Log4j 2 is a logging package for the Java programming language created by Apache, a nonprofit organization developing and managing open-source software. Due to its open-source nature, many companies have used Log4j when creating their programs and solutions in Java, including but not limited to Amazon, Cisco, Google, Microsoft, Oracle, Broadcom, VMware, and Dell. So it isn’t surprising that when Log4Shell was discovered—by Minecraft players!—the whole IT world panicked.

Log4Shell, a remote code execution (RCE) vulnerability, is one of the biggest Java cybersecurity issues of the past years. It is such a severe case that on the internationally accepted CVSS scale measuring vulnerabilities, it reached the maximum score of 10. The reason for that is threefold: Log4Shell is easy to exploit, hard to get rid of, and affects hundreds of millions.

Basically, Log4Shell allows cybercriminals to run any code on a server. All they need to do is get access to a company’s internal network and plant a malicious expression into the code to get full control over the entire network and/or steal users’ data. They can do this without even being in close (physical) proximity to the affected networks/servers.

Was This Vulnerability Fixed?

Since all core versions of Log4j 2 from 2.0 beta 9 to 2.14.1 are affected, an urgent patch was a must. However, due to the immense pressure of racing against the clock (and against the hackers), the original patch, version 2.15.0 of Log4j 2, also had a critical vulnerability that was eventually exploited. Apache rushed out version 2.16.0, which is said to have finally eliminated the vulnerability once and for all.

At present, the only way to prevent cyberattacks is to act as quickly as possible: download the latest version of Log4j 2 (currently 2.17.0) from Apache’s website and upgrade the code of the company’s product/solution to use it. Additionally, suspicious IP addresses can be blocked via the firewall. Other, non-affected programs can be upgraded to their latest versions, ensuring that the system can withstand any attempts at corrupting it.
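
Before upgrading, it helps to know which deployed archives still bundle an affected log4j-core. The following added example (not Adaptive Recognition's or Apache's code) applies the version ranges stated above to JAR/WAR/EAR files, including archives nested inside other archives; the function names and the sample archive are constructed for illustration, and it assumes the Maven `pom.properties` metadata is still present in the JAR.

```python
import io, re, zipfile

# Maven metadata that a Maven-built log4j-core JAR carries; its "version=" line is what we read.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a tuple that sorts in release order."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip(), re.I)
    if not m:
        return None
    stage = {"alpha": 0, "beta": 1, "rc": 2}.get((m[4] or "").lower(), 3)  # 3 = final
    return (int(m[1]), int(m[2]), int(m[3] or 0), stage, int(m[5] or 0))

def classify(version):
    """Apply the version ranges stated in the article."""
    v = parse_version(version)
    if v is None or v < parse_version("2.0-beta9"):
        return "unclassified"  # unparseable, or older than the stated range
    if v <= parse_version("2.14.1"):
        return "vulnerable"
    if v < parse_version("2.16.0"):
        return "incomplete-fix"  # 2.15.0, the first patch
    return "fixed"

def scan_archive(data, name, depth=0, max_depth=5):
    """Return (location, version, status) for each log4j-core copy, nested archives included."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = sorted(zf.namelist())
            if POM_PROPS in names:
                m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
                version = m.group(1).strip() if m else "unknown"
                findings.append((name, version, classify(version)))
            for entry in names:
                if entry.lower().endswith((".jar", ".war", ".ear")) and depth < max_depth:
                    findings += scan_archive(zf.read(entry), f"{name}!/{entry}", depth + 1, max_depth)
    except (zipfile.BadZipFile, RuntimeError):
        pass  # unreadable or corrupt archive: keep what was found so far
    return findings

def make_jar(files):  # builds constructed sample input: {entry_name: bytes} -> JAR bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in files.items():
            zf.writestr(entry, content)
    return buf.getvalue()

# Constructed sample: an application JAR that bundles log4j-core 2.14.1 under lib/.
SAMPLE = make_jar({"lib/log4j-core-2.14.1.jar": make_jar({POM_PROPS: b"version=2.14.1\n"})})
```

To scan a real file, pass its bytes and path to `scan_archive`. Repackaged copies that strip the Maven metadata are not detected by this check, so an empty result does not prove absence.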

Has Adaptive Recognition Been Affected by Log4Shell?

As mentioned before, Adaptive Recognition was also affected by the Log4Shell vulnerability. AutoFill and ANPR Cloud, our cloud-based SaaS solution for projects involving license plate, make, model, color, and category recognition, also used the old version of the Log4j logging package.

We are happy to inform you that our experts have taken the necessary measures to ensure that neither ANPR Cloud nor AutoFill is affected by Log4Shell. However, as previously mentioned, AutoFill users need to upgrade to version 3.6.5—available for Windows and Unix.
