Could ACS 5.8 be vulnerable to Log4j vulnerability ?

Lars.J.Nilsson · ‎12-16-2021

Officially ACS 5.8 is EOL but I guess that it's still in use by some organizations.

Or maybe it uses Log4j 1.x ?

Mike.Cifelli · ‎12-16-2021

I would ping TAC on this one.

Some links that may help:

Cisco Secure Access Control System 5.8 - Cisco

Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021

Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild

hslai · ‎12-19-2021

Please review the info shared by Mike.

Cisco Event Response: Apache Log4j Java Logging Library Security Incident has FAQ. Specifically as of today, it mentions,

> Q: Which Cisco products are affected by this vulnerability?
Please see the Products section of the security advisory for the list of products affected by this vulnerability. At this time, almost all affected Cisco products have either been remediated or have a software update scheduled for release.

> Q: Will Cisco provide software updates for products that have reached the End of Support milestone?
At this time, Cisco is focused on providing software updates for currently supported products.