
Important Security Notices; Avid Media Indexer MongoDB Security Notice and log4j or Log4Shell information for all server solutions.


 

Avid MediaCentral | Production Index (commonly referred to as Media Indexer).  

While performing a routine security evaluation, Avid teams discovered a potential vulnerability in the configuration of MongoDB used in MediaCentral | Production Index (commonly referred to as Media Indexer).

This potential vulnerability is caused by the network access configuration for MongoDB in Media Indexer. Media Indexer uses MongoDB as a database to store links to media assets used in MediaCentral | Production Management workflows.

This document describes how to manually apply the minimal needed configuration to limit the network access to local only for MongoDB in Media Indexer.

 
Avid strongly recommends that you take the following steps on all Media Indexer servers and clients
 
 
Please review the following document for more information, and follow Avid Best Practices for isolating your Avid systems from the internet.
Avid_Technology_Log4j_Assessment.pdf
 
Avid Security Guidelines and Best Practices for Dealing with Virus Threats can be found here
 
 

Also, a vulnerability known as Log4Shell has been found in log4j, an Apache logging library.

Many applications are affected. The course of action recommended is one of the following:

  1. If an application uses the Log4j 2 library as a dependency, the developer should ensure they update to version 2.15.0 or later.
  2. If developers are using an affected third-party application, they must ensure they keep the product updated to the latest version.
  3. The flaw can also be mitigated in previous releases (2.10 and later) by setting the system property “log4j2.formatMsgNoLookups” to “true” or by removing the JndiLookup class from the classpath.

WE RECOMMEND YOU SEARCH THE MANUFACTURER WEB SITES SPECIFIC TO ANY SERVER SOLUTION THAT YOU WANT TO CHECK MIGHT BE AFFECTED.
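
As an added example (not Avid's or Apache's code), the Python below grades every log4j-core jar under a directory against the three options listed above. It assumes jars keep their Maven file name, log4j-core-<version>.jar; the function names and the sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile
import zipfile

# Class the notice says can be removed from the classpath as a mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)       # notice: update to version 2.15.0 or later
FLAG_FLOOR = (2, 10, 0)  # notice: formatMsgNoLookups works on 2.10 and later

def jar_version(filename):
    """Assumption: the jar keeps its Maven name, log4j-core-<version>.jar."""
    m = re.fullmatch(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar", filename)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def assess(path, no_lookups_flag=False):
    """Classify one jar against the notice's options; None if not log4j-core."""
    version = jar_version(os.path.basename(path))
    if version is None:
        return None
    if version >= FIXED:
        return "updated"
    with zipfile.ZipFile(path) as jar:
        if JNDI_CLASS not in jar.namelist():
            return "mitigated: JndiLookup class removed"
    if no_lookups_flag and version >= FLAG_FLOOR:
        return "mitigated: formatMsgNoLookups=true"
    return "needs action"

def scan(root, no_lookups_flag=False):
    """Walk root and return {relative jar path: status} for log4j-core jars."""
    paths = (os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)
    graded = ((os.path.relpath(p, root), assess(p, no_lookups_flag)) for p in paths)
    return {rel: status for rel, status in graded if status}

def build_sample_tree(root):
    """Constructed sample data: tiny stand-in jars, not real Log4j builds."""
    samples = {"app/log4j-core-2.14.1.jar": True, "app/log4j-core-2.15.0.jar": True,
               "svc/log4j-core-2.12.0.jar": False, "old/log4j-core-2.8.2.jar": True}
    for rel, with_jndi in samples.items():  # False = JndiLookup stripped
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(JNDI_CLASS if with_jndi else "META-INF/MANIFEST.MF", b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for jar, status in sorted(scan(tmp, no_lookups_flag=True).items()):
            print(f"{jar}: {status}")
```

The thresholds are the ones given in this notice; Apache has published later Log4j releases, so check each vendor's current advisory for the version it requires.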

Please find below a selection of references for more information.

Avid:
https://community.avid.com/forums/p/204647/915814.aspx#915814
https://avid.secure.force.com/pkb/articles/en_US/Troubleshooting/en239659

UK National Cyber Security Centre:
https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

Microsoft
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/

Red Hat
https://access.redhat.com/security/cve/cve-2021-44228

VMware
VMware vCenter is affected: https://kb.vmware.com/s/article/87068

Fortinet
https://www.fortiguard.com/psirt/FG-IR-21-245?utm_source=blog&utm_campaign=blog

Dell
https://www.dell.com/support/kbdoc/en-uk/000194372/dsn-2021-007-dell-response-to-apache-log4j-remote-code-execution-vulnerability

SimpleHelp
https://community.simple-help.com/t/log4j-vulnerability-cve-2021-44228-and-simplehelp/888

Signiant
No products affected: https://support.signiant.com/hc/en-us

Adobe
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/apache-log4j-remote-code-execution-vulnerability-cve-2021-44228/td-p/434261

QNAP
Nothing reported yet. Will be posted here: https://www.qnap.com/en-uk/security-advisories?ref=security_advisory_details

Autodesk

The Autodesk Security Team is investigating the Log4Shell vulnerability (CVE-2021-044228). We have not identified any compromised systems in the Autodesk environment due to this vulnerability at this time. This is an ongoing investigation and we will provide updates on the Autodesk Trust Center as we learn more.
 
EditShare
 
 

Please call Altered Images on 01932 255 666 for more info