X-Cart forums (https://forum.x-cart.com/index.php)
-   General questions (X-Cart 5) (https://forum.x-cart.com/forumdisplay.php?f=66)
-   -   Apache Log4j Vulnerability (https://forum.x-cart.com/showthread.php?t=78342)

LTucker 12-27-2021 11:01 AM

Apache Log4j Vulnerability
 
I'm attempting to find out if X-Cart has been affected by the Log4j vulnerability in any way. I have reached out to the X-Cart support team about this issue and did not receive a response.

I have run the scanner manually on the core X-Cart application. As expected, the core X-Cart application was not affected by this vulnerability. I cannot run the scanner on the APIs that X-Cart or X-Payments use, and do not maintain control over these items.

Did anyone reach out and receive a statement from the X-Cart team about the Log4j vulnerability and how X-Cart was impacted?

Reference
CISA Apache Log4j Vulnerability Guidance

Triple A Racing 12-27-2021 07:29 PM

Re: Apache Log4j Vulnerability
 
Good luck waiting for a useful, tested response from the X-Cart support team...

Not 100% sure about fully verifying APIs, but you could use the two tools linked from here, if you wish to dig deeper:

https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html
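As an added example (not from this thread, and not X-Cart's or CISA's own tooling), here is a small Python scanner of the kind the linked article describes. It walks a directory tree, opens every JAR/WAR/EAR/ZIP, recurses into archives nested inside archives (the usual place for a WEB-INF/lib/log4j-core-*.jar), and reports each copy of log4j-core by two signals: whether JndiLookup.class is still present, and the version string from its Maven pom.properties. Like any file-system scanner it only covers hosts you can read, so it does not answer the question about third-party APIs. The fix threshold is an assumption passed as a parameter (2.17.0 is the Java 8 line recommended in December 2021); set it from the Apache Log4j security page for the branch you run. The sample archives are constructed inline for the demo.

```python
"""Scan a directory tree for Log4j 2 'log4j-core' archives, including nested ones.

Added example code, not part of the forum thread. Sample archives below are
constructed in a temp directory; no real application files are read.
"""
import io
import os
import re
import sys
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 4  # do not open archives nested deeper than this


def parse_version(pom_properties_text):
    """Return the 'version=' value from a Maven pom.properties, or None."""
    m = re.search(r"^version=(.+)$", pom_properties_text, re.MULTILINE)
    return m.group(1).strip() if m else None


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); non-numeric suffixes such as '-rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def scan_archive(zf, label, depth=0):
    """Yield a finding for log4j-core content in an open ZipFile; recurse into nested archives."""
    names = zf.namelist()
    jndi_present = any(n.endswith(JNDI_LOOKUP) for n in names)
    pom = next((n for n in names if n.endswith(POM_PROPS)), None)
    if jndi_present or pom:
        version = parse_version(zf.read(pom).decode("utf-8", "replace")) if pom else None
        yield {"path": label, "version": version, "jndi_lookup_present": jndi_present}
    if depth >= MAX_DEPTH:
        return
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from scan_archive(inner, f"{label}!{name}", depth + 1)


def scan_tree(root):
    """Walk `root` and return a list of findings for every archive that carries log4j-core."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(scan_archive(zf, path))
            except zipfile.BadZipFile:
                continue
    return findings


def needs_action(finding, fixed=(2, 17, 0)):
    """True when JndiLookup.class is present and the version is unknown or older than `fixed`.

    `fixed` is an assumed threshold (Java 8 branch, Dec 2021); adjust per Apache's advisory.
    A copy with JndiLookup.class removed is treated as mitigated, per the documented workaround.
    """
    if not finding["jndi_lookup_present"]:
        return False
    if finding["version"] is None:
        return True
    return version_tuple(finding["version"]) < fixed


def archive_bytes(entries):
    """Build an in-memory ZIP/JAR from {name: bytes} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_demo():
    """Create constructed sample archives in a temp dir, scan them, return {relative label: needs_action}."""
    fake_class = b"\xca\xfe\xba\xbe"  # JVM class-file magic; content does not matter for the check
    core_old = {JNDI_LOOKUP: fake_class, POM_PROPS: b"version=2.14.1\n"}
    core_fixed = {JNDI_LOOKUP: fake_class, POM_PROPS: b"version=2.17.0\n"}
    core_stripped = {POM_PROPS: b"version=2.14.1\n"}  # JndiLookup.class deleted from the jar
    api_only = {"META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties": b"version=2.14.1\n"}
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "log4j-core-2.14.1.jar": core_old,
            "log4j-core-2.14.1-stripped.jar": core_stripped,
            "log4j-api-2.14.1.jar": api_only,
            "shop.war": {"WEB-INF/lib/log4j-core-2.17.0.jar": archive_bytes(core_fixed)},
        }
        for name, entries in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(archive_bytes(entries))
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("not an archive\n")
        return {f["path"][len(root) + 1:]: needs_action(f) for f in scan_tree(root)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = {f["path"]: needs_action(f) for f in scan_tree(target)} if target else run_demo()
    for label, flagged in sorted(results.items()):
        print(("ACTION " if flagged else "ok     ") + label)
```

Run it with a directory argument to scan a real host (for example the Java directories of a control panel or a payment connector), or with no argument to run the constructed demo. Note that it only inspects archives on disk; a JVM that was patched at runtime, or a service hosted elsewhere, is out of its reach.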

Ed B. 12-28-2021 07:16 AM

Re: Apache Log4j Vulnerability
 
Unless you run log4j on your server, your server shouldn't be affected by this issue, should it? And log4j being a Java application, I don't see how X-Cart, which is based on PHP/JavaScript, can be affected.

LTucker 12-28-2021 10:42 AM

Re: Apache Log4j Vulnerability
 
Okay thank you, that's unfortunate to hear. I appreciate the added resources. I used the CISA scanner from the original post to scan the web server and X-Cart app.

Yes, X-Cart is a PHP-based platform, which wouldn't directly be affected by this vulnerability. Though many backend services use Java, which makes this vulnerability so dangerous. For example, cPanel was affected.

I'm mostly wondering how X-Payments was impacted, and if they have reached out to the API services that are used in the XC/Qualiteam modules, as there are a lot of RESTful services that were built with Java.
