Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls

Apache Log4j Vulnerability

 
Reply
   X-Cart forums > X-Cart 5 > General questions (X-Cart 5)
 
Thread Tools Search this Thread
  #1  
Old 12-27-2021, 11:01 AM
 
LTucker LTucker is offline
 

Member
  
Join Date: Mar 2020
Posts: 14
 

Default Apache Log4j Vulnerability

I'm attempting to find out if X-Cart has been affected by the Log4j vulnerability in any way. I have reached out to the X-Cart support team about this issue and did not receive a response.

I have run the scanner manually on the core X-Cart application. As expected the core X-Cart application was not affected by this vulnerability. I can not run the scanner on the APIs that X-Cart or X-Payments use, and do not maintain control over these items.

Did anyone reach out and receive a statement from the X-Cart team about the Log4j vulnerability and how X-Cart was impacted?

Reference
CISA Apache Log4j Vulnerability Guidance
__________________
Larry Tucker
Programmer Analyst, WPG Americas Inc.

X-Cart v5.4.0.1 [Linux]
Reply With Quote
  #2  
Old 12-27-2021, 07:29 PM
 
Triple A Racing Triple A Racing is offline
 

X-Wizard
  
Join Date: Jul 2008
Location: Manchester UK
Posts: 1,028
 

Default Re: Apache Log4j Vulnerability

Good luck waiting for a useful, tested response from the X-Cart support team...

Not 100% sure about fully verifying API's, but you could use the two tools linked from here, if you wish to dig deeper:

https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html
__________________
Dev Store & Live Store XC Business 5.4.1.35
Server; Ubuntu 22.04.2 LTS (HWE 6.2.0.26.26 Kernel)) / Plesk Obsidian
Nginx 1.20.4 / Apache 2.4.52 (Ubuntu Backported) / MariaDB 10.11.4 / PHP 7.4.33
Reply With Quote
  #3  
Old 12-28-2021, 07:16 AM
 
Ed B. Ed B. is offline
 

X-Adept
  
Join Date: Apr 2016
Posts: 446
 

Default Re: Apache Log4j Vulnerability

Unless you run log4j on your server, your server shouldn't be affected by this issue, should it? And log4j being a java application, I don't see how X-cart which is based on php/javascript can be affected.
__________________
X-cart 5.2.12, php 5.6
Ed from Grenoble, France
Reply With Quote
  #4  
Old 12-28-2021, 10:42 AM
 
LTucker LTucker is offline
 

Member
  
Join Date: Mar 2020
Posts: 14
 

Default Re: Apache Log4j Vulnerability

Okay thank you, that's unfortunate to hear. I appreciate the added resources. I used the CISA scanner from the original post to scan the web server and X-Cart app.

Yes, X-Cart is a PHP based platform which wouldn't directly be affected by this vulnerability. Though many backend services use Java which makes this vulnerability so dangerous. For example cPanel was affected.

I'm mostly wondering how X-Payments was impacted, and if they have reached out to the API services that are used in the XC/ Qualiteam modules. As there are a lot of RESTful services that were built with Java.
__________________
Larry Tucker
Programmer Analyst, WPG Americas Inc.

X-Cart v5.4.0.1 [Linux]
Reply With Quote
Reply
   X-Cart forums > X-Cart 5 > General questions (X-Cart 5)


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 02:25 AM.

   

 
X-Cart forums © 2001-2020