The vulnerability recently found in the open source Apache Log4j library leaves all Pinnacle software clients unaffected, including the clients of PitchPerfect and Time Policy Manager (previously known as Enable Revenue Manager or ERM) which were added to the product suite following the acquisition of Enable.

None of our developed products use Apache, Java or Log4j2 code, making our clients safe and continually protected within the boundaries of our applications against any cyber attacks.

Details about the vulnerability from Apache

One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. This meant that when user input is logged, and that user input contained a JNDI Lookup pointing to a malicious server, then Log4j would resolve that JNDI Lookup, connect to that server, and potentially download serialized Java code from that remote server. This in turn could execute any code during deserialization. This is known as a RCE (Remote Code Execution) attack.

The state of mitigating the issue

The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.12.2 and Log4j 2.16.0.

Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution.

Next steps for IT Directors

Robert Cohen, Pinnacle’s Head of Product and former IT Director ensured the safety of our clients in the context of Pinnacle applications. He continues to monitor the development of events. In light of the update from Apache, he recommends that law firms contact all of their suppliers who use Apache and check that the update to Log4j has been applied.

Application suppliers are responsible for performing the update and proving a patch where needed. “Please contact your suppliers to provide an update or patch if required. For Cloud providers, request an update.”