Anyone know if Log4j is used by any version of Epicor

A Log4J Vulnerability Has Set the Internet ‘On Fire’ | WIRED

This bug affects a lot of applications and allows for a total takeover.

VMware is also affected by this and your host should get updated.


I’m curious about this as well. Being that Epicor is a .NET application, is it unlikely Log4j was used? Or is it possible other miscellaneous Java based services are running? We’re cloud, so I don’t have any familiarity with what a typical Epicor install looks like.

Has there been any official response from Epicor on this? I’ve been checking our other vendors and am finding some information; if only a “we are aware and are investigating”.

These are the listed dependencies in the Help About screen below (10.1.600) and I don’t see Log4J in there. Epicor was using Serilog on 10.2 at one point but not sure if that is still true.

Older versions of Vantage 8 had Java appServers and probably include Log4J.

I did notice that SQL Server 2019 has it as part of the old DTS service if you’ve installed that module.

Mark W.

Portions of this Software utilize
IC Sharp zip library, Code Parser, Sarissa, WebKitDetect, Pahvant, Nii JSon, Newtonsoft JSon, (JSON.org), JQuerydoTimeout jQuery plugin for getting position of cursor in textarea, used under GNU GPLv2 and GPLv3 as applicable ( http://www.gnu.org/copyleft/gpl.html and http://www.gnu.org/licenses/gpl-2.0.html)

JS class “getElementsByclassname” developed by Rober Nyman (http://code.google.com/p/getelementsbyclassname, JQuery , JQuery iFramer, JQuery Impropmtu, JQuery Mobile Icon Pack, jQuery Reveal Plugin 1.0, jQuery UI, Color picker Plugin for JQuery library by Stefan Petre, Angular JS, Bootstrap, DataTables, MasonryJS, AvalonEdit, NodeJS - licensed under Open Source Initiative OSI - The MIT License (MIT, http://www.opensource.org/licenses/mit-license.php )

NRefactory (https://github.com/icsharpcode/NRefactory/blob/master/doc/license.txt)

Mono Cecil under Creative Commons license http://creativecommons.org/licenses/by-sa/3.0/us/

Cordova cordova.apache.org, NVD3 Charts, SeliniumHQ (SeleniumIDE and Selenium WebDriver), Microsoft Minifier, Traceur -compiler, log4net, - licensed under http://www.apache.org/licenses/LICENSE-2.0

D3 Charts, d3js.org, swashbuckle, Nuget - Under the BSD 3-Clause License. The 3-Clause BSD License – Open Source Initiative

Newtonsoft.Json.Schema licensed under GNU GPLv2 and GPLv3 as applicable ( The GNU General Public License v3.0 - GNU Project - Free Software Foundation and GNU General Public License v2.0 - GNU Project - Free Software Foundation)

Font Awesome, SIL Open Font License (OFL), GPL / SIL OFL 1.1 (SIL Open Font License (OFL))

Some portions of the Software utilize
SQL Lite Library (www.sqlite.org http://www.sqlite.org) and Crypto Library (www.cryptopp.com http://www.cryptopp.com) available under the public domain

DocStar integration - tar-cs - BSD 4-clause (University of California-Specific) - Open Hub, BSD 4 clause license, Ionic.Zip - DocStar ionic-framework/LICENSE at main · ionic-team/ionic-framework · GitHub, licensed under MIT license, PDFSharp - MIT license, http://www.pdfsharp.net/PDFsharp_License.ashx

DMT - winforms-modernui and LumenWorks both licensed under The MIT License (MIT License - Wikipedia)

Portions of the Software utilize products used under Software License Agreement
Infragistics, © Infragistics Software; PlexityHide, © PlexityHide; Business Objects © SAP.

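The dependency review above relies on the vendor's Help About list. An added check (example code, not from the post or from Epicor) that looks at the filesystem instead: walk an install directory, open every jar/war/ear/zip, and report any archive carrying log4j-core with its version and whether the JndiLookup class is still present. The directory layout, file names and version values are assumptions; it does not look inside nested (shaded) jars.

```python
"""Log4Shell (CVE-2021-44228) host inventory check. Added example, not Epicor's code:
lists archives carrying log4j-core, their version, and whether JndiLookup is present."""
import os
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """'2.14.1' or '2.0-beta9' -> comparable tuple; None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None

def is_vulnerable_version(version):
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1;
    log4j 1.x is a different code base and not this CVE."""
    v = parse_version(version)
    return v is not None and (2, 0, 0) <= v <= (2, 14, 1)

def inspect_archive(path):
    """Return a finding dict for one archive, or None if it has no log4j-core."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if POM_PROPS not in names and JNDI_CLASS not in names:
                return None
            version = None
            if POM_PROPS in names:
                m = re.search(rb"^version=(.+)$", zf.read(POM_PROPS), re.MULTILINE)
                version = m.group(1).decode().strip() if m else None
    except zipfile.BadZipFile:
        return None  # not a zip container (e.g. a .NET DLL such as log4net)
    has_jndi = JNDI_CLASS in names
    return {
        "path": path,
        "version": version,
        "jndi_lookup_present": has_jndi,
        # exposed only while the class is present; unknown version => review it
        "vulnerable": has_jndi and (version is None or is_vulnerable_version(version)),
    }

def scan_tree(root):
    """Walk root and return findings for every archive that carries log4j-core."""
    paths = (os.path.join(d, n) for d, _, fs in os.walk(root) for n in fs
             if n.lower().endswith(ARCHIVE_EXT))
    return [f for f in (inspect_archive(p) for p in paths) if f]
```

Run it as `scan_tree(r"C:\Program Files\<vendor>")` on each app server; a hit with jndi_lookup_present set to False means the mitigation of deleting the class has already been applied.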

Epicor/Kinetic is not currently listed in the accepted list of vulnerable software.


Epicor I believe uses log4net which is by the same folks but this particular vulnerability isn’t cross port.


Any word on the 3rd-party apps?

  • Commerce Connect
  • Epicor Data Analysis (EDA)
  • Biscit (Epicor Mobile Warehouse)
  • ServiceConnect
  • QuickShip/Manifest
  • Financial Planner/XL Connect
  • KBMax
  • DocStar
  • IDC

I’d hope by now Epicor would have checked their applications and patched or at least notified customers.


Think about the worst case scenario. What if there was a component with a severe vulnerability like this in Epicor? Would your company be able to patch quickly? What if Epicor couldn’t patch on-prem/older versions for weeks or months? Would one have to find a way to isolate the ERP system for protection?

:thinking:


The more experience I get with being on the infosec side of things, the more I lean towards SaaS where possible. Small groups, like myself, simply cannot be on top of everything. I love dearly the control of configuration that on-prem gives but unless one has the resources to manage stuff like this as quickly as possible it often puts a company at risk.


At least EDA, KBMax, and maybe a few more are SaaS solutions from Epicor so hopefully if they are/were vulnerable they’re patched or at least mitigated against.

@Mark_Wonsil true, but keeping quiet to customers won’t really help shield them. Reports are out there that hacker groups are already scanning the net to find vulnerable servers. Personally, I’d rather be informed of it from the vendor before a hacker wreaks havoc.


Doesn’t DocStar use Apache? Or am I thinking of EKM?

Oh, I agree. Remember, it may be a 3rd party program running outside the Epicor sphere that’s vulnerable! It doesn’t matter what package they use to get to your domain controller… :scream:


Yeah, if it’s not directly under Epicor’s control then I can’t really blame Epicor if they’re not aware of the vulnerability. I’d hope they’ve reached out to their vendors and asked about this though and would act in haste to get it patched asap or alert customers.

@josecgomez totally accurate.


Epicor is aware of the Log4J vulnerability that was disclosed last week, and is taking actions to remediate where required.

Many of our platforms are not built on the Java subsystems and hence do not use log4j such as Kinetic, P21, ECC, ECM, Service Connect, CPQ etc.

Where there are components such as Elastic Search used within say ECC we have re-configured SaaS to correct and continue to monitor the situation.

If users have specific questions please raise a call with support for clarification.


I agree that SaaS and other levels of cloud adoption (IaaS and PaaS) help alleviate some responsibility from the business, but I don’t think anyone will ever care as much as we do about our organization’s safety. It is still important to ask questions and vet cloud solution providers for their security practices and principles. Understand what makes the cloud solution more secure by asking what they have in place to keep it secure and what additional tools they may offer you to keep tabs on it (thinking of application gateway and additional security tools in O365).


Does “Kinetic” in this section also include the Epicor ERP product?

Many of our platforms are not built on the Java subsystems and hence do not use log4j such as Kinetic, P21, ECC, ECM, Service Connect, CPQ etc.

Kinetic IS the Epicor ERP Product (that is what it is called now)

Thank you for correcting me/clarifying Jose.


Yes Epicor ERP from 10.X up is a full C#/.Net Stack with MS SQL.

Note that prior versions (Vista / Vantage 6, 8, 9) [This does not apply to SaaS] leverage OpenEdge from Progress Software. They have outlined the following as of this time, which would mean these versions are also not affected. But this is an evolving situation. Anyone on premises on an old, unsupported version should review:

https://knowledgebase.progress.com/articles/Knowledge/Is-OpenEdge-vulnerable-to-CVE-2021-44228-Log4j?_ga=2.13021815.1956329868.1639430333-1931652334.1639430333
