Log4j Vulnerability [CVE-2021-44228, CVE-2022-22965, CVE-2022-22963] Follow

Date: 2022/1/12

Most Edgecore products do not use Apache and Java libraries for system login. After investigation, no known scenarios of Apache Log4J vulnerabilities have been identified with any of Edgecore products including:

• Open networking cloud data center solutions (switches)
• Open networking service provider solutions (routers)
• Enterprise switches with EdgeCOS
• Websmart switches (ECS2020) and Industry switches (ECIS4510) 
• Open operating system: Edgecore SONiC

Edgecore’s legacy NMS product “NetworkEC View Pro” uses Apache 1.2.15, which is not one of listed vulnerable versions such as Apache Log4j2 2.0-beta 9 through 2.12.1 and 2.13.0 through 2.15.0. This legacy product is already declared End-Of-Life.

Date: 2022/4/12

• add CVE-2022-22965, CVE-2022-22963 to subject.