TV-2021-1002

Server-side hotfix for log4J issue

Bulletin ID
TV-2021-1002
Issue Date
13 Ara 2021
Last Update
29 Ara 2021
Priority
Low
Affected Products
TeamViewer IoT
TeamViewer Engage
TeamViewer Frontline
Impacted products Remediation Remediation status User Action

TeamViewer IoT

Server-side hot fix

done

not required

TeamViewer Engage

Server-side hot fix

done

not required

TeamViewer Frontline

Server-side hot fix

done

not required

(2021-12-30) Update on CVE-2021-44832

On the 30th of December a fourth vulnerability in the log4J library (tracked as CVE-2021-44832) has been disclosed. The version, with the provided fix for the previously disclosed CVEs (CVE-2021-44228, CVE-2021-45046), has been found vulnerable to a RCE attack. A new version has been provided by the project maintainers. TeamViewer again has deployed a server-side hotfix for all affected products. User action is not required.

(2021-12-20) Update on CVE-2021-45105:

In the night between the 17th and 18th of December a third vulnerability in the log4J library (tracked as CVE-2021-45105) has been disclosed. The version, with the provided fix for the previously disclosed CVEs (CVE-2021-44228, CVE-2021-45046), has been found vulnerable to a DoS attack. A new version has been provided by the project maintainers. TeamViewer again has deployed a server-side hotfix for all affected products. User action is not required.

(2021-12-15) Update on CVE-2021-45046:

After it was found that the third-party provided fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete, we have deployed an additional server-side hotfix to address the new CVE-2021-45046User action is not required. We will continue to monitor the situation closely.

(2021-12-13) Statement on CVE-2021-44228:

The third-party Java library Log4J2, which is widely used in the software industry, is subject to a critical vulnerability tracked as CVE-2021-44228. For our potentially impacted services including TeamViewer IoT, TeamViewer Engage, and TeamViewer Frontline, we have deployed an immediate server-side hotfix. User action is not required.

Other TeamViewer products are not impacted. Furthermore, we have diligently investigated our IT infrastructure and taken appropriate steps to mitigate any supply chain risks. TeamViewer will continue to monitor the situation closely.