
IP Java concerns regarding log4j exploit

Discussion in 'KVM' started by Chops, Jan 18, 2022.

  1. Chops

    Chops New member

    I am curious if the vendors have addressed some of the concerns regarding this vulnerability. I noticed that a lot of switches use Java and although not the only option, I need to know if this can be blocked. I am currently looking at the CN8000A and I see there is access by browser, winclient, and Java. I searched through the manual and couldn't find a disable Java setting (it requires Java to be installed on the PC) and I don't want users to have the ability to install Java if prompted. This is just one of many KVMs I'm looking for.

    This should be a concern for all end users and I feel there should be a breakdown of
     
  2. KVMGalore Expert

    KVMGalore Expert Staff Member

    Hello Chops,

    Thank you for reaching out on our HelpCenter.

    Regarding ATEN KVM over IP Gateways:
    Being able to block Java isn't possible. If the computer tries to install the Java runtime environment, that's a computer setting; it wouldn't be through ATEN hardware. All ATEN has on their hardware is a standalone executable which would be a small download.
    You can block user level accounts from using the Java Client through user permissions, but it can't be disabled for administrator level accounts.
    To be sure, though, the only ATEN product affected by Log4j is the UPS ViewPower software: https://eservice.aten.com/eServiceCx/Common/FAQ/view.do?id=18171
    CN and KN lines are unaffected as the vulnerable Apache routine isn't used in the KVM or the client software.

    We're still researching Adder and NTI products for you - stay tuned.

    Hope this helps!
    We welcome your questions - please come back and ask us anything, anytime. You may also give us a call at 1-800-636-3434 for further clarifications on this thread.

    Important note: To continue this discussion - please respond via KVMGalore HelpCenter thread, NOT via e-mail.
     
  3. KVMGalore Expert

    KVMGalore Expert Staff Member

    NTI product line is not affected by the zero-day vulnerability CVE-2021-44228 or CVE-2021-45046. NTI does not use the Apache Log4j module for any of its products. This statement is true for all NTI brands – ENVIROMUX, SPLITMUX, XTENDEX, VEEMUX, RACKMUX, UNIMUX, PRIMUX, KEEMUX, INTERMUX, VOPEX, SERIMUX, VIDMUX, and CRYSTALMON.
     
  4. KVMGalore Expert

    KVMGalore Expert Staff Member

    Regarding Adder products: It is not possible to disable the Java option on these devices. iPEPS devices use NPAPI which hasn’t been supported by browsers for a few years now so users cannot connect to the device using Java, only using RVNC.
    Users can, however, disable the HTTP port to disallow browser-based connections.
     
