Important Security Notices; Avid Media Indexer MongoDB Security Notice and log4j or Log4Shell information.
Avid MediaCentral | Production Index (commonly referred to as Media Indexer).
While performing a routine security evaluation, Avid teams discovered a potential vulnerability in the configuration of MongoDB used in MediaCentral | Production Index (commonly referred to as Media Indexer).
This potential vulnerability is caused by the network access configuration for MongoDB in Media Indexer. Media Indexer uses MongoDB as a database to store links to media assets used in MediaCentral | Production Management workflows.
This document describes how to manually apply the minimal needed configuration to limit the network access to local only for MongoDB in Media Indexer.
Also, a vulnerability known as Log4Shell has been found in log4j, a logging library used by Apache web server.
Many applications are affected. The course of action recommended is one of the following:
- If an application uses the Log4j 2 library as a dependency, the developer should ensure they update to version 2.15.0 or later.
- If developers are using an affected third-party application, they must ensure they keep the product updated to the latest version.
- The flaw can also be mitigated in previous releases (2.10 and later) by setting system property “log4j2.formatMsgNoLookups” to “true” or removing the JndiLookup class from the classpath.
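An added example (not Avid's or Apache's code) that classifies a JAR file against the three options listed above. It assumes log4j-core JARs carry the standard Maven `pom.properties` entry and the usual `JndiLookup.class` path; `assess_jar`, `make_sample_jar` and the sample JARs are constructed for illustration.

```python
import io
import re
import zipfile

# Paths inside a log4j-core JAR (assumed standard Maven layout).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(props_text):
    """Return (major, minor, patch) from a pom.properties 'version=' line."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", props_text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def assess_jar(jar_bytes):
    """Classify one JAR against the three options listed in the notice."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if POM_PROPS not in names:
            return "not-log4j-core"
        version = parse_version(jar.read(POM_PROPS).decode("utf-8", "replace"))
    if version is None:
        return "unknown-version"
    if version >= (2, 15, 0):
        return "updated"
    if version < (2, 10, 0):
        return "update-required"  # the notice's mitigations cover 2.10 and later
    if JNDI_CLASS not in names:
        return "jndilookup-removed"
    # The system property is a runtime setting and cannot be read from the JAR.
    return "update-or-set-formatMsgNoLookups"


def make_sample_jar(version, with_jndi=True):
    """Build a constructed, in-memory stand-in for a log4j-core JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")  # placeholder, not real bytecode
    return buf.getvalue()


if __name__ == "__main__":
    for ver, jndi in [("2.14.1", True), ("2.14.1", False), ("2.15.0", True), ("2.8.2", True)]:
        print(ver, jndi, assess_jar(make_sample_jar(ver, jndi)))
```

Copies of the library nested inside WAR files or bundled application JARs are not unpacked by this check and need to be extracted first.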
WE RECOMMEND YOU SEARCH THE MANUFACTURER WEB SITES SPECIFIC TO ANY SERVER SOLUTION YOU WANT TO CHECK TO SEE WHETHER IT MIGHT BE AFFECTED.
Please find below a selection of references for more information.
UK National Cyber Security Centre:
VMware vCenter is affected: https://kb.vmware.com/s/article/87068
No products affected: https://support.signiant.com/hc/en-us
Nothing reported yet. Will be posted here: https://www.qnap.com/en-uk/security-advisories?ref=security_advisory_details
Please call Altered Images on 01932 255 666 for more info