Epicor Security Update - Log4j Zero Day Exploit

Epicor Security Update – Log4j Zero Day Exploit

Technology and business worlds are awash with talk of the latest security vulnerability posing a threat to enterprises

Technology and business worlds are awash with talk of the latest security vulnerability posing a threat to enterprises of every size, Log4j. Learn more about the exploit and how it impacts Epicor users.

What is Log4j?

Log4j is a logging utility library for Java, and it has a zero-day exploit that allows for remote code execution. Meaning, This bug affects applications using Java and allows for malicious actors to execute external code within the application resulting in a potential takeover of the software.

How does it affect Epicor Users?

Epicor Kinetic (formerly Epicor ERP) from version 10.X onward is built using a C#/.Net framework, PHP, and MS SQL database. It does not leverage Log4j among its dependencies. However, earlier iterations of Epicor software, such as Vantage 8, did employ Java appServers and may include Log4J dependencies.

Log4j may impact third-party solutions that leverage Java, such as ECM (DocStar). Those running on-premise deployments of Epicor Kinetic ERP need to upgrade to the latest version to be fully protected. All the more reason to remain current on the latest version of Kinetic and ensure your business minimizes such vulnerabilities.

Software security vulnerabilities are emerging more frequently among globally used technologies. It’s important to bear in mind that private groups tasked with countering security risks for businesses have a more difficult time managing such widespread system vulnerabilities when compared to vendor administered SaaS models. In the case of the latter, vendors can push out patches and updates to a multitude of users concurrently. The control of configuration that on-premise deployment provides, while useful in customizing a system to the business’ specific needs, presents a precarious set of conditions in today’s modern technological landscape. On-premise users will do well to invest in InfoSec moving forward to ensure their systems remain as protected as possible.

If that investment is not one a business is willing to take on, upgrading to the cloud may be in that business’ best interest.

What is Epicor doing to address the Log4j Vulnerability?

Epicor is actively responding to the reported remote code execution vulnerability in the Apache Log4j 2 Java library. All Epicor cloud products that use Log4j have been remediated, and there is no additional action required of customers. If you operate Epicor products on-premises, please log in to EpicCare to access knowledge base articles that provide remediation instructions for each affected product. Epicor will continually publish information on Log4j to help customers address any vulnerabilities.

 “Fortunately, we use PHP and not Java, so this zero day exploit will not affect us or our customers. That said, Java is a very popular language and if your company uses Java or Java frameworks (eg. Java Spring), you should check in to make sure the Log4j library is updated, if in use, to protect against malicious hackers that will exploit this.” – Rich Murr, Chief Information Officer, Epicor Software Corporation

If Encompass can assist in any way with protecting your Epicor on premise installation, please don’t hesitate to reach out.

About Encompass Solutions

Encompass Solutions is a business and software consulting firm that specializes in ERP systems, EDI, and Managed Services support for Manufacturers. Serving small and medium-sized businesses since 2001, Encompass modernizes operations and automates processes for hundreds of customers across the globe. Whether undertaking full-scale implementation, integration, and renovation of existing systems, Encompass provides a specialized approach to every client’s needs. By identifying customer requirements and addressing them with the right solutions, we ensure our clients are equipped to match the pace of Industry.

Sean Balogh
Pin It

About Sean Balogh

A marketing professional working hard to deliver relevant and engaging content to audiences in education, technology, and manufacturing.