TV-2021-1002

Server-side hotfix for Log4j issue

Summary:

CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832

| Impacted products | Remediation | Remediation status | User Action |
| --- | --- | --- | --- |
| TeamViewer IoT | Server-side hot fix | done | not required |
| TeamViewer Engage | Server-side hot fix | done | not required |
| TeamViewer Frontline | Server-side hot fix | done | not required |

 

(2021-12-30) Update on CVE-2021-44832

On the 30th of December, a fourth vulnerability in the Log4j library (tracked as CVE-2021-44832) was disclosed. The version containing the fix for the previously disclosed CVEs (CVE-2021-44228, CVE-2021-45046) has been found vulnerable to an RCE attack. A new version has been provided by the project maintainers. TeamViewer has again deployed a server-side hotfix for all affected products. User action is not required.

 

(2021-12-20) Update on CVE-2021-45105:

During the night between the 17th and 18th of December, a third vulnerability in the Log4j library (tracked as CVE-2021-45105) was disclosed. The version containing the fix for the previously disclosed CVEs (CVE-2021-44228, CVE-2021-45046) has been found vulnerable to a DoS attack. A new version has been provided by the project maintainers. TeamViewer has again deployed a server-side hotfix for all affected products. User action is not required.

 

(2021-12-15) Update on CVE-2021-45046:

After it was found that the third-party provided fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete, we have deployed an additional server-side hotfix to address the new CVE-2021-45046. User action is not required. We will continue to monitor the situation closely.

 

(2021-12-13) Statement on CVE-2021-44228:

The third-party Java library Log4j 2, which is widely used in the software industry, is subject to a critical vulnerability tracked as CVE-2021-44228. For our potentially impacted services, including TeamViewer IoT, TeamViewer Engage, and TeamViewer Frontline, we have deployed an immediate server-side hotfix. User action is not required.

Other TeamViewer products are not impacted. Furthermore, we have diligently investigated our IT infrastructure and taken appropriate steps to mitigate any supply chain risks. TeamViewer will continue to monitor the situation closely.

Bulletin ID: TV-2021-1002
Issue Date: 2021-12-13
Last Update: 2021-12-29
Priority: Low
CVSS Score:
Assigned CVE:
Affected Products:
  • TeamViewer IoT
  • TeamViewer Engage
  • TeamViewer Frontline

Do you want to report a security issue?

TeamViewer’s security team will investigate every submission in our Vulnerability Disclosure Program.
