Security Notice - Service Log4j2 Component Vulnerability
Internal ID: Security Notice - Service Log4j2 Component Vulnerability
Publish Date: 2023-03-28
Last Update: 2023-03-29
Detailed Description

HANCHUESS has always prioritised the experience of our users. We had to temporarily suspend the digital platform microservices involved for a day, during which users were unable to access them. We apologise for the inconvenience this caused to our users.
Our team took immediate action to resolve the issue, which has now been fixed. After investigation, we found that the issue was due to a version-specific vulnerability in the Log4j2 logging component provided by Apache. A remote code execution vulnerability exists in Apache Log4j 2.x versions <= 2.14.1. The Log4j2 component has a JNDI injection flaw when processing program log records: input from unreliable sources is not filtered. An unauthorised attacker could use this vulnerability to send carefully crafted malicious data to the target server, triggering the flaw in the Log4j2 component's parsing, enabling arbitrary code execution on the target server, gaining access to it, and eventually achieving remote code execution. Upgrading to the latest version prevents this issue.
Regarding component upgrades, FruitNext has been fixed and internally tested to ensure that such issues do not occur again. As of 29 March 2022, all digital platform related services have been restored. Once again, we apologise for the impact this issue has had on our users.
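
To check whether a deployed archive bundles log4j-core in the range this notice gives (2.x <= 2.14.1), the following added example, which is not HANCHUESS's own code, reads the Maven `pom.properties` that log4j-core carries inside its jar and also looks inside nested jars. The function names and the sample jar builder are hypothetical, and the sample jars are constructed for the example.

```python
import io
import re
import zipfile

# Maven metadata that log4j-core ships inside its own jar.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Affected range as stated in this notice: 2.x up to and including 2.14.1.
LAST_AFFECTED = (2, 14, 1)

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable 3-tuple of ints."""
    nums = re.findall(r"\d+", text.split("-")[0])
    return tuple(int(n) for n in (nums + ["0", "0", "0"])[:3])

def is_affected(version):
    v = parse_version(version)
    return v[0] == 2 and v <= LAST_AFFECTED

def scan_archive(data, label, depth=0, max_depth=3):
    """List (location, version, affected) for each log4j-core copy, nested jars included."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive, nothing to report
    with zf:
        for name in zf.namelist():
            if name == POM:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if m:
                    version = m.group(1).strip()
                    findings.append((label, version, is_affected(version)))
            elif name.lower().endswith((".jar", ".war", ".ear")) and depth < max_depth:
                # Fat jars and wars carry dependencies as nested archives.
                findings += scan_archive(zf.read(name), f"{label}!/{name}", depth + 1, max_depth)
    return findings

def make_sample_jar(version=None, nested=None):
    """Build a constructed in-memory jar for testing (not a real log4j-core jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        for name, blob in (nested or {}).items():
            zf.writestr(name, blob)
    return buf.getvalue()
```

To scan a real file, pass its bytes and path: `scan_archive(open(path, "rb").read(), path)`. A `False` result only means the version is outside the range stated in this notice; repackaged jars that strip the Maven metadata are not detected by this check.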

Revision

2022-03-28,INITIAL
2022-03-29,Update Software Version

Disclaimer

HANCHUESS welcomes security experts and research teams to join our Vulnerability Disclosure Program (VDP). HANCHUESS is committed to taking responsibility for security so that our users around the world can enjoy a secure and reliable intelligent life.
For the security vulnerabilities disclosed on this page, HANCHUESS does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose or non-infringement. You understand that the vulnerability disclosure information is provided only as a reference for you to assess security risk and make appropriate decisions. Your use of the document, by whatsoever means, will be totally at your own risk. In no event shall HANCHUESS or be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.