FAQ | Are Q-SYS products affected by the Log4j vulnerability (CVE-2021-44228)?
Learn whether Q-SYS products are affected by the Log4j vulnerability, and what steps need to be taken to mitigate the risk.
Answer
Log4j is a popular Java library developed and maintained by the Apache foundation. The library is widely adopted and used in many commercial and open-source software products as a logging framework for Java. A newly discovered zero-day vulnerability in the widely used Apache Log4j Java logging library can be exploited allowing attackers to enable remote code execution on affected servers.
In response to this vulnerability, QSC engineering and development teams have completed a review of all Q-SYS software, services and products, and determined that Q-SYS solutions are not vulnerable to the Log4j exploit. This includes:
- All Q-SYS Core processors and peripheral devices
- All Q-SYS software applications
- Q-SYS Reflect
- QSC-ID authentication platform
QSC takes the security of our customers' systems very seriously. As a result, the engineering and development team will continue to proactively monitor the situation and provide updates as needed.
Security patches and features are regularly released through free Q-SYS firmware updates. To ensure that your systems remain protected with the latest security features and patches, QSC recommends that you install the latest firmware version available.