Security Vulnerabilities

Security Note: Log4j Vulnerability and Q-SYS Products

CVE-2021-44228

Initial Update: 12/13/2021

Log4j is a popular Java library developed and maintained by the Apache foundation. The library is widely adopted and used in many commercial and open-source software products as a logging framework for Java. A newly discovered zero-day vulnerability in the Apache Log4j library can be exploited to allow attackers to execute code remotely on affected servers.

In response to this vulnerability, QSC engineering and development teams have completed a review of all Q-SYS software, services and products, and determined that Q-SYS solutions are not vulnerable to the Log4j exploit. This includes:

  • All Q-SYS Cores and Peripheral devices
  • All Q-SYS software applications
  • Q-SYS Reflect Enterprise Manager
  • QSC-ID authentication platform

QSC takes the security of our customers' systems very seriously, and as a result the engineering and development team will continue to proactively monitor the situation and provide updates to this page as needed.

Security patches and features are regularly released through free Q-SYS firmware updates, and at the time of writing, Q-SYS v9 is the latest supported main branch of Q-SYS software. To ensure that your systems remain protected with the latest security features and patches, QSC recommends that you install the latest firmware version available. For access to the latest Q-SYS firmware updates, please visit https://www.qsc.com/qds.

Security Note: Spectre CPU vulnerability

Last Update: 1/10/2018

Spectre is a vulnerability recently identified in common CPU architectures affecting manufacturers such as Intel, AMD and ARM. QSC leverages Intel and ARM processors across the Q-SYS platform, and as a result Q-SYS is susceptible to this issue. However, QSC believes this is a low risk for the following reasons:

  • This exploit requires executing arbitrary code on the system
  • To execute arbitrary code, full system access is required; this is disabled by default on Q-SYS Cores
  • Q-SYS Cores are single-use systems that do not easily provide a way for attackers to execute code locally

Nonetheless, QSC takes the security of our customers' systems very seriously, and as a result the engineering team is monitoring the situation and testing patches from CPU vendors as they become available.

Check back here for more information on when a patch will be made available to Q-SYS customers.

Security Note: Meltdown CPU vulnerability

Last Update: 1/10/2018

Meltdown is a vulnerability recently identified in modern CPU architectures that primarily affects Intel CPU products but may affect other CPU vendors. QSC leverages Intel and other processors across the Q-SYS platform, and as a result Q-SYS is susceptible to this issue. However, QSC believes this is a low risk for the following reasons:

  • This exploit requires executing arbitrary code on the system
  • To execute arbitrary code, full system access is required; this is disabled by default on Q-SYS Cores
  • Q-SYS Cores are single-use systems that do not easily provide a way for attackers to execute code locally

Nonetheless, QSC takes the security of our customers' systems very seriously, and as a result the engineering team is monitoring the situation and testing patches from CPU vendors as they become available.

Check back here for more information on when these patches will be made available to Q-SYS customers.