San Diego, CA: Recently, multiple organizations have warned users about a vulnerability in the Log4J 2.x software. This vulnerability was named CVE-2021-44228. Details about the vulnerability have been published on the NVD website. This vulnerability has been deemed critical since it allows for (Remote) code execution with boot ROOT authorizations as well as user authorizations.
Does this affect the XiltriX application?
NO -> The Java client UI does not use Log4J.
NO -> The Java web application does not use Log4J.
NO -> Apache Tomcat, the servlet container (webserver) running the web application, does not use Log4J.
Does this affect the Linux OS on which XiltriX is installed?
NO -> On most Linux distributions Log4J 1.x is installed as a dependency of Apache Tomcat. Note that this is version 1.x, which does not suffer from this security vulnerability.
Were similar vulnerabilities found in earlier versions of log4j?
There is a related CVE-2021-4104 issued by Apache specifically for log4j 1.x, which has yet to be published. This concerns an exploit by modifying a Log4J configuration file to explicitly allow the use of a certain log file appender which makes the system vulnerable in the same way as the CVE for Log4J 2.x. Root access is required to make such configuration changes.
Questions and Recommendations
If there are any questions regarding this statement, please contact us at [email protected].