San Diego, CA: Recently, multiple organizations have warned users about a vulnerability in the Log4J 2.x software, designated CVE-2021-44228. Details about the vulnerability have been published on the NVD website. The vulnerability has been rated critical because it allows remote code execution with both root and user authorizations.
NO -> The Java client UI does not use Log4J.
NO -> The Java web application does not use Log4J.
NO -> Apache Tomcat, the servlet container (webserver) running the web application, does not use Log4J.
NO -> On most Linux distributions, Log4J 1.x is installed as a dependency of Apache Tomcat. Note that this is version 1.x, which is not affected by this security vulnerability.
There is a related CVE-2021-4104, issued by Apache specifically for Log4J 1.x, which has yet to be published. It concerns an exploit that requires modifying a Log4J configuration file to explicitly enable a certain log file appender, which makes the system vulnerable in the same way as the CVE for Log4J 2.x. Root access is required to make such configuration changes.
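A defender's check for the two situations described above (a Log4J 2.x jar present, or a Log4J 1.x configuration that explicitly enables the risky appender), as an added example that is not the vendor's own tooling: the appender in question is JMSAppender, which the statement above does not name, and the jar-name patterns and sample tree are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not the vendor's own tooling: inventory Log4J jars under a
# directory and flag Log4J 1.x configuration files that enable JMSAppender,
# the appender whose explicit activation CVE-2021-4104 depends on. Assumes
# upstream jar names (log4j-1.2.x.jar, log4j-core-2.x.jar) and no whitespace in paths.
# Classify a Log4J jar by its file name: "1.x", "2.x" or "unknown".
log4j_family() {
    case "$(basename "$1")" in
        log4j-1.*.jar) echo "1.x" ;;
        log4j-core-2.*.jar|log4j-api-2.*.jar) echo "2.x" ;;
        *) echo "unknown" ;;
    esac
}
# Exit 0 when a Log4J 1.x config enables JMSAppender on a line that is not
# commented out (single-line comments only; a heuristic, not a parser).
config_enables_jms() {
    grep -Ev '^[[:space:]]*(#|<!--)' "$1" | grep -q 'JMSAppender'
}
# Report every Log4J jar and 1.x config under $1. Returns 1 if something needs
# attention (a 2.x jar to check against CVE-2021-44228, or a config enabling
# JMSAppender), else 0.
scan_tree() {
    risky=0
    for jar in $(find "$1" -name 'log4j*.jar' 2>/dev/null); do
        fam=$(log4j_family "$jar")
        echo "JAR  $fam  $jar"
        [ "$fam" = "2.x" ] && risky=1
    done
    for cfg in $(find "$1" \( -name 'log4j.properties' -o -name 'log4j.xml' \) 2>/dev/null); do
        if config_enables_jms "$cfg"; then
            echo "RISK JMSAppender enabled in $cfg"; risky=1
        else
            echo "OK   $cfg"
        fi
    done
    return $risky
}
# Constructed sample tree: a 1.x jar, a 2.x jar and a 1.x config enabling JMSAppender.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/lib" "$d/conf"
    : > "$d/lib/log4j-1.2.17.jar"
    : > "$d/lib/log4j-core-2.14.1.jar"
    printf 'log4j.appender.jms=org.apache.log4j.net.JMSAppender\n' > "$d/conf/log4j.properties"
    echo "$d"
}
scan_tree "$(make_sample_tree)"
```

Run it against a real installation root instead of the sample tree (for example the Tomcat home directory); a non-zero exit means a finding needs review.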
If there are any questions regarding this statement, please contact us at [email protected].