Log4j2 Vulnerability CVE-2021-44228 at MITRE

Options
marc
marc Member, Administrator, Moderator, Employee Posts: 919 admin
edited December 2021 in General Discussions #1

Hey Everyone - I know this is a hot topic so I wanted to share the related Solace Issue Notification in the community.

Solace Reference: SOL-61111

Summary: Solace is aware of the Apache Log4j2 JNDI vulnerability. From CVE-2021-44228 at MITRE: “Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.

The following products are NOT exposed to this vulnerability:

  • PubSub+ Brokers (hardware, software and cloud) are not exposed.
  • PubSub+ Messaging APIs for Java, including the Java(JCSMP), JMS, Java, and JavaRTO APIs are not exposed. However, samples for some of these APIs are distributed with example Log4j configuration. Applications using these APIs may have elected to use Log4j2 for logging.
  • All other messaging APIs, including PubSub+ Messaging API for C, .Net, JavaScript, OpenMAMA, and Python are not exposed.

Details: Solace has evaluated our full product portfolio and identified the affected versions of Log4j2 in the following products. Solace will provide new versions of these products containing an updated Log4j2 to address this vulnerability. Timelines for these updates can be found below.

  • Impacted Product: PubSub+ Cloud (all versions)
  • Scope: Several internal accessible micro-services were running the impacted versions of Log4j2.
  • Resolution: All impacted services have been patched as of Dec 12, 2021.
  • Impacted Product: PubSub+ for Tanzu (all versions)
  • Workaround: No workaround is available at this time.
  • Resolution: Solace will update PubSub+ for Tanzu to address this vulnerability. The target release date for this fix is January 7, 2022.
  • Impacted Product: PubSub+ SolAdmin (all versions)
  • Scope: Solace does not believe that this vulnerability can be remotely exploited in SolAdmin.
  • Workaround: No workaround is available at this time.
  • Resolution: Solace will update PubSub+ SolAdmin to address this vulnerability. The target release date for this fix is the week of December 20, 2021.
  • Impacted Product: PubSub+ Spring Boot (all versions)
  • Workaround: No workaround is available at this time.
  • Resolution: Solace will update the connector to address this vulnerability. The target release date for this fix is the week of December 20, 2021.
  • Impacted Product: PubSub+ Spring Cloud (all versions)
  • Workaround: No workaround is available at this time.
  • Resolution: Solace will update the connector to address this vulnerability. The target release date for this fix is the week of December 20, 2021.
  • Impacted Product: PubSub+ Service Credentials Loader (all versions)
  • Workaround: No workaround is available at this time.
  • Resolution: Solace will update the connector to address this vulnerability. The target release date for this fix is the week of December 20, 2021.

If you have questions about this notification, please contact Solace at support@solace.com.

Comments

  • wolf3las
    wolf3las Member Posts: 1
    Options

    Hi, The Messaging API for Java (jcsmp) 10.12.1 has reference to commons-logging-1.2 which in turn uses log4j 1.2.17, will there be fix for this?

  • murat
    murat Member, Employee Posts: 22 Solace Employee
    Options

    @wolf3las said:
    Hi, The Messaging API for Java (jcsmp) 10.12.1 has reference to commons-logging-1.2 which in turn uses log4j 1.2.17, will there be fix for this?

    Hi there, the CVE-2021-44228 vulnerability does not affect this version of log4j (v1.2.17) therefore no fix is required. The reference in the API pom file to log4j is only in test scope which is used in-house in tests and is not part of the API.