    SmartClient 12.1 - log4j CVE

    There are 2 CVEs for log4j 1.2, included in SmartClient 12.1
    https://nvd.nist.gov/vuln/detail/CVE-2020-9488
    This vulnerability is a 3.7 (low), and is easy to mitigate by just avoiding using the SMTP appender.

    https://nvd.nist.gov/vuln/detail/CVE-2019-17571
    This vulnerability is a 9.8 critical. Unfortunately log4j 1.2 was end-of-lifed in 2015, and the only mitigation provided is to upgrade to log4j 2.

    I've attempted using the log4j 2 backwards compatibility log4j-1.2-api, however it doesn't appear to be compatible, as I get java.lang.NoClassDefFoundError: org/apache/log4j/spi/RootLogger.

    Please advise if SmartClient is vulnerable to CVE-2019-17571 due to the use of Log4j 1.2. If it has remediated this vulnerability, how? And if not, what is the mitigation strategy going forward?

    #2
    No, we're not vulnerable, and if you plan to use logging in such a way that you might be vulnerable, you can already use Log4j 2 (or any other logging framework), because we support slf4j.
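A defender-side inventory check, added here as an example and not code from either post or from SmartClient: it scans a deployment's jars and separates real log4j 1.x (which ships the SocketServer class that CVE-2019-17571 concerns) from the log4j-1.2-api bridge, which is assumed here to lack org/apache/log4j/spi/RootLogger, matching the NoClassDefFoundError reported above. The jar names and the empty class entries are constructed test data.

```python
import tempfile
import zipfile
from pathlib import Path

# Class entries whose presence tells what kind of log4j artifact a jar is.
# CVE-2019-17571 concerns log4j 1.2's SocketServer, which deserializes untrusted input.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"
# Assumption: the log4j-1.2-api bridge lacks RootLogger (the poster's NoClassDefFoundError),
# so its absence is used to tell the bridge apart from a genuine log4j 1.x jar.
ROOT_LOGGER = "org/apache/log4j/spi/RootLogger.class"


def classify_jar(jar_path: Path) -> dict:
    """Inspect one jar and report the log4j 1.x indicators found inside it."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    has_log4j1 = LOG4J1_MARKER in names
    return {
        "jar": jar_path.name,
        "log4j1_api": has_log4j1,
        "bridge_only": has_log4j1 and ROOT_LOGGER not in names,
        "socket_server": SOCKET_SERVER in names,
    }


def scan_tree(root: Path) -> list:
    """Walk a deployment (e.g. an exploded WAR) and return every jar exposing log4j 1.x classes."""
    return [info for jar in sorted(root.rglob("*.jar"))
            if (info := classify_jar(jar))["log4j1_api"]]


def _make_jar(path: Path, entries) -> None:
    """Build a constructed sample jar containing only empty class entries (test data)."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")


def demo() -> list:
    """Constructed deployment: genuine log4j 1.2, the 1.2-api bridge, and an unrelated jar."""
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d) / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        _make_jar(lib / "log4j-1.2.17.jar", [LOG4J1_MARKER, ROOT_LOGGER, SOCKET_SERVER])
        _make_jar(lib / "log4j-1.2-api-2.x.jar", [LOG4J1_MARKER])
        _make_jar(lib / "other.jar", ["com/example/Foo.class"])
        return scan_tree(Path(d))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```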
