    log4j Zero-Day Vulnerability - Are we affected with 12.1?

    Hello All,

    We are using Smart client version 12.1 and it is bundling an old version of log4j, 1.2.17, which is out of the support model. As per CVE-2021-44228, we need to upgrade libraries. When are we going to get the updated version of the library?

    We see this in our lib folder:
    SmartClient_v121p_2021-01-09_Enterprise/smartclientRuntime/WEB-INF/lib/log4j-1.2.17.jar

    #2
    This vulnerability applies to log4j 2.x. SmartClient ships with log4j 1.x, which does not have this vulnerability.

      #3
      According to https://www.randori.com/blog/cve-2021-44228/ and https://github.com/apache/logging-log4j2/pull/608 1.x versions may still be impacted.

      Also, log4j 1.x is at the end of life and https://www.cvedetails.com/cve/CVE-2019-17571/ will not be fixed.

      If you're planning to upgrade, would SmartClient 11.1 be updated as well?

        #4
        As the pages you have linked to explain, Log4j 1.0 may be vulnerable if you are using the JMS appender, which we do not use in the default configuration.

        The other CVEs against log4j 1.0 also do not apply to SmartClient’s usage of log4j.

        You can already use log4j 2.0 with SmartClient 11.1 via the slf4j support; however, we will not be switching the default logging setup in an existing release.

        Please also note that, had we done so, you would now be vulnerable.

          #5
          Thank you. Can you please explain how we can find out whether "Log4j 1.0 may be vulnerable if you are using the JMS appender"? Is it JMS or JNDI?

          Also, with our 12.1 version, we are still using the log4j 1.x version and have not changed this.

            #6
            In order to be using the JMS appender, you would have to have configured it yourself, using log4j configuration directly, not via SmartClient.

            If you are worried that someone may have done this but it’s been forgotten, check your log4j config and refer to the log4j documentation.

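            As an added example (not code from the thread or from SmartClient), one way to do the check #6 describes: scan a log4j 1.x `log4j.properties` or `log4j.xml` for appenders bound to the JMS appender class and report whether any logger actually attaches them. The two sample configurations are constructed for the example; the class name `org.apache.log4j.net.JMSAppender` is log4j 1.x's own.

```python
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

# log4j.properties: "log4j.appender.<name>=<class>" binds an appender;
# "log4j.rootLogger=LEVEL, a, b" or "log4j.logger.<cat>=LEVEL, a" attaches it.
_APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)", re.M)
_LOGGER_RE = re.compile(
    r"^\s*log4j\.(?:rootLogger|rootCategory|logger\.[^=\s]+|category\.[^=\s]+)\s*=\s*(.*)$", re.M)

def jms_appenders_in_properties(text):
    """Return {name: attached} for each appender bound to JMSAppender in log4j.properties.
    Commented-out lines ('#'/'!') never match since the patterns are anchored at line start;
    'attached' is True when a logger lists the appender, which is when log4j 1.x creates it."""
    attached = set()
    for rhs in _LOGGER_RE.findall(text):
        attached.update(p.strip() for p in rhs.split(",")[1:])  # first item is the LEVEL
    return {name: name in attached
            for name, cls in _APPENDER_RE.findall(text) if cls == JMS_APPENDER}

def jms_appenders_in_xml(text):
    """Same check for log4j.xml: <appender class=...> binds, <appender-ref> attaches."""
    root = ET.fromstring(text)
    attached = {ref.get("ref") for ref in root.iter("appender-ref")}
    return {a.get("name"): a.get("name") in attached
            for a in root.iter("appender") if a.get("class") == JMS_APPENDER}

# Constructed sample configurations, not taken from any real deployment.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
# defined long ago and forgotten; no logger references it:
log4j.appender.queue=org.apache.log4j.net.JMSAppender
log4j.appender.queue.TopicBindingName=logTopic
log4j.logger.com.example.audit=WARN, audit
log4j.appender.audit=org.apache.log4j.net.JMSAppender
"""
SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>
  <root><priority value="info"/><appender-ref ref="console"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    print("properties:", jms_appenders_in_properties(SAMPLE_PROPERTIES))  # {'queue': False, 'audit': True}
    print("xml:", jms_appenders_in_xml(SAMPLE_XML))  # {'jms': True}
```

            A binding that is defined but not attached is still worth removing, since a later config edit can attach it without anyone revisiting the appender class.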
              #7
              Hi,

              You can change the log4j jar to log4j-1.2.18.ayg02.jar

              Check link: https://github.com/albfernandez/log4j/releases

                #8
                This is not necessary.

                This is a fork of the 1.x log4j project that mitigates two security issues that do not apply to SmartClient usage of log4j.
