AN14 - LOG4J vulnerability CVE-2021-44228


This page contains all information about the Log4j vulnerability CVE-2021-44228.

This page will feature all announcements so we can keep you informed about the Log4j exploit, which is currently the focus of attention.

  • The Remain team will log everything concerning this exploit here.

 

Who is affected?

Publicly available websites that use the vulnerable versions of Log4j [1].

None of our products are affected by this issue.

TD/OMS

Not affected.

There is no risk because we use the Slf4j/Logback logging framework and not Log4j.

Gravity

Not affected.

There is no risk because we use the Slf4j/Logback logging framework and not Log4j.

XREF

Not affected.

There is no risk because we use the Slf4j/Logback logging framework and not Log4j.

Remain API Studio RPGLE Generator

We do not use Log4j, but the IBM Apache server might. Please consult IBM if your Apache server is open to the public.


MiWorkplace

MiWorkplace is a desktop application and may use the affected library, depending on the installed extensions. The risk is very low. Nevertheless, we are working on an upgrade that does not include the affected libraries.

User-added extensions are neither tracked nor warranted by us.
 

TD/OMS REST Server

Although this application uses Log4j, it is not the version with the exploit. The TD/OMS REST Server is therefore not affected.


TD/OMS Deployment Servers

The TD/OMS Deployment Servers are not affected.


TD/OMS Source Scanner and Dispatcher Servers

The TD/OMS Source Scanner and Dispatcher Servers are not affected.
 

IBM

IBM has a site to address this CVE [3].


[1] https://log4shell.com/
[2] https://www.eclipse.org/lists/cross-project-issues-dev/msg18773.html
[3] https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/