IMPORTANT: Vulnerability CVE-2021-44228 (AKA Log4Shell)

 

Tuebora Company and Product is UNAFFECTED

 

As you know, information security vulnerabilities can lead to potential unauthorized data disclosure, data destruction, and other issues and losses. It is imperative that Tuebora maintain good information security practices, as these events can impact both parties financially and in terms of operations and reputation. 

 

Tuebora has done the analysis of the following vulnerability that has set the internet “on Fire”

Vulnerability details:

  • Vulnerability description:
    • Apache Log4j2 versions Log4j 2.0-beta9 through 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Versions Log4j 2.15. and after have disabled this behavior by default.
  • Attacks that target this vulnerability:
    • An attacker can perform a complete system takeover on systems by exploiting this flaw. However, all of the following conditions must be met in order to do so: A server with a vulnerable Log4j version (Log4j 2.0-beta9 through 2.14.1); An endpoint with any protocol (HTTP, TCP, etc.) that allows an attacker to send the exploit string; A log statement that logs out the string from that request.
  • Technical impacts of this vulnerability:
    • The unauthenticated remote code execution (RCE) vulnerability (CVE-2021-44228) affects any Apache Log4j version prior to v2.15.0, including the v1 branch of Log4j, which is considered End of Life (EOL).
  • Related vulnerabilities:
    • CVE-2020-9488 (Low); CVE-2017-5645 (Moderate)

 

Links to additional information about this vulnerability:

This is to inform you that Our company and our Product is not Affected by the Apache Log4j2 JNDI Vulnerability. Tuebora product code base doesn’t reference the affected

 class org/apache/logging/log4j/core/lookup/JndiLookup.class.

None of Tuebora components part of the Tuebora IAM offering use the Log4J framework for logging, instead we use logback Java logging framework.

Was this article helpful?
1 out of 1 found this helpful

Comments

0 comments

Article is closed for comments.