Log4J Vulnerability (CVE-2021-44832)

Document revision

  • Created: January 3, 2022
  • Updated: January 3, 2022, offered Log4j 2.17.1 libraries

What is the vulnerability?

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Is CostPerform impacted?

Very unlikely. CostPerform does not use JDBC Appenders in its configuration, and the attacker must have control over the target LDAP server.

How do I mitigate this?

You can follow the instructions for upgrading Log4j.
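As an added example (not part of the original advisory and not CostPerform's code), the Python script below checks the two facts this advisory turns on: whether a Log4j2 XML configuration contains a JDBC Appender whose DataSource jndiName lies outside the java: protocol, and whether a Log4j2 version string is at or past one of the fixed releases (2.17.1, 2.12.4, 2.3.2). It also recognises the strict-XML <Appender type="JDBC"> form; the configurations and host names in it are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed Log4j2 configurations for illustration (not from the advisory).
NO_JDBC_CONFIG = """<Configuration>
  <Appenders><Console name="stdout"/></Appenders>
</Configuration>"""

SAFE_CONFIG = """<Configuration>
  <Appenders>
    <JDBC name="db" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDB"/>
    </JDBC>
  </Appenders>
</Configuration>"""

# Strict-XML form with a data source outside the java: namespace (constructed host).
RISKY_CONFIG = """<Configuration strict="true">
  <Appenders>
    <Appender type="JDBC" name="db" tableName="app_log">
      <DataSource jndiName="ldap://directory.example.invalid/jdbc/LoggingDB"/>
    </Appender>
  </Appenders>
</Configuration>"""

def find_risky_jndi_datasources(config_xml: str) -> list[str]:
    """'appender: jndiName' for each JDBC appender whose DataSource is not confined
    to the java: protocol (the precondition CVE-2021-44832 needs); [] means none."""
    root = ET.fromstring(config_xml)
    findings = []
    for el in root.iter():
        is_jdbc = el.tag == "JDBC" or (el.tag == "Appender" and el.get("type") == "JDBC")
        if not is_jdbc:
            continue
        for ds in el.iter("DataSource"):
            name = ds.get("jndiName", "")
            if not name.lower().startswith("java:"):
                findings.append(f"{el.get('name')}: {name}")
    return findings

def is_fixed_version(version: str) -> bool:
    """True if a Log4j2 version carries the fix: 2.17.1 or later, or the
    2.12.4 / 2.3.2 backport releases (or later on those two branches)."""
    nums = [int(p) for p in version.split("-")[0].split(".")]  # "2.0-beta7" -> [2, 0]
    v = tuple(nums + [0] * (3 - len(nums)))[:3]
    if v[:2] == (2, 12):
        return v >= (2, 12, 4)
    if v[:2] == (2, 3):
        return v >= (2, 3, 2)
    return v >= (2, 17, 1)
```

An empty result from find_risky_jndi_datasources on every configuration file, together with is_fixed_version returning True for the deployed jar, covers both conditions the advisory lists.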

More information

If you require more information please contact our Support line on +31 (0) 85 023 2114 or send an email to support@costperform.com.

Relevant Links

CVE-2021-44832 information
https://nvd.nist.gov/vuln/detail/CVE-2021-44832
Background information
https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html
Apache Log4J home
https://logging.apache.org/log4j/2.x