CostPerform Security Patch Information

Log4J Vulnerability (CVE-2021-44832)
Log4j CVE Overview
  • CVE-2021-44228
  • CVE-2021-45046
  • CVE-2021-45105
  • CVE-2021-44832
Document revision
  • Created: January 3, 2022
  • Updated: January 3, 2022 (Log4j 2.17.1 libraries made available)
What is the vulnerability?

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Is CostPerform impacted?

Very unlikely. CostPerform does not use JDBC Appenders in its configuration, and exploitation additionally requires the attacker to control the target LDAP server.

How do I mitigate this?

You can follow the instructions for upgrading Log4j.
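As an added example (not CostPerform's own code or configuration), the check below covers both points above: it scans a Log4j2 XML configuration for JDBC Appenders whose DataSource JNDI name is not a java: name, which is the configuration shape CVE-2021-44832 requires, and it classifies a Log4j version string against the fixed releases named in this advisory. The sample configuration, the appender names and the ldap:// host are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample Log4j2 configuration for illustration; not CostPerform's config.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="auditDb" tableName="audit_log">
      <DataSource jndiName="ldap://logging.example.invalid:389/jdbc/audit"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="localDb" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/AppLog"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
</Configuration>
"""


def find_risky_jdbc_appenders(config_xml: str) -> list:
    """Return JDBC appenders whose <DataSource jndiName> is not a java: name.

    2.17.1, 2.12.4 and 2.3.2 refuse any other protocol; on older releases a
    non-java: name such as ldap:// is the configuration CVE-2021-44832 needs."""
    root = ET.fromstring(config_xml)
    findings = []
    # Log4j2 resolves element names case-insensitively, so compare lowercased tags.
    for appenders in (c for c in root if c.tag.lower() == "appenders"):
        for appender in appenders:
            if appender.tag.lower() != "jdbc":
                continue
            for child in appender:
                jndi = child.get("jndiName", "")
                if child.tag.lower() == "datasource" and not jndi.lower().startswith("java:"):
                    findings.append({"appender": appender.get("name"), "jndiName": jndi})
    return findings


def is_fixed_version(version: str) -> bool:
    """True for the fixed releases the advisory names: 2.17.1 and later,
    plus the security fix releases 2.12.4 and 2.3.2."""
    if version in ("2.12.4", "2.3.2"):
        return True
    base = version.split("-")[0]  # drop pre-release tags such as 2.0-beta7
    parts = tuple(int(p) for p in base.split("."))
    return parts >= (2, 17, 1)
```

Run find_risky_jdbc_appenders over each log4j2.xml on the host; an empty result plus is_fixed_version returning True for the deployed jar is the state this advisory recommends.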

More information

If you require more information please contact our Support line on +31 (0)347 355 027 or send an email to support@costperform.com.

Relevant Links
CVE-2021-44832 information
https://nvd.nist.gov/vuln/detail/CVE-2021-44832
Background information
https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html
Apache Log4J home
https://logging.apache.org/log4j/2.x