Several vulnerabilities have recently been disclosed in Java log4j version 2. These issues are identified as CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832.
SecureLogix Knowledge Base Article #APP6701 discusses these vulnerabilities, the affected versions of the PolicyGuru Solution, and mitigation for affected versions. The ETM System is not affected by those vulnerabilities because it does not use log4jv2; neither do PolicyGuru versions prior to v2.5.
This document provides supplemental information to Article #APP6701 regarding a vulnerability disclosed for log4jv1 (CVE-2021-4104), and explains why that vulnerability does not affect SecureLogix products.
There are two versions of log4j: log4j version 1 (log4jv1) and log4j version 2 (log4jv2). Only log4jv2 is affected by CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. A separate vulnerability, identified as CVE-2021-4104, was also disclosed for log4jv1. However, that issue only affects log4jv1 when it is specifically configured to use JMSAppender, which is not the default. No version of the ETM System or the PolicyGuru Solution that uses log4jv1 includes JMSAppender as part of its implementation, and they are evaluated as not vulnerable to CVE-2021-4104.
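Because CVE-2021-4104 hinges on whether JMSAppender is configured, the practical check is to inspect the log4jv1 configuration files. The following helper is an added example, not SecureLogix code, and the configuration snippets in it are constructed samples, not taken from any ETM or PolicyGuru installation; it reports any appender bound to the `org.apache.log4j.net.JMSAppender` class in either of the two log4jv1 configuration formats (`log4j.properties` and `log4j.xml`).

```python
"""Report log4j 1.x appenders bound to JMSAppender (hypothetical helper)."""
import re
import xml.etree.ElementTree as ET
from typing import List

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

# Constructed sample log4j.properties: one console appender, one JMS appender.
SAMPLE_PROPERTIES = """\
# constructed sample, not from any SecureLogix product
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

# Constructed sample log4j.xml with only a rolling file appender (no JMS).
SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="file" class="org.apache.log4j.RollingFileAppender">
    <param name="File" value="app.log"/>
  </appender>
  <root><level value="INFO"/><appender-ref ref="file"/></root>
</log4j:configuration>
"""


def properties_uses_jms(text: str) -> List[str]:
    """Names of appenders declared as JMSAppender in a log4j.properties file."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        # Only top-level appender declarations: log4j.appender.<name>=<class>
        m = re.match(r"log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)", line)
        if m and m.group(2) == JMS_APPENDER:
            found.append(m.group(1))
    return found


def xml_uses_jms(text: str) -> List[str]:
    """Names of <appender> elements whose class is JMSAppender in log4j.xml."""
    root = ET.fromstring(text)
    return [a.get("name", "?") for a in root.iter("appender")
            if a.get("class") == JMS_APPENDER]


def config_uses_jms(text: str) -> List[str]:
    """Dispatch on format: XML documents start with '<', otherwise properties."""
    return xml_uses_jms(text) if text.lstrip().startswith("<") else properties_uses_jms(text)
```

An empty result means no JMSAppender is declared, which is the condition under which log4jv1 is not exposed to CVE-2021-4104; a non-empty result names the appenders to review.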
Last Update: 1/21/2022