Login Enterprise and Log4j / CVE-2021-44228
Overview
Apache Log4j is a widely used Java logging framework found in many commercial and open-source software products. CVE-2021-44228 is a remote code execution (RCE) vulnerability in Log4j that can be exploited without authentication. Its criticality is rated 10 (out of 10) in the Common Vulnerability Scoring System (CVSS).
Solution
LoginVSI is aware of this vulnerability, has completed an investigation, and has determined that we do not use Java or the Log4j library in any of our products. Therefore, we remain unaffected by the Log4j / CVE-2021-44228 vulnerability. We thoroughly checked our code and third-party tools.
The official statements for the third-party tools used by Login Enterprise were also checked:
RabbitMQ: https://github.com/rabbitmq/rabbitmq-server/discussions/3886?sort=top#discussioncomment-1795896
Portainer: https://www.reddit.com/r/portainer/comments/rdqqsq/log4j_cve202144228/
HAProxy: https://www.loadbalancer.org/blog/log4j-vulnerability/
Postgres: https://www.postgresql.org/about/news/postgresql-jdbc-and-the-log4j-cve-2371/