In early December 2021, vulnerabilities were reported in the Apache Log4j libraries from 2.0 to 2.15, which could compromise the systems running them, allowing an attacker to execute arbitrary code.
Fresche Solutions is conducting a product-by-product review to identify any potential risks or impacts by the reported remote code execution vulnerability in the Apache Log4j utility.
Below is a list of the products we’ve evaluated and their status related to the Apache Log4j utility vulnerabilities:
A special Fresche knowledge base article has also been set up within the customer portal that contains additional details, product download information and reference material.
Fresche’s recommendations to its clients:
We highly recommend companies running Apache Log4j take the following actions:
The Apache Log4j utility is a commonly used component for logging requests. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j versions from 2.0 to 2.15 to be compromised, allowing an attacker to execute arbitrary code.
On December 10, 2021, NIST published a critical Common Vulnerabilities and Exposures alert, CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228). More specifically, Java Naming and Directory Interface (JNDI) features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.
If you have workloads you believe may be vulnerable, you can read further details on the NIST website: https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
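The first step for a workload owner is finding out which archives actually bundle log4j-core, since the library is usually nested inside a .war or .ear rather than sitting on disk as a top-level jar. The scanner below is an added example, not Fresche's or Apache's code: it walks a directory, opens every jar/war/ear (recursing into nested archives), reads the version from the Maven `pom.properties` entry that log4j-core jars carry, and flags anything in the 2.0 to 2.15 range the advisory names. The sample .war it builds is constructed for demonstration only.

```python
import io
import re
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
AFFECTED_MIN, AFFECTED_MAX = (2, 0), (2, 15)  # inclusive, per the advisory text
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    """'version=2.14.1' in pom.properties -> (2, 14, 1); None if absent."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    return tuple(int(x) for x in m.groups(default="0")) if m else None

def is_affected(version):
    return AFFECTED_MIN <= tuple(version[:2]) <= AFFECTED_MAX  # major.minor only

def find_log4j_core(archive_bytes, label):
    """[(label, version)] for each log4j-core found; recurses into nested archives
    such as WEB-INF/lib/*.jar, where the library is usually bundled."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return hits  # not a zip container, nothing to inspect
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                version = parse_version(zf.read(name).decode("utf-8", "replace"))
                if version:
                    hits.append((label, version))
            elif name.lower().endswith(ARCHIVES):
                hits.extend(find_log4j_core(zf.read(name), f"{label}!{name}"))
    return hits

def scan_tree(root):
    """Walk a directory; return (archive path, version string, affected?) rows."""
    return [(path, ".".join(map(str, v)), is_affected(v))
            for p in Path(root).rglob("*") if p.suffix.lower() in ARCHIVES
            for path, v in find_log4j_core(p.read_bytes(), str(p))]

def make_sample_war(version="2.14.1"):
    """Constructed sample (not real data): a .war bundling log4j-core in WEB-INF/lib."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", inner.getvalue())
    return outer.getvalue()
```

Run `scan_tree("/path/to/deployments")` against the directories your application servers load from; a jar repackaged without its Maven metadata will not be detected this way, so treat an empty result as a prompt to check vendor statements such as the product list above rather than as proof of absence.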