CVE-2021-44228 Advisory

CVE-2021-44228 and CVE-2021-45046 Advisories

SoftTree Technologies is aware of the security issue relating to the open-source Apache Log4j2 utility (CVE-2021-44228 and CVE-2021-45046).

An exploit for a critical zero-day vulnerability affecting Apache Log4j2 software known as Log4Shell was disclosed on December 9, 2021. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. Versions of Apache Log4j2 versions from 2.0.beta to 2.14.1 are affected by this vulnerability. This vulnerability is actively being exploited in the wild. The Apache Software Foundation has released a security advisory to address this vulnerability (CVE-2021-44228). For more information visit https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

The following SoftTree Technologies products use Apache Log4j utility versions 1.2.14 to 1.2.17 installed as part of the solution.

The installed versions are *NOT IMPACTED* by CVE-2021-44228 and by CVE-2021-45046, and do not need to be patched for these vulnerabilities.

SoftTree Technologies still strongly encourages users and administrators to read the Apache Log4j 2.15.0 and 2.16.0 Announcements, review what's running on their systems, and if required, upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately. Visit https://logging.apache.org/log4j/2.x/security.html and follow the Download link on the Apache web site.

Update, December 16, 2021: A new issue has been reported after Log4j2 version 2.15.0 release. In non default configurations version 2.15.0 might be vulnerable to Denial of Service attacks. We strongly recommend updating to 2.16.0 at the time of the release of this article.

If you still have concerns, please consider upgrading your 24x7 Scheduler and related products to version 7.x.

If you need additional details or assistance, please contact SoftTree Technologies support.