Regresar
-
Título
Impact of CVE-2021-44228 Apache Log4j Vulnerability -
Descripción
A critical vulnerability was recently discovered related to systems/software that run Apache Log4j. More information about this vulnerability can be found here:
National Vulnerability Ddatabase - CVE-2021-44228 (nist.gov) -
Causa
This is an industry-wide vulnerability affecting the Apache Log4j itself and is not specific to IT Security Search -
Resolución
IT Security Search does not use Apache Log4j, therefore is not affected by CVE-2021-44228
Log4j's use within ITSS is extremely limited:
1. Used by Elastic Search for basic logging
2. The logging is only console and file output
3. At absolutely no point do we, or have we ever used a JMSAppender
The instance of log4j currently shipped is out of support and has CVEs logged against it. In the next release (11.5) it will be eliminated entirely. There is currently no ETA for the 11.5 release.