返回
-
标题
Impact of CVE-2021-44228 Apache Log4j Vulnerability -
说明
A critical vulnerability was recently discovered related to systems/software that run Apache Log4j. More information about this vulnerability can be found here:
National Vulnerability Ddatabase - CVE-2021-44228 (nist.gov) -
原因
This is an industry-wide vulnerability affecting the Apache Log4j itself and is not specific to IT Security Search -
解决办法
IT Security Search does not use Apache Log4j, therefore is not affected by CVE-2021-44228
Log4j's use within ITSS is extremely limited:
1. Used by Elastic Search for basic logging
2. The logging is only console and file output
3. At absolutely no point do we, or have we ever used a JMSAppender
The instance of log4j currently shipped is out of support and has CVEs logged against it. This was eliminated in the 11.5 release onwards.