KB0029 – Apache Log4J vulnerability
A vulnerability has been identified in the Apache Log4J logging framework – CVE-2021-44228
Promenta are receiving question from customers about the potential risk to Promenta solutions.
Summary of issue
A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.
Promenta does not use the affected log4j versions in any solutions that are currently supported.
UPDATE : June 2022 – since SP34-7 (java build 940) apache log4j library is removed completely.