Apache log4j vulnerability, CVE-2021-44228

Apache log4j has a critical zero-day vulnerability (CVSS score of 10), CVE-2021-44228.

https://logging.apache.org/log4j/2.x/security.html
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/

The vulnerability appears to impact log4j 2.x through 2.15.0-rc1. Upon a cursory check, CipherMail appears to use log4j 1.2.15, which, while end of life and potentially vulnerable to other threats, shouldn't be vulnerable to this specific flaw. As a result, the mitigating controls may not be applicable or necessary.

Thoughts, or discussion?

Hi Ricky,

CipherMail Gateway and Webmail Messenger are *not* vulnerable to
CVE-2021-44228 because an older version of log4j (1.2) is used which
does not contain the (vulnerable) lookup functionality.

When we became aware, a few hours after the details were posted, that
log4j was exploitable, we analyzed the exploit and concluded that
CipherMail was not vulnerable.

CipherMail uses version 1.2.15 of the log4j library. This version is
still widely deployed. It is true that version 1.x of log4j is no
longer supported; however, we always analyze any impact of a published
exploit to see whether a CipherMail product is impacted or not. We are
not aware of any vulnerabilities in the default configuration of 1.x as
used by CipherMail.

We will further analyze whether we upgrade to a newer version of log4j
or use a different logging library instead.

Kind regards,

Martijn Brinkers

--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger
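
The distinction discussed in this thread (log4j 1.x has no lookup class, log4j 2.x core ships one) can be checked on any installation by looking inside its Java archives. The sketch below is an added example, not part of the original messages and not CipherMail code; the class paths are the real log4j ones, while the function names, finding labels and sample archives are constructed here. A `log4j2-core-with-jndilookup` finding is a triage signal only, and the version still has to be compared with the Apache advisory.

```python
import io
import zipfile

# Class-file paths that identify each log4j generation inside an archive.
V1_MARKER = "org/apache/log4j/Logger.class"                    # log4j 1.x
V2_CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"  # log4j-core 2.x
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear")


def scan_archive(data, label):
    """Return [(location, finding)] for one archive and any archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(label, "unreadable")]
    findings = []
    with zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP in names:
            findings.append((label, "log4j2-core-with-jndilookup"))
        elif V2_CORE_MARKER in names:
            findings.append((label, "log4j2-core-jndilookup-removed"))
        if V1_MARKER in names:
            findings.append((label, "log4j1-no-lookup-class"))
        # Fat jars and WAR files bundle libraries as nested archives.
        for name in sorted(names):
            if name.lower().endswith(NESTED_SUFFIXES):
                findings += scan_archive(zf.read(name), f"{label}!/{name}")
    return findings


def scan_file(path):
    """Scan an archive on disk, e.g. a jar found under an application's lib directory."""
    with open(path, "rb") as fh:
        return scan_archive(fh.read(), path)


def make_jar(entries):
    """Build an in-memory archive from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a WAR bundling one 1.x jar and one 2.x core jar.
    v1 = make_jar({V1_MARKER: b""})
    v2 = make_jar({V2_CORE_MARKER: b"", JNDI_LOOKUP: b""})
    war = make_jar({"WEB-INF/lib/log4j-1.2.15.jar": v1, "WEB-INF/lib/log4j-core.jar": v2})
    for location, finding in scan_archive(war, "app.war"):
        print(finding, location)
```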