Questions about log4j vulnerability (CVE-2021-44228)


We've received several queries about the newly discovered remote code execution vulnerability in log4j 2.x (CVE-2021-44228), and want to address any concerns about it as it relates to Rustici Engine.

Engine does not use log4j for logging, nor does it include a log4j library in any release 2015.1 or above. We use slf4j with logback as our underlying logging implementation. As outlined here, logback does not have this vulnerability: it does not perform JNDI lookups on the content of logged messages, which is the mechanism CVE-2021-44228 abuses.

In versions of Engine before 2015.1, a log4j 1.2.15 jar was included in the release. It was only actually used by releases before 2013.2. We switched to slf4j and logback in 2013.2, but the jar remained in the distribution, possibly for the benefit of some external dependencies.

Since this vulnerability only affects version 2.x of log4j (the JNDI lookup feature it abuses exists only in log4j 2.0-beta9 through 2.14.1), these older versions of Engine are not affected by it, because the library they included is a 1.x version.

So no Engine customer should be exposed to this vulnerability through the Engine application itself. To be certain, verify that any application of your own that integrates with Engine does not use log4j 2.x for its own logging, including as a transitive dependency pulled in by a library it bundles.


Update for those on pre-2013.2 Engine

Some additional information about a potential vulnerability in log4j 1.2 has come out, as described in Red Hat's entry for CVE-2021-4104. Unlike the log4j 2 vulnerability, this one is only an issue if the JMSAppender is configured for use and the attacker can modify your log4j configuration file. This article gives a more detailed description of what is necessary.

Engine's default logging configuration does not use this appender, so customers on these older versions would be potentially vulnerable only if they had modified the configuration to use it. That is unlikely, but customers on Engine 2013.1 or below should verify it by checking their log4j configuration for any reference to org.apache.log4j.net.JMSAppender.
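The two checks recommended in this article (that an application integrated with Engine does not carry log4j 2.x, and that a pre-2013.2 log4j 1.2 configuration does not enable the JMSAppender) can be scripted. The following is an added example, not Rustici's code or part of Engine: it walks a deployment directory, opens every .jar/.war/.ear (recursing into archives nested inside archives, where a transitive dependency usually hides), and reports which log4j generation each one carries by looking for marker entries; it also checks a log4j 1.2 configuration for the JMSAppender class name. The archives it scans are constructed stubs containing only those marker entries, so the script runs offline; the file names, the sample layout and the properties text are assumptions for illustration.

```python
"""Audit a deployment for the two log4j situations described above.

Added example, not Rustici's code. Archives are classified by marker
entries; the sample deployment is constructed in a temporary directory.
"""
import io
import os
import tempfile
import zipfile

# Lookup class that performs the JNDI resolution abused by CVE-2021-44228.
# It ships in log4j-core 2.0-beta9 through 2.14.1.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
# Appender relevant to CVE-2021-4104 in log4j 1.2 (only an issue if configured).
JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def classify(zf):
    """Describe what one open archive carries, without unpacking it to disk."""
    names = set(zf.namelist())
    version = None
    if CORE_POM in names:  # Maven metadata gives the exact log4j-core version
        for line in zf.read(CORE_POM).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    return {"log4j2_core": any(n.startswith(LOG4J2_CORE_PREFIX) for n in names),
            "version": version,
            "jndi_lookup": JNDI_LOOKUP in names,
            "log4j1": LOG4J1_MARKER in names}


def verdict(info):
    """One-line assessment of a classify() result against CVE-2021-44228."""
    if info["log4j2_core"] and info["jndi_lookup"]:
        return "log4j 2.x with JndiLookup: affected by CVE-2021-44228, upgrade"
    if info["log4j2_core"]:
        return "log4j 2.x without JndiLookup: confirm the version is a fixed release"
    if info["log4j1"]:
        return "log4j 1.x: not affected by CVE-2021-44228; check config for JMSAppender"
    return "no log4j"


def scan_archive(label, data, findings):
    """Classify an archive held in memory, then recurse into archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        info = classify(zf)
        if info["log4j2_core"] or info["log4j1"]:
            findings[label] = info
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(label + "!/" + name, zf.read(name), findings)


def scan_tree(root):
    """Return {archive label: classify() result} for every log4j archive under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as f:
                    scan_archive(label, f.read(), findings)
    return findings


def config_uses_jms_appender(config_text):
    """True if a log4j 1.2 properties or XML configuration references JMSAppender."""
    return JMS_APPENDER_CLASS in config_text


def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_tree():
    """Constructed sample deployment: stub jars holding only marker entries."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    core_2_14_1 = _make_zip({CORE_POM: "version=2.14.1\n", JNDI_LOOKUP: b"",
                             LOG4J2_CORE_PREFIX + "Logger.class": b""})
    log4j_1_2_15 = _make_zip({LOG4J1_MARKER: b"",
                              "org/apache/log4j/net/JMSAppender.class": b""})
    logback = _make_zip({"ch/qos/logback/classic/Logger.class": b""})
    # A web application bundling log4j-core under WEB-INF/lib (assumed layout).
    webapp = _make_zip({"WEB-INF/web.xml": "<web-app/>",
                        "WEB-INF/lib/log4j-core-2.14.1.jar": core_2_14_1})
    for name, data in (("log4j-1.2.15.jar", log4j_1_2_15),
                       ("logback-classic-1.2.3.jar", logback), ("myapp.war", webapp)):
        with open(os.path.join(lib, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for label, info in sorted(scan_tree(build_sample_tree()).items()):
        print(label, "->", verdict(info), "version:", info["version"])
    # Constructed log4j 1.2 properties text with the appender enabled.
    sample_cfg = "log4j.rootLogger=INFO, jms\nlog4j.appender.jms=" + JMS_APPENDER_CLASS + "\n"
    print("JMSAppender configured:", config_uses_jms_appender(sample_cfg))
```

Point scan_tree at a real deployment directory (for example the application server's lib and webapps directories) to use it in practice. The marker-entry approach deliberately does not trust jar file names, since a repackaged or shaded jar can carry log4j-core classes under any name; the logback stub in the sample is included to show that it is correctly ignored.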
