Idera does not use JMSAppender within our products so we are not impacted by this new CVE. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. For specific security bulletin updates regarding Qubole and Xblend / Xray, please review the information provided in the support portals for those products.Īlthough our initial and thorough investigation has concluded, Idera continues to monitor for potential breaches, we will continue actively to monitor this situation and communicate with stakeholders as appropriate.
Therefore, the investigation confidently concludes none are impacted by the Apache Log4j vulnerability.
Idera has completed its review / investigation on all family of products.įor products supported in this portal, our investigation confirmed there are no exposed instances of the Apache Log4j library within the version range that contains this vulnerability. This is an update of Idera's internal review of the Log4J Issue (CVE-2021-44228). NOTE: This incident is no longer considered active, but is being maintained as Monitoring for short-term visibility. Security Bulletin Update - Log4J Issue (CVE-2021-44228) Ext GWT Community Forums (2.x) - Unsupported.
0 kommentar(er)
