Apache Log4j 2 security vulnerability (CVE-2021-44228) alert update
by Mike Wager, on 1/4/22
If you are looking for information about Log4J impact on Keysight products, please visit our Product and Solution Cyber Security page. If you are interested in how Keysight can validate your perimeter security protection from Log4J, read on.
UPDATE January 10th, 2022: There is now a fix available to our System Helper, which can be downloaded here.
On December 10th, Eggplant became aware of a vulnerability affecting the Apache Log4j Java-based logging tool. This vulnerability could potentially enable unauthenticated users to execute code on any affected systems. At Eggplant, we immediately began steps to mitigate and monitor the situation.
There are only two products where the Log4j vulnerability is under further investigation:
- Eggplant Manager: Only the System Helper is affected; however, this feature is not enabled by default. We recommend disabling this feature if it is in use while our developers work to resolve the issue. More information about System Helper can be found on our documentation portal.
- Eggplant Functional IBM Rational Quality Manager (RQM) Adapter: Our developers are currently working with IBM to provide a patched version to work in conjunction with the IBM Jazz Server.
Eggplant’s products do not make extensive use of Java. However, in services and components where we identified use of the Log4j library, the vulnerability either did not appear exploitable, or we are running a current version that is not impacted.
The following products are NOT affected by this vulnerability:
- Eggplant Digital Automation Intelligence (DAI)
- Eggplant Functional (Studio & Fusion Engine)
- Eggplant Monitoring Insights
- Eggplant Performance
We will continue to monitor the situation and provide updates on any affected Eggplant products with any mitigation actions.
If you require immediate assistance, please contact our support team.
More about Log4j
What is Log4j?
Log4j is an open source Java library used for logging error messages and other important events in applications. Log4j is commonly used in any piece of software that uses logs, including enterprise software applications, custom applications, and any device that is exposed to cloud computing services.
According to Apache Logging Services, “Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited.”
Where is Log4j used?
According to the UK’s National Cyber Security Centre (NCSC), the Log4j library is used in enterprise Java software and Apache frameworks, including Apache Flink, Apache Solr, Apache Swift, Apache Druid, and Apache Struts2. Other large projects that make use of the Log4j library include Netty, MyBatis, and the Spring framework.
Which applications are affected by the Log4j flaw?
The security vulnerability may affect a huge amount of software and services because Log4j is so widely used. The NCSC says, “An application is most vulnerable if it consumes untrusted user input and passes this to a vulnerable version of the Log4j logging library.”
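The practical first step behind the NCSC statement above, and behind the product review described earlier on this page, is an inventory of which log4j-core jars are actually deployed and at what version. The script below is an added example, not Eggplant's or Apache's code. It assumes 2.15.0 as the first log4j-core 2.x release fixed for CVE-2021-44228 and treats a missing JndiLookup class, the published interim mitigation for jars that could not be upgraded, as the sign that an older jar has already been mitigated; the three sample jars it scans are constructed in a temporary directory.

```python
import os
import re
import tempfile
import zipfile
# Assumption not stated on the page: CVE-2021-44228 affects log4j-core 2.x releases before 2.15.0.
FIXED_VERSION = (2, 15, 0)
# The lookup class whose removal was the published interim mitigation for jars that could not be upgraded.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JAR_NAME = re.compile(r"^log4j-core-.*\.jar$")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '-beta9' are dropped, 'unknown' -> ()."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def inspect_jar(path):
    """Read the Maven version and check for the lookup class inside one jar."""
    version = "unknown"
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        jndi_present = JNDI_CLASS in names
    # An unknown version parses to () and sorts below FIXED_VERSION, so it is treated as old.
    affected = parse_version(version) < FIXED_VERSION and jndi_present
    return {"path": path, "version": version, "jndi_lookup_present": jndi_present, "affected": affected}

def scan(root):
    """Walk root and report every log4j-core jar found, sorted by path."""
    hits = []
    for dirpath, _, files in os.walk(root):
        hits += [inspect_jar(os.path.join(dirpath, f)) for f in files if JAR_NAME.match(f)]
    return sorted(hits, key=lambda h: h["path"])

def build_sample_jar(path, version, include_jndi):
    """Constructed fixture: a minimal jar with Maven metadata and, optionally, the lookup class."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class

def demo():
    """Scan three constructed jars in a temp dir: unpatched, class-stripped, upgraded."""
    root = tempfile.mkdtemp()
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
    build_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1", True)
    return scan(root)
```

Running scan() against a real application directory lists each log4j-core jar with its version and whether it still carries the lookup class; only entries marked affected need action, and a jar flagged with an unknown version should be checked by hand.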