Log4j Vulnerability Update (CVE-2021-44228)
Executive Summary
Log4j is a Java-based logging framework maintained by the Apache Software Foundation. Apache Log4j2 versions 2.14.1 and below are susceptible to a remote code execution vulnerability through which an attacker can take full control of the affected machine.
Technical Summary
Until a few days ago, most people would not have had any knowledge of the Log4j2 software. However, this little-known library is embedded in many larger software packages, which means it is found in many products and locations.
The vulnerability affects the default configurations of a number of Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. It is triggered when Log4j logs attacker-supplied input containing a specially crafted JNDI lookup string: Log4j resolves the lookup against an attacker-controlled server, which can cause malicious code to be loaded and executed on the logging host.
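Because the library is embedded in so many products, the first defensive step is an inventory of deployed Java artifacts against the affected range above. The following is an added example, not Donoma's code: it walks a directory of JARs, reads the Maven pom.properties that log4j-core ships inside the archive, and flags versions at or below 2.14.1. The directory layout and the sample jars built by build_sample_jar are constructed for the demonstration.

```python
# Added example (not Donoma's code): flag JARs bundling log4j-core <= 2.14.1, per this advisory.
import os
import re
import tempfile
import zipfile
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LAST_AFFECTED = (2, 14, 1)  # affected range per the advisory: 2.14.1 and below

def is_affected(version):
    """True when a version such as '2.14.1' or '2.0-beta9' is 2.x and at or below 2.14.1."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    parts = tuple(int(p or 0) for p in m.groups()) if m else ()
    return bool(parts) and parts[0] == 2 and parts <= LAST_AFFECTED

def log4j_core_version(jar_path):
    """Return the log4j-core version from the jar's Maven pom.properties, else None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM not in jar.namelist():
                return None
            props = jar.read(POM).decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None  # not a valid jar: skip it rather than abort the inventory
    m = re.search(r"^version=(.*)$", props, re.M)
    return m.group(1).strip() if m else None

def scan_tree(root):
    """Map jar name -> (version, affected) for every jar under root that bundles log4j-core."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".jar", ".war", ".ear")):
                version = log4j_core_version(os.path.join(dirpath, name))
                if version is not None:
                    findings[name] = (version, is_affected(version))
    return findings

def build_sample_jar(path, version=None):
    """Constructed fixture: a minimal jar, optionally embedding a log4j-core pom.properties."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            jar.writestr(POM, f"artifactId=log4j-core\nversion={version}\n")

def demo():
    # Scan a temporary tree holding three constructed jars; returns {name: (version, affected)}.
    with tempfile.TemporaryDirectory() as root:
        build_sample_jar(os.path.join(root, "app-old.jar"), "2.14.1")
        build_sample_jar(os.path.join(root, "app-new.jar"), "2.17.0")
        build_sample_jar(os.path.join(root, "other.jar"))
        return scan_tree(root)
```

A jar with no log4j-core pom.properties (for example a shaded or repackaged build) is not reported, so the version lookup should be treated as a first pass rather than proof of absence.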
Impact on Donoma’s Products
Our team has inventoried and assessed the code in all our products and has determined that the Log4j vulnerability does not impact our solutions.
We will continue to monitor ongoing threats. If there is a change, we will notify designated IT contacts at your organization. Donoma clients running cloud-based subscriptions are patched automatically. Those running legacy subscriptions on-premises with active support will be scheduled for patch fix deployment.
Action Required
For this vulnerability, no security patching is required on Donoma products.