Question

Log4j 1.x

  • 20 December 2021
  • 1 reply
  • 969 views


Can you please help us with getting some clarification on CVE-2021-44228? It looks like CVE-2021-44228 also impacts Log4j 1.x.

 

Since we still have /opt/commvault/Base64/DbJars/log4j-1.2.16.jar, we are being told by our Cyber team that according to CVE-2021-44228 on https://logging.apache.org/log4j/2.x/security.html

Below is the snippet from the logging.apache.org link above:

Log4j 1.x mitigation

Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

 

Does Commvault use JNDI with Log4j 1.x?
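An added audit script, not from this thread or from Commvault, that applies the Apache mitigation quoted above: it flags a Log4j 1.x configuration (log4j.properties or log4j.xml form) only when an appender is bound to org.apache.log4j.net.JMSAppender, the JNDI-using appender behind CVE-2021-4104. The sample configurations are constructed.

```python
# Audit Log4j 1.x configuration text for JMSAppender (CVE-2021-4104 exposure).
# Added example: a 1.x config is exposed only when it instantiates JMSAppender,
# so the check is "is any appender bound to that class", in either config form.
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"


def audit_properties(text: str) -> list[str]:
    """Return appender names bound to JMSAppender in log4j.properties text."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # Log4j ignores comment lines, so do we
        # log4j.appender.<name>=<class>; sub-keys like <name>.Foo do not match
        m = re.match(r"log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)", line)
        if m and m.group(2) == JMS_APPENDER:
            hits.append(m.group(1))
    return hits


def audit_xml(text: str) -> list[str]:
    """Return appender names whose class attribute is JMSAppender in log4j.xml text."""
    root = ET.fromstring(text)  # <appender> elements are unprefixed in log4j.xml
    return [a.get("name", "<unnamed>") for a in root.iter("appender")
            if a.get("class") == JMS_APPENDER]


def is_exposed(text: str) -> bool:
    """True when the config, in either format, would wire up JMSAppender."""
    auditor = audit_xml if text.lstrip().startswith("<") else audit_properties
    return bool(auditor(text))


# Constructed sample configurations (not from any real deployment).
SAFE_PROPS = """# console logging only
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
"""
RISKY_PROPS = SAFE_PROPS + """log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""
RISKY_XML = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>
</log4j:configuration>"""

if __name__ == "__main__":
    for label, cfg in [("safe", SAFE_PROPS), ("props", RISKY_PROPS), ("xml", RISKY_XML)]:
        print(label, "EXPOSED" if is_exposed(cfg) else "not impacted")
```

Point the functions at the contents of the log4j.properties or log4j.xml actually loaded by the application; a file with no JMSAppender binding is not impacted per the Apache guidance.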


1 reply


Please refer to the information in this post:

 

 
