Solved

Log4j 1.x

  • 20 December 2021
  • 1 reply
  • 1647 views


Can you please help us get some clarification on CVE-2021-44228? It looks like CVE-2021-44228 also impacts Log4j 1.x.

 

Since we still have /opt/commvault/Base64/DbJars/log4j-1.2.16.jar, we are being told by our Cyber team that according to CVE-2021-44228 on the https://logging.apache.org/log4j/2.x/security.html

Below is the snippet from the logging.apache.org link above:

Log4j 1.x mitigation

Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

 

Does Commvault use JNDI with Log4j 1.x?
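The configuration audit described in the Apache text quoted above, as an added example that is not part of the original thread and is not Commvault or Apache code: it lists every JMSAppender declared in a Log4j 1.x properties or XML configuration, together with its options. The function names are this example's own and the sample configurations are constructed.

```python
import re
import xml.etree.ElementTree as ET
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

def audit_properties(text):
    """Return {appender_name: {option: value}} for each JMSAppender in log4j.properties text."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)        # join backslash-continued lines
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":              # blank lines and comments
            continue
        m = re.match(r"([^=:\s]*)\s*[=:]?\s*(.*)", line)
        props[m.group(1)] = m.group(2).strip()
    findings = {}
    for key, value in props.items():
        # An appender is declared by the key log4j.appender.<name>; its value is the class.
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER:
            prefix = key + "."
            findings[m.group(1)] = {k[len(prefix):]: v for k, v in props.items()
                                    if k.startswith(prefix)}
    return findings

def audit_xml(text):
    """Same result shape for log4j.xml text."""
    findings = {}
    for appender in ET.fromstring(text).iter("appender"):
        if appender.get("class", "").strip() == JMS_APPENDER:
            findings[appender.get("name")] = {
                p.get("name"): p.get("value") for p in appender.iter("param")}
    return findings

# Constructed sample inputs (not Commvault files).
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
#log4j.appender.old=org.apache.log4j.net.JMSAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""
SAMPLE_XML = """\
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="bus" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
</log4j:configuration>
"""
```

An empty result from both functions, for every Log4j 1.x configuration file the application loads, is the "no JMSAppender configured" condition the quoted mitigation asks for.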


1 reply

Aplynx
  • Answer
  • December 20, 2021

Please refer to the information in this post:

 

 

