Apache log4j vulnerability does not require action from Medanets’ customers
On December 9th, a critical remote code execution vulnerability was reported in Apache log4j versions 2.0-beta9 – 2.15.0-rc1 (CVE-2021-44228). Apache log4j is one of the most popular Java logging libraries.
The log4j library is also found in some Medanets server installations, as it is delivered with several Java applications. We have checked our installations and have come to the following conclusions:
- The log4j library found in Medanets server installations is an older version of the library (1.2.x) which is not vulnerable to CVE-2021-44228.
- Installations also include the log4j-api library (version 2.x), which is likewise not vulnerable to CVE-2021-44228. To make sure, these environments have been checked and the mitigating configuration has been added (LOG4J_FORMAT_MSG_NO_LOOKUPS=true).
- To further reduce the risk, we are currently removing even the non-vulnerable older versions of log4j from Medanets installations where possible.
In conclusion, the vulnerability does not affect Medanets services and does not require immediate action.
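As an added illustration of how the three cases above are told apart (example code written for this page, not Medanets' own tooling), the script below classifies each jar under an installation directory by the classes it actually ships: log4j 1.2.x jars carry `org/apache/log4j/...`, log4j-api 2.x carries `LogManager` but no `JndiLookup`, and only log4j-core 2.x contains the `JndiLookup` class that CVE-2021-44228 abuses. The `demo()` function builds three constructed stand-in jars; in practice `scan()` is pointed at the real installation root.

```python
import os
import tempfile
import zipfile

# Class files identifying which log4j artefact a jar really is (file names can mislead).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j-core 2.x
LOG4J1_MARKER = "org/apache/log4j/Logger.class"                       # log4j 1.2.x
API_MARKER = "org/apache/logging/log4j/LogManager.class"              # log4j-api 2.x

def manifest_version(zf):
    """Version from the jar manifest (Implementation-Version or Bundle-Version), or None."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("Implementation-Version", "Bundle-Version"):
            return value.strip()
    return None

def classify_jar(path):
    """Return (status, version), judged by the classes the jar actually ships."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = manifest_version(zf)
    if JNDI_LOOKUP in names:
        return "core-2.x-jndi", version  # affected by CVE-2021-44228: upgrade log4j-core
    if LOG4J1_MARKER in names:
        return "log4j-1.x", version      # not affected by CVE-2021-44228, but end of life
    if API_MARKER in names:
        return "api-2.x-only", version   # no JndiLookup class on board: not affected
    return "no-log4j", version

def scan(root):
    """Classify every .jar under root (jars nested inside fat jars are not opened)."""
    jars = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs if f.endswith(".jar")]
    return {p: classify_jar(p) for p in jars}

def make_sample_jar(path, classes, version):  # constructed stand-in jar, demonstration only
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for cls in classes:
            zf.writestr(cls, b"")

def demo():
    """Three constructed jars mirroring the advisory's cases; returns {file name: (status, version)}."""
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "log4j-1.2.17.jar"), [LOG4J1_MARKER], "1.2.17")
    make_sample_jar(os.path.join(root, "log4j-api-2.14.1.jar"), [API_MARKER], "2.14.1")
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), [JNDI_LOOKUP], "2.14.1")
    return {os.path.basename(p): s for p, s in scan(root).items()}
```

The LOG4J_FORMAT_MSG_NO_LOOKUPS setting is honoured only by log4j-core 2.10 and later, so on an api-only or 1.2.x installation it does no harm but also changes nothing; the jar classification above is what actually establishes exposure.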
References:
- https://logging.apache.org/log4j/2.x/security.html (visited 14.12.2021)
- https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/ (visited 14.12.2021)
- https://www.truesec.com/hub/blog/apache-log4j-injection-vulnerability-cve-2021-44228-impact-and-response (visited 14.12.2021)