Apache Log4j vulnerability update I 15/12

eMagiz update on the vulnerabilities in the Apache Log4j library.

On Sunday December 12th, 2021 a security vulnerability in the Apache Log4J library was exposed. We understand that this raises concerns for our clients, and we have been working hard to understand the impact on our platform and clients.

On Monday December 13th, 2021 we concluded that the vulnerability cannot be exploited in our eMagiz runtime. Our platform uses open source frameworks, among them the pax-logging framework, which includes the Apache Log4J library. The pax-logging framework is only used inside the eMagiz runtime (all versions), which is a Java-based application container.

This conclusion is based on the fact that JNDI is not enabled in our runtime, and JNDI is the key requirement for exploiting this vulnerability. For validation we used an online tool (https://canarytokens.org/generate). The test clearly showed that a JNDI URL was written to the log file but could not be activated. We also checked whether JNDI could be enabled in the eMagiz runtime, and concluded that it is not possible to do so.

The vulnerability published on Tuesday December 14th, 2021, which is fixed in version 2.16.0 of the Log4J framework, is currently assessed by eMagiz as low risk with minimal impact (CVE score not yet known). The global community is assessing this vulnerability at this moment, and we decided to include this version of the Log4J framework as well to ensure all latest versions are included.

eMagiz will release a new runtime version that includes the latest patch of the Log4J library (2.16.0). The main reason is to ensure all concerns are addressed and to mitigate the risk that new vulnerabilities are discovered in older releases in the future. This runtime will be made available as soon as possible, but no later than Friday December 17th, 2021. Please note that your current runtime versions are not at risk of exploitation through these vulnerabilities.

We sincerely hope this addresses your concerns, and we are happy to answer any questions you may have on this subject. Please contact us at productmanagement@emagiz.com.

Published on December 15th, 2021 at 12:07pm