CVE-2021-44228

[mattronix]

Hello Team,

we see log4j in the code base, not super savy with Java but could you confirm if the software is at risk of https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java (CVE-2021-44228)?

[mayyit]

Same question here. The log4j version with 2.0.0 is log4j-1.2.17.jar, which itself is no longer supported according to
https://logging.apache.org/log4j/1.2/ which then also refers to an older CVE https://www.cvedetails.com/cve/CVE-2019-17571/ that seems to have similar issues.

I'm taking down the app until we get some certainty around this issue.

[muppeth]

@mattronix according to https://groups.google.com/g/pwm-general/c/mjf4fEzz0b0 pwm is not affected cause it uses even older log4j lib :\

[jrivard]

PWM (all versions) uses log4j v1, which is not affected by this CVE. Though the deprecated v1 is used, as far as I'm aware the configuration and libraries used are not affected by older v1 CVEs.

Unfortunately, updating to v2 is not trivial. It was attempted and ultimately abandoned because v2's feature bloat and complexity made it not a good fit for PWM and would have required substantial rewrite of code and change of features. There is an ongoing effort to replace log4j with slf4j/logback.

[bmj8409]

Appreciate your work on this tool. It has been very useful to our organization. Unfortunately, we will have to decommission its use until the Log4j is updated to at least 2.16+ or replaced with slf4j/logback. Our security dept. is not allowing the older 1.2.x

[jrivard]

v2.0.2 release replaces log4j with reload4j. This doesn't fix any security issues (there aren't any with our usage of log4j), but it may make your scanners happier. (commit 3a3c137)