Apache Log4j 2 Library Vulnerability Notice (UPDATE)

Apache Log4j 2 Library Vulnerability Notice from Workpoint UPDATE

Date: December 21, 2021

Another critical vulnerability that impacts the open-source Java logging library Apache Log4j 2 was discovered. The vulnerability, also referred to as “Log4Shell,” permits unauthenticated remote code execution (RCE), where an attacker can execute any code on a remote machine over LAN, WAN, or internet. The code is triggered when a string provided by the attacker through a variety of different input vectors is processed by the vulnerable Log4j 2 element.

The Common Vulnerabilities and Exposures (CVE) system has identified the vulnerability as CVE-2021-44228 and modified the vulnerability to CVE-2021-45105. The latest description of this new CVE: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.
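To confirm which Log4j 2 build a deployment actually bundles, the following added example (not Workpoint's or Apache's code) walks an install directory, opens JAR/WAR/EAR files including nested ones, and classifies each `log4j-core` version against the range quoted above. It assumes unshaded jars that still carry their Maven `pom.properties`; the function names are hypothetical.

```python
import io, os, re, sys, zipfile

# Maven metadata that an unshaded log4j-core jar carries (assumption: the
# copy was not repackaged/shaded, which strips this file).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def affected_by_cve_2021_45105(version):
    """True/False per the range quoted in this notice; None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return None  # needs manual review
    nums = tuple(int(g or 0) for g in m.groups())
    if nums == (2, 12, 3):  # fixed release that sits inside the range
        return False
    # 2.0-alpha1 parses as (2, 0, 0); 2.17.0 and log4j 1.x fall outside.
    return (2, 0, 0) <= nums <= (2, 16, 0)

def find_log4j_core(data, path):
    """Yield (location, version) for each log4j-core copy, nested archives included."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            if name == POM:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                yield path, m.group(1).strip() if m else "unknown"
            elif name.lower().endswith(ARCHIVES):
                yield from find_log4j_core(zf.read(name), path + "!/" + name)

def scan_tree(root):
    """Walk an install directory and classify every log4j-core found."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVES):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    for where, ver in find_log4j_core(fh.read(), full):
                        results.append((where, ver, affected_by_cve_2021_45105(ver)))
    return results

if __name__ == "__main__":
    for where, ver, hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = {True: "AFFECTED", False: "not affected", None: "REVIEW"}[hit]
        print(f"{status:13} log4j-core {ver:12} {where}")
```

A result of `REVIEW` or an empty report does not prove absence: shaded or repackaged jars lack the metadata file, so the Workpoint version comparison below still applies.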

Workpoint recommends the following immediate steps regarding this vulnerability:
1) Review the exact version of Workpoint deployed, and be sure to obtain any patch version numbers.
2) Compare the version to the following for next steps.

Workpoint JAVA versions

Workpoint 4.10

    4.1.20140904 to 4.1.20140904.P021 (no update required)
    4.1.20140904.22 and above (update required, reach out to Workpoint Support)

Workpoint 4.40

    4.40.0 and above (no update required)

Workpoint 4.50

    4.50.0 and above (update required, reach out to Workpoint Support)

Workpoint .NET

    No Workpoint .NET versions have the update at this time; currently log4j version 1 is included in the .NET release. The Apache Log4j 2 library vulnerability does NOT affect any Workpoint .NET customers.

To request more details, submit a request via our support form.