Apache Log4j 2 Library Vulnerability Notice from Workpoint
Date: December 16, 2021 (Updated December 21, 2021)
Recently, a new critical vulnerability that impacts one of the most popular open-source Java logging libraries, Apache Log4j 2, was discovered. The vulnerability, also referred to as “Log4Shell,” permits unauthenticated remote code execution (RCE), where an attacker can execute any code on a remote machine over LAN, WAN, or internet. The code is triggered when a string is provided by the attacker through a variety of different input vectors and is then processed by the Log4j 2 vulnerable element.
The Common Vulnerabilities and Exposures (CVE) system has identified the vulnerability as CVE-2021-44228 and modified the Vulnerability to CVE-2021-45046. The original CVE was assigned it a CVSS Score of 10.0 – Critical. Access the most current CVE located in the NIST National Vulnerability Database (NVD)
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) released an advisory on the vulnerability and has added the Apache Log4j 2 Remote Code Execution Vulnerability to their Known Exploited Vulnerabilities Catalog.
Systems and services that use the Java logging library, Apache Log4j 2 between versions 2.0 and 2.16, are all affected. With its widespread adoption, many third-party apps are likely vulnerable, revealing a vast attack surface.
The Apache Foundation has released Log4j 2 Version 2.17.0 to address the vulnerability. Users and administrators are prompted to apply the recommended mitigations immediately.
Workpoint Software Implications
Log4j is used as a component of 3rd party products Workpoint deploys, or uses to build applications, to output log statements that help Workpoint and our customers to troubleshoot problems.
Workpoint recommends, immediate steps regarding this vulnerability:
1) Review the exact version of Workpoint deployed, be sure to obtain any patch version numbers.
2) Compare the version to the following for next steps.
Workpoint JAVA versions
4.1.20140904 to 4.1.20140904.P021 (no update required)
4.1.20140904.22 and above (update required, reach out to Workpoint Support)
4.40.0 and above (no update required)
4.50.0 and above (update required, reach out to Workpoint Support)
- All Workpoint.NET versions do not have the update at this time, currently log4j version 1 is included in the .NET release. The Apache Log4j 2 Library Vulnerability does NOT effect any Workpoint .NET customers.
To request more details submitting a request via our support form click here.