Regarding the zero-day Java exploit that has surfaced in the last couple of days: we have heard from our development team that this DOES NOT apply to our software.
Dashboards uses log4j version 1.2.17. Therefore, it is not affected by this exploit found in later versions:
- Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package
- CVE-2021-44228 – Log4j 2 Vulnerability Analysis
- NVD CVE-2021-44228 Detail
The last link does not make clear which versions are affected; however, the first two state clearly that the affected versions are 2.0 to 2.14.1.
We also do not use JMSAppender. Plus, that looks like a bit of a stretch. For an attacker to have write access to the log4j configuration, they would likely need filesystem access on the server hosting the application. So it couldn’t be exploited by sending an HTTP request, like the other one could.
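The two facts the post relies on (which log4j artifact and version a deployment actually ships, and whether the 1.x configuration wires in JMSAppender) are both easy to verify rather than take on trust. The following is an added example, not code from the vendor or from the Log4j project: it reads the Maven `pom.properties` metadata inside a jar to identify the log4j artifact and version, flags `log4j-core` in the 2.0 to 2.14.1 range the post cites for CVE-2021-44228, and scans a log4j 1.x properties file for a JMSAppender definition. The jar contents and the configuration text are constructed in memory so the script runs offline; the metadata path layout (`META-INF/maven/<groupId>/<artifactId>/pom.properties`) is standard Maven packaging.

```python
"""Check which log4j artifact a jar ships and whether it falls in the
CVE-2021-44228 range cited above (log4j-core 2.0 to 2.14.1); also check a
log4j 1.x properties file for a JMSAppender definition.

Added example. The sample jars and config below are constructed in memory.
"""
import io
import re
import zipfile

# Standard Maven metadata location inside a jar built by Maven.
POM_RE = re.compile(
    r"^META-INF/maven/(?P<group>[^/]+)/(?P<artifact>[^/]+)/pom\.properties$"
)
JMS_RE = re.compile(
    r"^log4j\.appender\.\w+\s*=\s*org\.apache\.log4j\.net\.JMSAppender\b"
)


def log4j_artifacts(jar_bytes):
    """Return [(groupId, artifactId, version)] for every pom.properties in the jar.

    Shaded or hand-built jars may carry no pom.properties at all; an empty
    result means 'unknown', not 'not present'.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_RE.match(name)
            if not m:
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
            found.append((m.group("group"), m.group("artifact"), props.get("version", "")))
    return found


def version_tuple(version):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of leading integers."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def affected_by_cve_2021_44228(group, artifact, version):
    """True for log4j-core with 2.0 <= version <= 2.14.1 (the range cited above).

    log4j 1.x is a different artifact (log4j:log4j) and is not in scope here.
    """
    if (group, artifact) != ("org.apache.logging.log4j", "log4j-core"):
        return False
    return (2, 0) <= version_tuple(version) <= (2, 14, 1)


def jms_appender_configured(properties_text):
    """True when a log4j 1.x properties config declares a JMSAppender."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        if JMS_RE.match(line):
            return True
    return False


def scan_jar(jar_bytes):
    """Summarise a jar: one dict per Maven artifact with an 'affected' flag."""
    return [
        {"group": g, "artifact": a, "version": v,
         "affected": affected_by_cve_2021_44228(g, a, v)}
        for g, a, v in log4j_artifacts(jar_bytes)
    ]


def make_jar(group, artifact, version):
    """Constructed sample: a minimal jar holding only Maven pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            f"META-INF/maven/{group}/{artifact}/pom.properties",
            f"groupId={group}\nartifactId={artifact}\nversion={version}\n",
        )
    return buf.getvalue()


# Constructed samples: the 1.x jar the post describes, an in-range 2.x jar,
# and a 2.x jar just past the cited range.
LOG4J_1_JAR = make_jar("log4j", "log4j", "1.2.17")
LOG4J_2_JAR = make_jar("org.apache.logging.log4j", "log4j-core", "2.14.1")
LOG4J_2_FIXED_JAR = make_jar("org.apache.logging.log4j", "log4j-core", "2.15.0")

# Constructed log4j 1.x configs: one plain file appender, one with JMSAppender.
PLAIN_CONFIG = "log4j.rootLogger=INFO, F\nlog4j.appender.F=org.apache.log4j.FileAppender\n"
JMS_CONFIG = PLAIN_CONFIG + "log4j.appender.J=org.apache.log4j.net.JMSAppender\n"

if __name__ == "__main__":
    for label, jar in (("1.x", LOG4J_1_JAR), ("2.14.1", LOG4J_2_JAR), ("2.15.0", LOG4J_2_FIXED_JAR)):
        print(label, scan_jar(jar))
    print("JMSAppender in plain config:", jms_appender_configured(PLAIN_CONFIG))
    print("JMSAppender in JMS config:  ", jms_appender_configured(JMS_CONFIG))
```

Run it against a real deployment by reading each jar on the application's classpath with `scan_jar(open(path, "rb").read())` and the deployed `log4j.properties` with `jms_appender_configured`. Because the version check rests on Maven metadata, a jar that yields no artifacts should be treated as unverified and inspected by other means rather than assumed clean.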
At this time we do not know when development plans to move forward with upgrading to Log4j2; however, it does appear we will likely move to v2.15.0 to utilize Java 17+.