JAVA Log4J details


admin


Hello all,

Due to the large number of requests for information, we are posting our reply regarding the Apache Log4J vulnerability here, as opposed to individual support ticket replies.

A critical vulnerability in the Apache Log4j framework was recently discovered and reported as CVE-2021-44228 [1].

Intella 2.5 and Intella Connect 2.5 do not use or depend on Apache Log4j. They are thus not affected by this vulnerability.

The logging frameworks that are used in our products (SLF4J [2], Logback [3]) have publicly stated that they are not vulnerable to this type of attack.

Intella and Intella Connect versions 2.1.1 to 2.4.2, and W4 1.1.2, bundle an older Log4j version (1.2.17) that predates this vulnerability. They are therefore also not affected by this vulnerability. Furthermore, this jar file came as an unnecessary dependency of other dependencies and was never used by our software. It is safe to replace the log4j-1.2.17.jar file with the log4j-over-slf4j-1.7.32.jar file that is bundled in Intella/Connect 2.5 [4]. This reroutes any call to the Log4j API to the SLF4J and Logback frameworks.

Finally, we ran the sample exploit code against our products and no vulnerability was detected.

We are therefore convinced that our products are not vulnerable to this exploit. We welcome any further information you may have if you believe the contrary.

Update - December 16, 2021

While Connect is not vulnerable to the Log4j vulnerability, we have released patches for Intella & Intella Connect versions 2.4.2 and 2.5 that ensure that the latest versions of the SLF4J and Logback logging libraries are used. It is highly recommended that you update now.

 


Footnotes
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
[2] http://www.slf4j.org/log4shell.html
[3] http://logback.qos.ch/
[4] https://repo1.maven.org/maven2/org/slf4j/log4j-over-slf4j/1.7.32/log4j-over-slf4j-1.7.32.jar

 

This topic is now closed to further replies.
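
One way to confirm which Log4j flavour each jar in an installation folder really is, by content rather than file name (an added example, not part of the original post and not the vendor's code). The marker class paths, verdict labels, and the `fat-plugin.jar` and `logback-classic.jar` sample names are assumptions of this sketch; the sample jars are constructed stubs.

```python
import io, tempfile, zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # assumed marker: log4j-core 2.x
LOG4J1_API = "org/apache/log4j/Logger.class"  # assumed marker: Log4j 1.x API (real jar or bridge)
LOG4J1_ONLY = "org/apache/log4j/net/JMSAppender.class"  # assumed marker: real Log4j 1.2 only
SEVERITY = ["none", "log4j-1.x-api-bridge", "log4j-1.x", "log4j-core-2.x"]

def classify_jar(data: bytes) -> str:
    """Return the most severe Log4j finding in a jar, including nested jars."""
    try:
        jar = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "none"
    with jar:
        names = set(jar.namelist())
        found = ("log4j-core-2.x" if JNDI_LOOKUP in names else
                 "log4j-1.x" if LOG4J1_ONLY in names else
                 "log4j-1.x-api-bridge" if LOG4J1_API in names else "none")
        for name in names:
            if name.lower().endswith((".jar", ".war")):
                found = max(found, classify_jar(jar.read(name)), key=SEVERITY.index)
        return found

def scan_tree(root) -> dict:
    """Map each jar under root to its finding, omitting jars with no finding."""
    return {p.relative_to(root).as_posix(): v for p in sorted(Path(root).rglob("*.jar"))
            if (v := classify_jar(p.read_bytes())) != "none"}

def make_jar(entries: dict) -> bytes:
    """Build a constructed sample jar from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, content in entries.items():
            jar.writestr(name, content)
    return buf.getvalue()

def demo() -> dict:
    """Scan constructed stubs; two file names follow the post, the rest are made up."""
    samples = {
        "log4j-1.2.17.jar": {LOG4J1_API: b"", LOG4J1_ONLY: b""},
        "log4j-over-slf4j-1.7.32.jar": {LOG4J1_API: b""},
        "logback-classic.jar": {"ch/qos/logback/classic/Logger.class": b""},
        "fat-plugin.jar": {"lib/x.jar": make_jar({JNDI_LOOKUP: b""})},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, entries in samples.items():
            Path(tmp, name).write_bytes(make_jar(entries))
        return scan_tree(tmp)
```

Running `scan_tree()` on a real install directory before and after the jar swap shows whether any genuine Log4j classes remain, including copies nested inside other archives.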