CVE-2021-44228 - An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technolo...-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
According to "NVD - CVE-2021-44228 (nist.gov)," this defect affects log4j versions 2.0.1 up to (but excluding) 2.15. ProcessIT 7.3 and 7.4 systems, due to their age, had been deployed with version Log4j 1.2.x and therefore not affected.
In order to confirm the log4j version used by weblogic for any version of ProcessIT:
- open the weblogic.log from the processit server and search "log4j".
- The reference to the log4j jar file exists near the beginning of the log within the classpath.
All versions of internal processit systems are configured to use log4j-1.2.16.
Level of Complexity
Add any references to other internal or external articles