Skip to main content

ProcessIT and CVE-2021-44228

Article # 3037061 - Page views: 71


CVE-2021-44228 - An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. 



From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".



According to "NVD - CVE-2021-44228 (," this defect affects log4j versions 2.0.1 up to (but excluding) 2.15.  ProcessIT 7.3 and 7.4 systems, due to their age, had been deployed with version Log4j 1.2.x and therefore not affected.

In order to confirm the log4j version used by weblogic for any version of ProcessIT:

  1.  open the weblogic.log from the processit server and search "log4j". 
  2.  The reference to the log4j jar file exists near the beginning of the log within the classpath.

All versions of internal processit systems are configured to use log4j-1.2.16.


Level of Complexity 



Applies to  
Product Version Build Environment Hardware
ProcessIT 7.3.X      
ProcessIT 7.4.X      



Add any references to other internal or external articles




Article # 3037061
  • Was this article helpful?