
December 12, 2021

A critical vulnerability (CVE-2021-44228, CVSSv3 10.0) affecting multiple versions of the Apache Log4j 2 logging library was disclosed publicly on December 9, 2021. It allows unauthenticated remote code execution (RCE): an attacker who can get a crafted string such as "${jndi:ldap://...}" into any message the application logs can make the JVM resolve that lookup and load attacker-controlled content. The vulnerability exists in Apache Log4j 2 versions 2.0 to 2.14.1. According to the developer, version 1.x of Log4j is not susceptible to this vulnerability.

Log4j 2 is an open-source Java logging library developed by the Apache Software Foundation. It is widely used as a dependency in many applications, including numerous cloud services as well as enterprise applications such as DualShield.

Generally speaking, DualShield is not susceptible to this vulnerability:

1. DualShield 5.x, 6.1, 6.2 and 6.3 include Log4j 1.x, which is not susceptible to this vulnerability.

2. DualShield 6.4 includes Log4j 2.14. However, DualShield 6.4 also includes JRE 8u203, which blocks the best-known form of the exploit.

According to this article and this blog post, Java runtimes from 8u121 onwards set the com.sun.jndi.ldap.object.trustURLCodebase property to false by default, so a JNDI/LDAP lookup can no longer load a class from an attacker's remote codebase. Note that this only removes the remote-class-loading path: with a newer JRE the lookup is still performed and still reaches the attacker's server, and code execution remains possible where the LDAP response triggers deserialization of an attacker-supplied object or reaches another gadget class already on the application's classpath. The JRE version therefore reduces the risk but does not eliminate it, which is why the mitigation below should still be applied on DualShield 6.4.

Actions recommended to DualShield customers

If you are running DualShield 6.4, add "-Dlog4j2.formatMsgNoLookups=true" to the JAVA settings and then restart the DualShield service; the property is read when the JVM starts, so it has no effect on the running service until the restart. This setting is honoured by Log4j 2.10 and later (which covers the 2.14 bundled in DualShield 6.4) and disables lookups inside logged messages, so a "${jndi:...}" string is written to the log as literal text instead of being resolved. It is a mitigation rather than a fix: the vulnerable lookup code remains on the classpath, so the update described below should still be installed once it is available. DualShield versions that ship Log4j 1.x need no change.

Click here for instructions on how to change JAVA settings in the DualShield platform.
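As an added example (not DualShield's or Apache's own code), the following Python script turns the version statements above and the recommended mitigation into a check an administrator can run against a host: it classifies the host from its Log4j 2 version, its JRE version and the JVM options line, distinguishing "mitigated" (flag set and honoured) from "partial" (newer JRE only, remote codebase blocked but local gadget paths still open). The version boundaries come from this page and the public Log4j and JDK release notes; the DualShield inputs at the bottom are constructed to mirror the versions listed here, and the exact build strings (2.14.0, 8u203 written as 1.8.0_203) and the -Xmx2g option are assumptions.

```python
"""Exposure check for CVE-2021-44228 from three facts an administrator can read
off a host: bundled Log4j 2 version, JRE version, JVM options.  Added example,
not DualShield's or Apache's code."""
import re
import shlex

# Affected Log4j 2 range as stated on this page: 2.0 through 2.14.1.
AFFECTED_MAX = (2, 14, 1)
# -Dlog4j2.formatMsgNoLookups=true is only honoured by Log4j 2.10 and later.
FLAG_MIN_VERSION = (2, 10)
# JDK 8u121 defaulted com.sun.jndi.ldap.object.trustURLCodebase to false, which
# blocks loading a class from a remote LDAP codebase but not deserialization or
# other gadget classes already on the classpath, so it narrows the exploit
# rather than removing it.
REMOTE_CODEBASE_BLOCKED = (8, 121)
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_log4j_version(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def parse_java_version(version):
    """Return (feature release, update) so that 8u203 and 11.0.13 compare sensibly.

    '1.8.0_203' -> (8, 203); '11.0.13' -> (11, 0).
    """
    m = re.match(r"1\.(\d+)\.\d+_(\d+)", version)
    if m:
        return (int(m.group(1)), int(m.group(2)))
    m = re.match(r"(\d+)\.(\d+)", version)
    if m:
        return (int(m.group(1)), 0)
    raise ValueError(f"unrecognised Java version: {version!r}")


def log4j2_affected(version):
    """True for any Log4j 2 release up to and including 2.14.1; Log4j 1.x is not affected."""
    v = parse_log4j_version(version)
    return v[0] == 2 and v <= AFFECTED_MAX


def flag_present(java_opts):
    """True if the exact mitigation token appears among the JVM options (value case-insensitive)."""
    return any(tok.lower() == MITIGATION_FLAG.lower() for tok in shlex.split(java_opts))


def assess(log4j_version, java_version, java_opts=""):
    """Classify a host: 'not_affected', 'mitigated', 'partial' or 'vulnerable'."""
    if not log4j2_affected(log4j_version):
        return "not_affected"
    if flag_present(java_opts) and parse_log4j_version(log4j_version)[:2] >= FLAG_MIN_VERSION:
        return "mitigated"
    if parse_java_version(java_version) >= REMOTE_CODEBASE_BLOCKED:
        return "partial"      # remote codebase blocked, local gadget chains still possible
    return "vulnerable"


if __name__ == "__main__":
    # Constructed inputs mirroring the DualShield versions this page lists;
    # the exact build strings and the -Xmx2g option are assumptions.
    hosts = [
        ("DualShield 6.3 (Log4j 1.x)", "1.2.17", "1.8.0_203", ""),
        ("DualShield 6.4 as shipped", "2.14.0", "1.8.0_203", "-Xmx2g"),
        ("DualShield 6.4 with flag", "2.14.0", "1.8.0_203", "-Xmx2g " + MITIGATION_FLAG),
        ("Log4j 2.14 on JRE 8u112", "2.14.0", "1.8.0_112", ""),
    ]
    for name, l4j, jre, opts in hosts:
        print(f"{name:28} log4j={l4j:7} jre={jre:10} -> {assess(l4j, jre, opts)}")
```

The "partial" verdict is the one to watch for: it is exactly the state of a DualShield 6.4 host that relies on JRE 8u203 alone, and the flag (or the forthcoming update) moves it to "mitigated". The check deliberately requires the exact token rather than a substring match, so a misspelt or misquoted option is reported as missing.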


Actions taken by the DualShield team

To ensure that DualShield is entirely free from this vulnerability, we will shortly release an update of DualShield built against the latest Log4j release.

(Note: we did release an update, DualShield 6.4.20.1212, on December 12. Unfortunately, it was discovered today that it has a compatibility issue with the DualShield IIS Agent, so it was taken offline. We will produce a new update as soon as possible.)
