A newly revealed vulnerability impacting Apache Log4j 2 versions 2.0 to 2.14.1 was disclosed on GitHub on 9 December 2021 and registered as CVE-2021-44228 with the highest severity rating.
Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. By exploiting this vulnerability, a remote attacker could take control of the affected system.
Chrometa is aware of this vulnerability, has completed its verification, and has concluded that the only product in which we use Java is the Chrometa Windows tracker, which does not use the log4j library and is therefore not affected by this vulnerability.
For customers who use the log4j library with other Java applications, here are some proactive measures they can take to reduce the risk posed by CVE-2021-44228:
- Upgrade to Apache log4j-2.1.50.rc2, as all prior 2.x versions are vulnerable.
- For Log4j version 2.10.0 or later, block JNDI from making requests to untrusted servers by setting the configuration value log4j2.formatMsgNoLookups to “TRUE”, which prevents LDAP and other lookup queries.
- Set both com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to “FALSE” to prevent remote code execution attacks in Java 8u121.
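As a practical check to go with the measures above, here is an added Python example (not Chrometa's code) that inspects a log4j-core jar: it reads the Implementation-Version from the manifest, tests it against the 2.0 to 2.14.1 range named in the advisory, and also looks for the JndiLookup class, whose presence is assumed here as the indicator that JNDI message lookups are still available. The sample jar it builds is a constructed stand-in, not a real Log4j artifact.

```python
"""Check a log4j-core jar against CVE-2021-44228 (added example, not Chrometa's code)."""
import io
import zipfile

# Assumption: this class implements the JNDI lookup that the advisory's mitigations disable.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Affected range stated in the advisory: 2.0 through 2.14.1.
VULNERABLE_MIN = (2, 0, 0)
VULNERABLE_MAX = (2, 14, 1)

def parse_version(text):
    """Turn '2.14.1' or '2.15.0-rc2' into a comparable (major, minor, patch) tuple."""
    core = text.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def version_in_affected_range(version):
    """True when the version falls inside the advisory's vulnerable range."""
    return VULNERABLE_MIN <= parse_version(version) <= VULNERABLE_MAX

def manifest_version(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        data = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def assess_jar(jar_bytes):
    """Return version, JndiLookup presence and an overall verdict for a jar's bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        version = manifest_version(zf)
        has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    affected = version is not None and version_in_affected_range(version)
    # Only vulnerable if the version is affected AND the lookup class is still shipped.
    return {"version": version, "jndi_lookup_present": has_jndi,
            "vulnerable": affected and has_jndi}

def build_sample_jar(version, include_jndi=True):
    """Constructed stand-in jar for offline testing; not a real log4j artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()
```

To scan a real deployment, pass the bytes of each log4j-core jar found on the classpath to assess_jar and treat any "vulnerable" result as a jar that still needs the upgrade or the property-based mitigations above.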