Jonny Tennyson | Head of Customer Success
December 15, 2021

IriusRisk Unaffected by Log4j

To All IriusRisk Clients and Users

IriusRisk versions 2.x through 4.x are NOT affected by CVE-2021-44228.

In light of the critical vulnerability disclosed on Friday, the 10th of December, in the Java® library Log4j2, we would like to communicate the actions we have taken to ensure the safety of the users of our application. Following the news of this critical vulnerability, the team at IriusRisk immediately prioritized an investigation into whether our application and/or our users were at any risk.

On Friday and over the weekend that followed, the team investigated and tested our application to confirm that this exploit could not affect our users or our application.

After deep investigation, we have concluded that IriusRisk is not affected by CVE-2021-44228, the recent Remote Code Execution vulnerability reported in Log4j.

The primary reason IriusRisk is unaffected is that the vulnerability lies in Log4j2 versions 2.0-beta9 through 2.14.1, a library IriusRisk does not use.

IriusRisk does not use Log4j at all for logging. We use slf4j (version 1.7.26), which relies on logback version 1.1.11; logback is not affected by this vulnerability. JndiLookup, the class involved in the vulnerability, is not present anywhere on the deployed classpath of any version of IriusRisk.
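The classpath check described above can be reproduced by anyone verifying their own deployment. The following is an added example, not IriusRisk's tooling: it walks a deployment directory, opens every jar/war/ear (recursing into nested jars), flags any archive that contains the JndiLookup class, and separately flags log4j-core jars whose filename version falls in the 2.0-beta9 to 2.14.1 range. The filename-based version parsing is a heuristic assumption, and the sample deployment is constructed in a temporary directory purely for demonstration.

```python
import io, os, re, tempfile, zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class abused by CVE-2021-44228
CORE_NAME = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?\.jar$")  # jar naming

def version_affected(major, minor, patch, beta):
    """True when a log4j-core version lies in the advisory's range 2.0-beta9 .. 2.14.1."""
    if major != 2:
        return False
    if beta is not None:                      # 2.0-beta9 and later 2.0 betas
        return minor == 0 and beta >= 9
    return (minor, patch) <= (14, 1)

def scan_archive(data, name, report, depth=0):
    """Flag affected log4j-core names and JndiLookup.class; recurse into nested jars."""
    m = CORE_NAME.search(name)
    if m:
        major, minor, patch, beta = (int(g) if g else None for g in m.groups())
        if version_affected(major, minor, patch or 0, beta):
            report["affected_core"].append(name)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                                # not a zip: nothing to inspect
    for entry in zf.namelist():
        if entry == JNDI_LOOKUP:
            report["jndi_lookup"].append(name)
        elif entry.endswith((".jar", ".war", ".ear")) and depth < 3:
            scan_archive(zf.read(entry), f"{name}!{entry}", report, depth + 1)

def scan_classpath(root):
    report = {"jndi_lookup": [], "affected_core": []}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as f:
                    scan_archive(f.read(), path, report)
    return report

def build_sample_deployment():
    root = tempfile.mkdtemp(prefix="cp-scan-")   # constructed sample tree, not a real deployment
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:       # a log4j-core 2.14.1 jar nested inside a war
        z.writestr(JNDI_LOOKUP, b"")             # stand-in for the real class bytes
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "logback-classic-1.1.11.jar"), "w") as z:
        z.writestr("ch/qos/logback/classic/Logger.class", b"")  # clean logback jar
    return root
```

Run `scan_classpath` against a real deployment root; an empty `jndi_lookup` list with an empty `affected_core` list is the outcome the advisory describes for IriusRisk, while a hit inside a nested `war!...jar` name shows why a top-level directory listing alone is not enough.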

Based on the additional information provided on the slf4j Log4Shell information page [1], some questions might arise:

  • Is JMSAppender enabled? No. IriusRisk does not use the JMSAppender class from Log4j, as it uses logback instead.
  • Are logback configuration files protected? This question is relevant because logback can also be exploited if an attacker has access to the logback.xml file. The answer is yes: logback configuration files are protected and are only accessible to someone with full access to the server running IriusRisk and to the Docker containers on it.

For further information and commentary around slf4j, please refer to the following references:

Java is a registered trademark of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.