EIQ-2021-0016

ID	EIQ-2021-0016
CVE	CVE-2021-44228
Description	Superseded by EIQ-2021-0016-2. Log4j versions earlier than 2.15 have a remote code execution vulnerability.
Date	10 December 2021 Updated 14 December 2021
Severity	See EIQ-2021-0016-2
CVSSv3 score	10.0
Status	See EIQ-2021-0016-2
Assessment	Warning 11 December 2021: Superseded by EIQ-2021-0016-2. Mitigations described here are no longer relevant. This is a developing situation. For updated advice, see EIQ-2021-0016-2. Log4j versions earlier than 2.15 are vulnerable to CVE-2021-44228 where log formatting can be exploited to retrieve arbitrary data from a malicious LDAP server through JDNI (Java Naming and Directory Interface), and can result in remote code execution. This exploit is mitigated in versions of the Intelligence Center listed below, by bundling versions of the JDK that block the exploit: Intelligence Center release Status Bundled JDK 2.11.0 Safe 1.8.0_312-b07 2.10.3 Safe 1.8.0_312-b07 2.10.2 Safe 1.8.0_302-b08 2.10.1 Safe 1.8.0_302-b08 2.10.0 Safe 1.8.0_292-b10 2.9.3 Safe 1.8.0_282-b08 2.9.2 Safe 1.8.0_282-b08 2.9.1 Safe 1.8.0_282-b08 2.9.0 Safe 1.8.0_275-b01 Your system is still vulnerable if it runs these versions of JDK (Java Development Kit): 6u211 and earlier 7u201 and earlier 8u191 and earlier 11.0.1 and earlier More information: CVE-2021-44228 Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package Apache Log4j Security Vulnerabilities
Mitigation	-
Affected versions	2.11.x – 2.9.x
Notes	N/A