Published: 17:00 CET 13/12/2021
Latest update: 09:30 CET 03/01/2022
Log4j is a popular logging component used within most of Java software packages. This current security exposure poses a credible risk to many organizations, as certain exploit code may offer the opportunity for unwanted Remote Code Execution (RCE).
This security bug is widely referred to as “Log4shell”. It was identified on December 9th and categorized as a severe zero-day vulnerability (a documented security bug without a patch) in Log4j. The issue is caused by a weakness in the Log4j library, which allows an unsolicited action on the system. Apache has given the denotation CVE-2021-44228 to this security bug, referring to an “unauthenticated Remote Code Execution” (RCE).
Your IT team must determine if you have any direct or indirect dependencies to Log4j versions between 2.0-beta9 and 2.16.0.
If you are using an exploited version of Log4j (2.0-beta9 to 2.16.0) and using a JAVA version earlier than version 11:
We have analyzed all TECHNIA Software offerings and, according to presently available information, we do not believe our products are vulnerable to Log4shell exploitation. We will, however, continue to actively monitor and analyze the situation as new information becomes available.
Should you have any specific inquiries about this topic, please contact us at [email protected] | Updates will be posted to this page as additional information becomes available.
Dassault Systèmes has recently released a statement regarding the Apache Log4j Security Exposure: