Mitigation for CVE-2021-44228 - critical vulnerability in log4j

What is CVE-2021-44228 ("Log4Shell")?

In December 2021, a critical security vulnerability, CVE-2021-44228, in the open-source Java logging library log4j was identified and published. The vulnerability can allow arbitrary code execution, and several software providers as well as the BSI have reported that it is being actively exploited. For detailed, up-to-date information, please see the BSI log4j press statement as well as the BSI publication on detection and reaction.

Is LUY affected by log4Shell?

Our investigations have found that our latest LUY versions 7.2.0, 7.2.1, 7.2.2 and 7.3.0 use log4j versions that are affected by the CVE-2021-44228 vulnerability.

Update on CVE-2021-45046 (15.12.2021):

As stated by apache.org, in some cases the mitigation of enabling formatMsgNoLookups is not sufficient (known as CVE-2021-45046). This is the case for some logging configurations that use a non-default pattern layout. According to our investigations, LUY does not use those logging patterns by default, so no additional mitigation measures are necessary apart from those described below.

Update on CVE-2021-45105 (20.12.2021):

As stated by apache.org, other cases were found in which the mitigation of enabling formatMsgNoLookups is not sufficient (known as CVE-2021-45105). This is the case for some logging configurations that use a non-default pattern layout. According to our investigations, LUY does not use those logging patterns by default, so no additional mitigation measures are necessary apart from those described below.

Update on CVE-2021-44832 (29.12.2021):

As stated by apache.org, other cases were found in which the mitigation of enabling formatMsgNoLookups is not sufficient (known as CVE-2021-44832). This is the case for some logging configurations that use a JDBC appender. According to our investigations, LUY does not use those JDBC appenders by default, so no additional mitigation measures are necessary apart from those described below.
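The three updates above all turn on the same question: whether a deployment's own logging configuration contains one of the cases in which the formatMsgNoLookups setting alone is not enough. The following Python script is an added example (not LUY's or Apache's code; the two log4j2 XML fragments are constructed samples) that checks a log4j2 configuration for lookups or Thread Context Map patterns in PatternLayout elements and for JDBC appenders, so a customer running a customised configuration can tell whether the interim setting applies to them or whether only the upgrade to the hotfix version does.

```python
"""Check a log4j2 XML configuration for the cases where formatMsgNoLookups
alone is not sufficient (CVE-2021-45046/-45105: lookups in non-default
pattern layouts; CVE-2021-44832: JDBC appenders). Added example, not LUY code."""
import re
import xml.etree.ElementTree as ET

# ${...} lookups (e.g. ${ctx:loginId}) and Thread Context Map patterns
# (%X, %mdc, %MDC), the cases named in Apache's CVE-2021-45046 description.
RISKY_PATTERN_RE = re.compile(r"\$\{[^}]*\}|%(?:X|mdc|MDC)\b")

def _local(tag):
    """Element name without namespace prefix, lower-cased (log4j ignores case)."""
    return tag.split("}")[-1].lower()

def _layout_pattern(elem):
    """The pattern may be an attribute or a <Pattern> child element."""
    if elem.get("pattern") is not None:
        return elem.get("pattern")
    return next((c.text or "" for c in elem if _local(c.tag) == "pattern"), "")

def find_risky_config(xml_text):
    """Return pattern layouts containing lookups and JDBC appender names."""
    root = ET.fromstring(xml_text)
    lookups, jdbc = [], []
    for elem in root.iter():
        if _local(elem.tag) == "patternlayout":
            pattern = _layout_pattern(elem)
            if RISKY_PATTERN_RE.search(pattern):
                lookups.append(pattern)
        elif _local(elem.tag) == "jdbc":
            jdbc.append(elem.get("name", "<unnamed>"))
    return {"pattern_lookups": lookups, "jdbc_appenders": jdbc}

def mitigation_sufficient(xml_text):
    """True only if neither case is present; otherwise only upgrading helps."""
    found = find_risky_config(xml_text)
    return not (found["pattern_lookups"] or found["jdbc_appenders"])

# Constructed sample configurations (not LUY's real log4j2.xml).
DEFAULT_STYLE_CONFIG = """<Configuration><Appenders>
  <Console name="stdout"><PatternLayout pattern="%d{ISO8601} %-5p [%t] %c - %m%n"/></Console>
</Appenders></Configuration>"""
CUSTOM_CONFIG = """<Configuration><Appenders>
  <Console name="stdout"><PatternLayout pattern="%d %p user=${ctx:loginId} %m%n"/></Console>
  <JDBC name="auditDb" tableName="audit_log"/>
</Appenders></Configuration>"""

if __name__ == "__main__":
    for name, cfg in (("default-style", DEFAULT_STYLE_CONFIG), ("custom", CUSTOM_CONFIG)):
        print(name, find_risky_config(cfg), "interim setting sufficient:", mitigation_sufficient(cfg))
```

Point the script at your deployment's actual log4j2 configuration file; a non-empty result means the interim setting is not a valid measure for that instance and the hotfix upgrade is the only mitigation.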

Mitigation measures

For SaaS customers, no mitigation is necessary as we already upgraded their instances to the latest hotfix version (see release notes).

In case of any questions, please contact our LUY service desk.

Change log

Please note that the information situation is highly dynamic. We will continue to update this article as new relevant information becomes available.

Date / Change to the Troubleshooting article

- Troubleshooting article initially published.
- Added description of Tomcat on Windows mitigation and new information on CVE-2021-45046.
- Information update on CVE-2021-45105 and BSI detection and reaction article.
- Information update about released hotfix versions, which include the latest log4j version 2.17.0.
- Information update on CVE-2021-44832.
