ePolicy Orchestrator Sustaining Statement (SSC2112291) - Response to Log4j vulnerability CVE-2021-44832

Technical Articles ID: KB95123
Last Modified: 2021-12-29 20:34:38 Etc/GMT

Environment

ePolicy Orchestrator (ePO) 5.10

Summary

This statement addresses concerns about ePO and the Log4j vulnerability documented in CVE-2021-44832.

MITRE CVE-2021-44832

CVE-2021-44832
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI.

Research and Conclusions
No version of ePO implements the JDBC Appender. So, ePO isn’t vulnerable to CVE-2021-44832. But, we'll increment our Log4j library to version 2.17.1 or later in a future update.

Affected Products

ePolicy Orchestrator 5.10.x

Languages:

This article is available in the following languages:

Knowledge Center

ePolicy Orchestrator Sustaining Statement (SSC2112291) - Response to Log4j vulnerability CVE-2021-44832

Environment

Summary

Affected Products

Languages:

Title

Title

Knowledge Center

ePolicy Orchestrator Sustaining Statement (SSC2112291) - Response to Log4j vulnerability CVE-2021-44832

Environment

Summary

Affected Products

Languages:

Choose your region

Title

Title