Overview
This document addresses concerns about ePolicy Orchestrator (ePO) and the latest Apache Log4J vulnerability. This report reflects questions about CVE-2019-17571.
Description
CVE-2019-17571
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data. When the class is used to listen to untrusted network traffic for log data, this can be exploited to remotely execute arbitrary code if combined with a deserialization gadget. This issue affects Log4j versions 1.2 up to 1.2.17.
Research and Conclusions
The ePO engineering team has reviewed this CVE. It has been determined that ePO 5.10 Update 10 and earlier use Log4J version 1.2.17 as the log provider, and hence include the vulnerable code. However, the way ePO configures and uses Log4J means the issue is not exploitable: ePO does not use a network logging appender or receiver that listens for network traffic to log the data. Rather, our implementation only writes to a file on the local system.
We have upgraded Log4J to version 2.14 in ePO 5.10 Update 11.
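The distinction drawn above (a listening Log4j 1.2 receiver versus a local file appender) is what decides exposure to CVE-2019-17571 on any Log4j 1.2 deployment, so the following added example, which is not the advisory's or ePO's own code, checks a directory for Log4j 1.x jars and for configuration or launch scripts that reference the receiver classes. The sample configuration and launcher it builds are constructed for the demonstration, as are the file paths and port number.

```shell
#!/bin/sh
# Added defender-side check; not the advisory's or ePO's own code. Given a directory, it
# lists Log4j 1.x jars (name-based) and reports any config or launch script referencing
# the Log4j 1.2 network receiver classes (SocketServer, SimpleSocketServer, SocketNode),
# the deserialization sink behind CVE-2019-17571. A file-appender-only setup, like the
# one the advisory describes for ePO, yields no receiver finding.

# Print Log4j 1.x jars below $1 (filename-based; version is taken from the jar name).
find_log4j1_jars() {
    find "$1" -type f -name 'log4j-1.2*.jar'
}

# Print "file:line:text" for every reference to a listening receiver class.
find_receiver_refs() {
    find "$1" -type f \( -name '*.properties' -o -name '*.xml' -o -name '*.sh' -o -name '*.conf' \) \
        -exec grep -nE 'org\.apache\.log4j\.net\.(SocketServer|SimpleSocketServer|SocketNode)' /dev/null {} +
}

# Verdict for one directory: 0 = no network receiver referenced, 1 = exposed.
check_dir() {
    if [ -n "$(find_receiver_refs "$1")" ]; then
        echo "EXPOSED: Log4j 1.2 network receiver referenced under $1"
        return 1
    fi
    echo "OK: no Log4j 1.2 network receiver referenced under $1 (file logging only)"
    return 0
}

# Build two constructed sample trees (safe and exposed) and print the base path.
make_samples() {
    base=$(mktemp -d)
    mkdir -p "$base/safe/conf" "$base/exposed/conf" "$base/exposed/lib"
    # Safe: a local file appender only, the pattern the advisory describes for ePO.
    printf '%s\n' 'log4j.rootLogger=INFO, file' \
        'log4j.appender.file=org.apache.log4j.RollingFileAppender' \
        'log4j.appender.file.File=/var/log/app/server.log' \
        'log4j.appender.file.layout=org.apache.log4j.PatternLayout' > "$base/safe/conf/log4j.properties"
    # Exposed: a launcher that starts the Log4j 1.2 receiver on a listening port (constructed).
    cp "$base/safe/conf/log4j.properties" "$base/exposed/conf/log4j-server.properties"
    printf '%s\n' '#!/bin/sh' \
        'exec java -cp lib/log4j-1.2.17.jar org.apache.log4j.net.SimpleSocketServer 4560 conf/log4j-server.properties' \
        > "$base/exposed/run-logserver.sh"
    : > "$base/exposed/lib/log4j-1.2.17.jar"   # constructed placeholder jar, empty file
    echo "$base"
}
```

Run `check_dir` against a real installation root; a jar hit without any receiver reference matches the advisory's "vulnerable code present, not exploitable" situation, and the fix is still to move to a supported Log4j version.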