1. Summary
Last Thursday, 09-12-2021, CVE-2021-44228 was disclosed concerning Apache Log4j. Our analysis of the Blueriq platform from version 11.0 and higher has concluded that the Blueriq platform as delivered by the products department is not affected by this vulnerability. The same holds for the Blueriq Publisher 4 and 5 and the Blueriq Model Analyzer 3.
The Blueriq platform uses Logback as its logging framework instead of Log4j and only depends on the log4j-api and log4j-to-slf4j libraries. Neither of these libraries is affected, but they share the same version scheme as the affected log4j-core library, so version numbers alone do not indicate exposure.
This does not mean that customer projects cannot be affected. The log4j-core library may be added as part of custom code or may be used in separate (custom) services. For that reason we strongly recommend that all projects check their own implementation.
2. Vulnerability description
This security alert addresses CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. The vulnerability is exploitable over a network without authentication and may give an attacker full control over the server.
Due to the severity of this vulnerability and how easy it is to exploit, it received a Common Vulnerability Scoring System (CVSS) score of 10.0 and is labelled critical by multiple parties.
All Log4j versions from 2.0 up to and including 2.14.1 are affected. For more information and mitigation measures please check:
https://logging.apache.org/log4j/2.x/security.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
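To support the recommendation in the summary that projects check their own implementation, the following added example (not Blueriq's or Apache's code) scans jar and war files for the Maven pom.properties that Log4j artifacts carry, reports log4j-api and log4j-to-slf4j as not affected, and flags log4j-core in the 2.0 to 2.14.1 range stated above. It assumes Maven-built artifacts that still contain META-INF/maven/org.apache.logging.log4j/<artifactId>/pom.properties (shaded or repackaged jars may lack it and need a separate check), and the sample WAR it scans is constructed inline.

```python
import io
import zipfile

# Advisory range: log4j-core 2.0 up to and including 2.14.1 (assumption: a "-beta9"-style suffix is dropped).
AFFECTED_MIN, AFFECTED_MAX = (2, 0), (2, 14, 1)
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/"

def parse_version(version):
    """'2.14.1' -> (2, 14, 1); anything after a '-' is ignored."""
    return tuple(int(p) for p in version.split("-")[0].split(".") if p.isdigit())

def parse_pom_properties(text):
    """Return (artifactId, version) from a Maven pom.properties file; '#' comment lines are skipped."""
    props = dict(line.split("=", 1) for line in text.splitlines() if "=" in line and not line.startswith("#"))
    return props.get("artifactId", "").strip(), props.get("version", "").strip()

def is_affected(artifact, version):
    """Only log4j-core is affected; log4j-api and log4j-to-slf4j share the version scheme but are not."""
    return artifact == "log4j-core" and AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def scan_jar(source):
    """(artifactId, version, affected) per Log4j artifact in a jar/war path or file-like; recurses into nested jars."""
    findings = []
    with zipfile.ZipFile(source) as archive:
        for name in archive.namelist():
            if name.startswith(POM_PREFIX) and name.endswith("/pom.properties"):
                artifact, version = parse_pom_properties(archive.read(name).decode("utf-8", "replace"))
                findings.append((artifact, version, is_affected(artifact, version)))
            elif name.endswith(".jar"):  # e.g. WEB-INF/lib/*.jar inside a WAR
                findings.extend(scan_jar(io.BytesIO(archive.read(name))))
    return findings

def constructed_sample_war():
    """Constructed in-memory WAR bundling log4j-api, log4j-to-slf4j and log4j-core, all at 2.14.1."""
    def jar_with_pom(artifact, version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(f"{POM_PREFIX}{artifact}/pom.properties",
                       f"groupId=org.apache.logging.log4j\nartifactId={artifact}\nversion={version}\n")
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        for artifact in ("log4j-api", "log4j-to-slf4j", "log4j-core"):
            z.writestr(f"WEB-INF/lib/{artifact}-2.14.1.jar", jar_with_pom(artifact, "2.14.1"))
    return war

if __name__ == "__main__":
    for artifact, version, affected in scan_jar(constructed_sample_war()):
        print(f"{artifact} {version}: {'AFFECTED' if affected else 'not affected'}")
```

To check a real deployment, call scan_jar on each .jar or .war path found under the application's lib directories and treat any affected finding as a trigger to upgrade or remove log4j-core.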