December 15th, 2021

Informational update on security vulnerability ‘Log4j2’ CVE-2021-44228

Issued: December 14th, 2021.

In light of the recently discovered Apache Log4j2 “CVE-2021-44228” vulnerability, Cashbook has made every effort to investigate the potential risk to our clients via our Cashbook Application.

The Cashbook application does use Log4j, but not the version concerned. The 0-day vulnerability affects only Log4j v2.x; Cashbook uses an earlier version that does not support the feature used as the means of attack.

We would also like to highlight that exploiting a vulnerability of this kind depends on first gaining direct access to the Cashbook application.

Apache Log4j2 “CVE-2021-44228” vulnerability:

  • The above vulnerability affects only versions 2 to 2.14.1 of Log4j. Cashbook applications do not use any version of Log4j in this range.
  • The attack vector for this vulnerability is injection of a JNDI lookup into a log message or message properties:
    • This JNDI lookup is not supported in any version of Log4j that Cashbook uses.
    • Cashbook log messages are predefined within the application and are not directly accessible for manipulation.
    • Log messaging properties are stored with the application and are not accessible unless the server/PC has already been compromised.
  • The vulnerability can only be exploited if an attacker has direct access to the application.
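The version claim above can be verified on a deployment by listing the Log4j jars present and testing each one's version against the affected range stated in this advisory. The following Python is an added example, not Cashbook's code; it assumes the version is declared in the jar manifest's Implementation-Version attribute or in a log4j-*-X.Y.Z.jar file name, and the sample jar it builds is a constructed fixture.

```python
import io
import re
import zipfile
from pathlib import Path

# Affected range as stated in the advisory: Log4j 2 up to and including 2.14.1.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)


def parse_version(text):
    """Return (major, minor, patch) from a string such as '2.14.1' or '1.2.17', or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True only when the version lies inside the advisory's affected range."""
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def jar_version(jar):
    """Version from the manifest's Implementation-Version, else from a log4j-*-X.Y.Z.jar name."""
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: fall back to the file name
    name = getattr(jar, "name", str(jar))
    m = re.search(r"log4j(?:-core|-api)?-(\d+\.\d+(?:\.\d+)?)\.jar$", Path(name).name)
    return m.group(1) if m else None


def scan(root):
    """Map each log4j*.jar under root to (version, affected); affected is None if unknown."""
    results = {}
    for jar in Path(root).rglob("log4j*.jar"):
        v = jar_version(jar)
        results[str(jar)] = (v, is_affected(v) if v else None)
    return results


def build_sample_jar(version):
    """Constructed in-memory jar declaring the given version (test fixture, not a real Log4j jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    buf.seek(0)
    return buf
```

A 1.x result is reported as not affected because it is outside the range this advisory names, not because 1.x is free of other issues.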

In summary, the risk to Cashbook customers at this point in time is negligible. As this situation progresses, we will keep you abreast of any new updates that may affect users regarding the Apache Log4j2 “CVE-2021-44228” vulnerability.
