How to mitigate the vulnerabilities related to the Apache Log4j library?
This article follows up on the vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832, which were discovered in Apache Log4j and may allow attacks such as remote code execution or denial of service.
OPSWAT Central Management (OCM) uses the Apache Log4j library as one of its dependencies. Out of an abundance of caution, we recommend that customers upgrade OCM to version 7.21 or later to mitigate these vulnerabilities.
In a previous version of this article, we recommended setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for OPSWAT Central Management version 7.20 or earlier. Note that the Apache Log4j team has since discredited this measure because it does not sufficiently cover all attack vectors.
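To verify which Log4j 2 builds are actually present under an installation (and whether the withdrawn environment-variable workaround is still being relied on), the following inventory script is an added example and is not OPSWAT code. It assumes the jars are named log4j-core-<version>.jar, treats 2.17.1 as the first 2.x release that carries fixes for all four CVEs (with the 2.3.2 and 2.12.4 backports for older Java as exceptions), and the jars it scans in sample_audit() are constructed in a temporary directory.

```python
import os, re, tempfile, zipfile

FIXED = (2, 17, 1)                         # first 2.x release free of all four CVEs
BACKPORT_FIXED = {(2, 3, 2), (2, 12, 4)}   # Java 6/7 backports carrying the same fixes
ENV_VAR = "LOG4J_FORMAT_MSG_NO_LOOKUPS"    # the workaround this article withdraws

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def jar_version(path):
    """Implementation-Version from the jar manifest, else from the file name."""
    try:
        with zipfile.ZipFile(path) as z:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                return line.split(":", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        pass
    m = re.search(r"log4j-core-(\d[\w.]*)\.jar$", os.path.basename(path))
    return m.group(1) if m else None

def audit(root):
    """[(jar_path, version, vulnerable)] for every log4j-core jar under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                ver = jar_version(path)
                parsed = parse_version(ver or "")
                # an unknown version counts as vulnerable so that it gets looked at
                vulnerable = parsed is None or (parsed < FIXED and parsed not in BACKPORT_FIXED)
                findings.append((path, ver, vulnerable))
    return findings

def env_workaround_set():
    # True when the withdrawn env-var workaround is present; it is not a substitute for upgrading
    return os.environ.get(ENV_VAR, "").strip().lower() == "true"

def sample_audit():
    """Audit constructed jars 2.14.1, 2.12.4 and 2.17.1; returns {version: vulnerable}."""
    with tempfile.TemporaryDirectory() as root:
        for v in ("2.14.1", "2.12.4", "2.17.1"):   # constructed fixtures, not real jars
            with zipfile.ZipFile(os.path.join(root, f"log4j-core-{v}.jar"), "w") as z:
                z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {v}\n")
        return {ver: vuln for _, ver, vuln in audit(root)}
```

Point audit() at the product's installation directory to inventory a real host; any jar reported as vulnerable, or a true result from env_workaround_set(), means the upgrade described above has not yet been applied.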