How to mitigate the vulnerabilities related to the Apache Log4j library?
This article applies to all OPSWAT Central Management V7.5.0+ releases deployed on Windows or Linux systems.
The CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 vulnerabilities discovered in the Apache Log4j utility have been mitigated in OPSWAT Central Management V7.21.0 and all later releases.
Although this popular, Java-based logging utility is listed as an OPSWAT Central Management dependency, users can rest assured that the threats arising from these vulnerabilities, including remote code execution and denial of service, are sufficiently mitigated simply by upgrading to the latest version of OPSWAT Central Management (i.e. V7.21.0 or above).
In a previous version of this article, OPSWAT recommended setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for OPSWAT Central Management V7.20.0 or earlier.
Please note that this measure has since been tested and found insufficient by the Apache Log4j team, as it does not cover all attack vectors.
Instead, OPSWAT now strongly recommends that administrators update to the latest version of OPSWAT Central Management in order to benefit from state-of-the-art features, fixes and critical vulnerability mitigation measures.
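Because the environment-variable workaround above has been withdrawn, the practical question for an administrator is whether any Log4j 2 jar still present on a host predates the fixed releases, and whether the retracted variable is still being relied on. The following inventory check is an added example written for this article; it is not OPSWAT's code and it does not know the product's install path, so it scans a constructed sample tree by default. The version threshold (2.17.1, the first 2.x release addressing all four CVEs named above) and the JndiLookup class check come from Apache's own advisories, not from this article, and the 2.3.x/2.12.x backport branches are deliberately reported as unpatched to stay on the conservative side.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# First 2.x release that addresses all four CVEs named in the article
# (2.17.1 fixed CVE-2021-44832). Assumption taken from Apache's advisories,
# not from the OPSWAT article; the 2.3.x and 2.12.x backport branches are
# treated as unpatched here, which errs on the conservative side.
FIXED_VERSION = (2, 17, 1)

# Apache's interim workaround for 2.10-2.14.1 was removing this class from the
# jar, so its presence in an old jar is worth reporting alongside the version.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from the first x.y.z in text, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def version_from_jar(path):
    """Prefer Implementation-Version in META-INF/MANIFEST.MF; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                version = parse_version(line.split(":", 1)[1])
                if version:
                    return version
    except (zipfile.BadZipFile, KeyError, OSError):
        pass
    return parse_version(Path(path).name)


def has_jndi_lookup(path):
    """True if the jar still ships the JndiLookup class."""
    try:
        with zipfile.ZipFile(path) as zf:
            return JNDI_LOOKUP_CLASS in zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return False


def is_fixed(version):
    """A jar counts as fixed only when its version is known and >= FIXED_VERSION."""
    return version is not None and version >= FIXED_VERSION


def scan(root):
    """Walk root and describe every log4j-core jar found beneath it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered.startswith("log4j-core") and lowered.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = version_from_jar(path)
                findings.append({
                    "path": path,
                    "version": version,
                    "fixed": is_fixed(version),
                    "jndi_lookup_present": has_jndi_lookup(path),
                })
    return findings


def env_mitigation_note(environ=None):
    """Flag the retracted LOG4J_FORMAT_MSG_NO_LOOKUPS workaround if it is still relied on."""
    environ = os.environ if environ is None else environ
    if environ.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().lower() == "true":
        return ("LOG4J_FORMAT_MSG_NO_LOOKUPS=true is set; Apache considers this "
                "insufficient, so upgrade the product rather than rely on it")
    return None


def build_sample_tree():
    """Constructed fixture: one old and one fixed jar in a temp dir (not real product files)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    old = os.path.join(root, "log4j-core-2.14.1.jar")
    with zipfile.ZipFile(old, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"")  # empty stand-in for the class file
    os.makedirs(os.path.join(root, "lib"))
    new = os.path.join(root, "lib", "log4j-core-2.17.1.jar")
    with zipfile.ZipFile(new, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.17.1\n")
    return root, old, new


if __name__ == "__main__":
    # On a real host, replace the sample tree with the product's install
    # directory (a path this example does not assume).
    root, _, _ = build_sample_tree()
    for finding in scan(root):
        status = "OK" if finding["fixed"] else "UPGRADE"
        print(f"{status:8} {finding['version']} jndi_lookup={finding['jndi_lookup_present']} {finding['path']}")
    note = env_mitigation_note()
    if note:
        print(note)
```

The manifest is consulted before the file name because repackaged or renamed jars are common in vendor bundles; a jar whose version cannot be determined at all is reported as not fixed rather than silently skipped, which is the safer default for an inventory run.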
If you have further queries, concerns or issues regarding mitigating vulnerabilities related to the Apache Log4j library, please open a Support Case with the OPSWAT team via phone, online chat or form, or feel free to ask the community on our OPSWAT Expert Forum.