InTime

Plunify Security Statement: CVE-2021-44228 Apache Log4j Vulnerability

7756 views December 16, 2021 December 16, 2021 pohheng 0

Description:

Plunify is actively following the security vulnerability in the open-source Apache “Log4j 2" utility as described in CVE-2021-44228. The Apache Log4j 2 utility is a commonly used component for logging requests.
On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j 2 version 2.14.1 or below to be compromised and allow an attacker to execute arbitrary code.

Based on an analysis conducted to date, the vulnerability risk for Plunify customers is believed to be very low as the affected code is not used at all.

Solution:

1.InTime

InTime tool currently ships with two unused JAR files, namely log4j-api-2.9.1.jar and log4j-core-2.9.1.jar.

These are found in <InTime installation directory>/agent/lib/ . These two JAR files can be safely deleted without any issue. Root or administrative rights is required to remove these two JAR files. These files will not be packaged in future InTime releases.

2. FPGA Expansion Pack (FEP)

The FEP tool currently ships with two unused JAR files, namely log4j-api-2.9.1.jar and log4j-core-2.9.1.jar.

These are found in <FEP installation directory>/agent/lib/ . These two JAR files can be safely deleted without any issue. Root or administrative rights is required to remove these two JAR files. These files will not be packaged in future FEP releases.

Applies to:

  • Linux Operating System
  • Windows Operating System

Knowledge Base ID: 202112161 - Last Review: Dec 16 2021 - Revision: 1.0