This article explains the details of Log4j / CVE-2021-44228 and how it relates to Login Enterprise.
Issue:
Apache Log4j is a Java logging framework that is widely used in commercial and open-source software products. CVE-2021-44228 is a remote code execution (RCE) vulnerability that can be exploited without authentication. The vulnerability's criticality is rated as 10 (out of 10) in the Common Vulnerability Scoring System (CVSS).
Status: Answered
LoginVSI is aware of this vulnerability, has completed its investigation, and determined that we do not use Java or the log4j library in any of our products. Therefore, we remain unaffected by the Log4j / CVE-2021-44228 vulnerability. We thoroughly checked our code and third-party tools.
Official statements from the third-party tools used by Login Enterprise were also checked:
RabbitMQ: https://github.com/rabbitmq/rabbitmq-server/discussions/3886?sort=top#discussioncomment-1795896
Portainer: https://www.reddit.com/r/portainer/comments/rdqqsq/log4j_cve202144228/
HAProxy: https://www.loadbalancer.org/blog/log4j-vulnerability/
Postgres: https://www.postgresql.org/about/news/postgresql-jdbc-and-the-log4j-cve-2371/