View Source

December 12, 2021

A high severity vulnerability (CVE-2021-44228, CVSSv3 10.0) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly on December 9, 2021. The vulnerability allows for unauthenticated remote code execution (RCE). This vulnerability exists in Apache Log4j 2 versions 2.0 to 2.14.1. According to the developer, version 1.x of Log4j is not susceptible to this vulnerability.

Generally speaking, DualShield is not susceptible to this vulnerability.

1. DualShield 5.x includes Log4j 1.x which is not susceptible to this vulnerability

2. DualShield 6.1, 6.2, 6.3 includes the Log4j 2.14 file but does not use it.

3. DualShield 6.4 adds a new but optional module called Certificate Server. Log4j 2.14 is included and used in the Certificate Server. However, DualShield 6.4 includes JRE 8u203 which is not susceptible to Remote Code Execution (RCE).

According to this blog post (see translation), JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load remote code using LDAP.