Critical vulnerability in Apache Log4j library  

On December 13th, 2021, the German Federal Office for Information Security published a critical vulnerability in Log4j (CVE-2021-44228) and set it to warning level 4/red.

Facts:
Log4j is a popular logging library for Java applications. It is used for high-performance aggregation of log data from an application. The blog of a service provider for IT security [LUN2021] reports on the vulnerability CVE-2021-44228 [MIT2021] in Log4j in versions 2.0 to 2.14.1, which allows attackers to execute their own program code on the target system and thus the server to compromise. This risk arises when Log4j is used to log a character string controlled by the attacker, such as the HTTP user agent.

Statement on b4:

Our b4 versions use the Log4j library version 1.2 within b4 controllers, b4 agents and b4 bots. The programming interfaces "Java Naming and Directory Interface (JNDI)" and "Java Message Service (JMS)" classified as defective in versions 1.x are not used in b4.

Although the Log4j integrated in b4 is classified as an unlikely vulnerability, we will continue to actively pursue information on this and advise our customers and partners to take advantage of the mitigation measures given by the BSI or similar institutions.

The update of b4 with a non-vulnerable Log4J version 2.x is provided with b4 V7.5 (release planned for April 2022).