Cybersecurity Concept with Virtual Padlock on Abstract Background

What is CVE-2021-44228?

On 9 December 2021 CVE-2021-44228, a zero-day vulnerability known as Log4Shell was published. The vulnerability allows for remote execution through log messages utilizing a formatted string using “${}”. This string causes a lookup that will retrieve and execute a file from a remote location. When triggered, this vulnerability can download and execute malicious code. The first proof of concept to exploit the vulnerability was published on 9 December 2021. As of today, large-scale scanning efforts for the vulnerability have already been observed in the wild. (Details)

Affected log4j versions

log4j versions 2.14.1 and below are affected by CVE-2021-44228. The behavior has been removed by default in log4j version 2.15.0.

Impact on tenfold products

The latest impact analysis by our security experts indicates that tenfold Application Server is not affected by the vulnerability.

tenfold is built on top of WildFly Application Server and uses the jboss-logmanager facility for application logging. This component does not depend on the org.apache.logging.log4j:log4j-core library and thus is not affected by CVE-2021-44228 (See official statement)

Next Steps

Our security experts will continue to observe the situation and react, if necessary. We recommend to always upgrade to the latest software version to effectively protect your environment from security incidents.

If you have any questions regarding this statement, feel free to contact us at support@tenfold-security.com