
ITMS/GSS. About Zero-Day exploit: high severity vulnerability (CVE-2021-44228, CVE-2021-45105) impacting multiple versions of the Apache Log4j 2 utility


Article ID: 230281




IT Management Suite, Ghost Solution Suite, ServiceDesk, Client Management Suite, Server Management Suite


A high severity vulnerability impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021.

This critical vulnerability in Apache Log4j, CVE-2021-44228, nicknamed ‘Log4Shell’, requires immediate attention. It was discovered in Apache Log4j 2.x versions earlier than 2.15.0.

The vulnerability could allow unauthenticated remote code execution resulting in an attacker gaining full control of an exploited server.  Apache Log4j is used by many open-source projects and commercial off-the-shelf software packages, and is potentially used within internally developed applications as well. There are widespread public scans by malicious actors actively targeting and attempting to exploit this vulnerability. 

Also applies to CVE-2021-45105


ITMS 8.5, 8.6
GSS 3.3 RU8, RU9

No validation was done against any version prior to ITMS 8.5 (or GSS 3.3) since those versions are EOL at this point:

ITMS End-of-Life (EOL) Schedule: KB 173849
GSS End-of-Life (EOL) Schedule: KB 195893


This issue has been reviewed by our Dev team. Please refer to
For the ITMS and GSS products division, see: Symantec Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability

Does ITMS/GSS use the Apache log4j library impacted by this issue?

No, the log4j library is not used in ITMS and GSS products. EPM products do not use the log4j library and are not impacted by CVE-2021-44228.

What about CVE-2021-45105?
ITMS, GSS and ServiceDesk do not use the log4j library, and hence CVE-2021-45105 is N/A (Not Applicable).

Additional Information

After the ITMS 8.5 release, Internet Gateway's dependency on Apache and OpenSSL has been removed.


CVE-2021-42550 concerns the logback library. There is also no impact on EPM products, as we do not use that library.