
CVE-2021-44228: Log4J2 Vulnerability in ProxySG


Article ID: 230358


Products

ProxySG Software - SGOS SG-S200 SG-S400 SG-S500

Issue/Introduction

Broadcom Software is investigating an Apache Log4j 2 remote code execution vulnerability that was recently reported to Apache. CVE identifier CVE-2021-44228 has been assigned to this vulnerability. This is a Critical vulnerability, and exploit code is in the wild. The Log4j team has addressed the vulnerability in Log4j 2.15.0.

Log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1

CVE-2021-44228 Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.
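As an added triage helper that is not part of this advisory, the Python below checks whether a log4j-core version string falls inside the affected range quoted above (2.0-beta9 through 2.14.1) and reads that version from the Maven pom.properties that Maven-built jars embed. The pre-release ordering (alpha < beta < rc < final release) is my assumption, chosen to match Log4j's own 2.0-betaN, 2.0-rcN, 2.0 release sequence.

```python
import io
import re
import zipfile
from typing import Optional, Tuple

# Affected range stated in the advisory: 2.0-beta9 through 2.14.1 inclusive.
# Assumption (not from the advisory): pre-release tags order alpha < beta < rc < final.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)
# Standard Maven metadata path inside a Maven-built log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta9' into a sortable tuple; a final release ranks above its pre-releases."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {v!r}")
    major, minor, patch, tag, num = m.groups()
    pre_rank, pre_num = (_FINAL_RANK, 0) if tag is None else (_PRE_RANK[tag.lower()], int(num))
    return (int(major), int(minor), int(patch or 0), pre_rank, pre_num)


AFFECTED_LOW = parse_version("2.0-beta9")
AFFECTED_HIGH = parse_version("2.14.1")


def is_affected(version: str) -> bool:
    """True if a log4j-core version lies in the CVE-2021-44228 range given in the advisory."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def log4j_core_version(jar) -> Optional[str]:
    """Return the version= value from log4j-core's pom.properties, or None if absent."""
    with zipfile.ZipFile(jar) as zf:
        if POM_PROPS not in zf.namelist():
            return None  # not log4j-core, or repackaged without Maven metadata
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def build_sample_jar(version: str) -> io.BytesIO:
    """Constructed in-memory jar carrying only the Maven metadata, for offline demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"#Generated by Maven\nversion={version}\n"
                               "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
    buf.seek(0)
    return buf
```

A real scan would walk every jar (including nested ones inside .war/.ear files) and pass each to log4j_core_version, then feed the result to is_affected.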

Environment

ProxySG platforms running SGOS

Resolution

ProxySG is NOT affected by this vulnerability

Additional Information

For more information, including the exposure of other Broadcom products to Log4j 2, please visit the Broadcom Enterprise Software Security Advisory for the Log4j 2 CVE-2021-44228 Vulnerability.