Apache log4j vulnerability (CVE-2021-44228)

Posted by: mstauber Category: General

This critical vulnerability is currently in the news. We're not affected.

On Friday I got alerted to the Apache log4j vulnerability (CVE-2021-44228) and quickly checked if and how BlueOnyx was affected.

Long story short: We're good.

BlueOnyx 5210R doesn't ship with "log4j", as we ditched Java and Tomcat.

On BlueOnyx 5209R we do have the "log4j" RPM installed. But unless you have Tomcat enabled, you're not at risk.

Next I checked the RedHat advisory pages for CVE-2021-44228:

They state this for mitigation, as outlined in the URL above.

Also, for Red Hat Enterprise Linux 6/7/8 they state: Not affected

Which isn't surprising, as the issue only pops up if there is an application that actively uses log4j, and there usually isn't one out of the box. Unless you have (for example) SOLR, JBoss, OpenShift, CodeReady Studio or something similar installed that uses the JndiLookup Java class.

In our case (on 5209R) we ship with Tomcat disabled by default and Tomcat would be the closest thing to even remotely make use of "log4j" - provided the end user installs an app or uses a Java Class that makes use of "log4j" via JndiLookup. Just Tomcat being active and running doesn't make a 5209R vulnerable. There needs to be some Java code present that provides an attack surface.

So all in all: If you're on a 5209R and are worried, then turn off Tomcat until you have had a chance to review if your Java code makes use of JndiLookup.

If you have Tomcat disabled on 5209R, then you're good anyway.
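To do that review on a 5209R, here is an added example (not code from this post or from the BlueOnyx project): a Python 3 script that walks a directory such as Tomcat's lib/ and webapps/ and reports every jar, including jars nested inside a WAR, that carries log4j-core classes, noting whether the JndiLookup class is still inside. The Tomcat paths, jar names and the constructed sample tree it builds for itself are assumptions.

```python
import io
import os
import tempfile
import zipfile
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PKG = "org/apache/logging/log4j/core/"
ARCHIVE_EXT = (".jar", ".war", ".ear")

def scan_zip(zf, label):
    """(label, has_jndi_lookup) for this archive and every nested jar/war carrying log4j-core."""
    names = zf.namelist()
    # log4j-api alone has no lookup classes, so only archives with log4j-core classes are reported
    findings = [(label, JNDI_CLASS in names)] if any(n.startswith(CORE_PKG) for n in names) else []
    for n in names:
        if n.lower().endswith(ARCHIVE_EXT):  # nested archive, e.g. WEB-INF/lib/*.jar inside a WAR
            with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                findings.extend(scan_zip(inner, f"{label}!{n}"))
    return findings

def scan_tree(root):
    """Walk a directory such as Tomcat's lib/ and webapps/ and scan every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(scan_zip(zf, os.path.relpath(path, root)))
                except zipfile.BadZipFile:
                    continue  # named like a jar but not actually a zip archive
    return sorted(findings)

def build_sample_tree():
    """Constructed sample data, not real BlueOnyx files: a full log4j-core jar plus a WAR."""
    root = tempfile.mkdtemp()
    for d in ("lib", "webapps"):
        os.makedirs(os.path.join(root, d))
    with zipfile.ZipFile(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr(JNDI_CLASS, b"")  # the lookup class is present: this jar needs attention
    stripped, api = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(stripped, "w") as zf:
        zf.writestr(CORE_PKG + "LoggerContext.class", b"")  # log4j-core with JndiLookup removed
    with zipfile.ZipFile(api, "w") as zf:
        zf.writestr("org/apache/logging/log4j/Logger.class", b"")  # log4j-api only, no core
    with zipfile.ZipFile(os.path.join(root, "webapps", "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-stripped.jar", stripped.getvalue())
        zf.writestr("WEB-INF/lib/log4j-api.jar", api.getvalue())
    return root
```

Run `scan_tree("/usr/share/tomcat")` (or wherever your 5209R keeps Tomcat's lib/ and webapps/) and any entry reported with `True` is a jar that still contains JndiLookup; entries reported with `False` carry log4j-core but not the lookup class, and log4j-api-only jars are not listed at all.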


Dec 11, 2021 Category: General Posted by: mstauber