December 13, 2021

Hi there, I'm Sebastien. In my role as Application Security Specialist, I focus on ways that we can integrate and strengthen security across all of our products. To achieve this critical objective, I work closely with our various software development teams and provide ongoing training, tools, and guidance. I believe that security must be a shared priority and commitment across the organization, and I am proud to work for a company that never loses sight of this fundamental principle.

View more posts

Critical Vulnerability in Log4j

Table of Contents

Details and Mitigation

Last Friday a critical vulnerability was discovered in the Apache log4j project (CVE-2021-44228). For software using the library, simply logging a string of a specific format can lead to remote code execution. Log4j 2.15 fixes this issue, we advise our users to update their affected products as soon as possible.

We conducted an in-depth review and can confirm that products and services provided by Devolutions are not affected by this vulnerability.

Details and Mitigation

LunaSec published a great explanation of how this vulnerability can be exploited if you are interested in the details. The gist of it is that simply by logging a string in a specific format, a vulnerable application can be made to download and execute arbitrary code from a remote LDAP server. Because log4j is the de facto logging library for Java applications, a very large number of systems and services are affected.

Projects using log4j should update to version 2.15 as soon as possible. The log4j project also provides other mitigation steps.

We also advise our users to update their systems that are affected by this vulnerability. The Nationaal Cyber Security Centrum published a list with the vulnerability status for products of major vendors.

https://github.com/NCSC-NL/log4shell/tree/main/software