
Apache Log4j Security Vulnerabilities

There are four known security vulnerabilities in the Apache Log4j 2 logging library, which is used in PoolParty: CVE-2021-44228 and CVE-2021-45046 (remote code execution through JNDI lookups in logged data; the second CVE covers cases the first fix left open), CVE-2021-45105 (denial of service through uncontrolled recursion in lookup evaluation) and CVE-2021-44832 (remote code execution through a JDBC Appender, which requires an attacker who can already modify the logging configuration).

1. CVE-2021-45046 and CVE-2021-44228
  • PoolParty 8.1.4 and later versions – Starting from version 8.1.4, PoolParty uses versions of Apache Log4j in which these security vulnerabilities are fixed (Apache Log4j 2.16.0 in PoolParty 8.1.4 and Apache Log4j 2.17.1 in PoolParty 8.1.5). You can get the latest PoolParty version from our download area.

  • PoolParty 8.1.3 and earlier versions – To mitigate CVE-2021-45046 and CVE-2021-44228, change the logging configuration as described in this workaround.

    We have also deployed this fix to our whole cloud infrastructure.
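Before applying the workaround on an 8.1.3 or earlier installation, it helps to know exactly which log4j-core jars are on disk, what version they are, and whether the JndiLookup class (the component the JNDI lookup CVEs depend on) is still present. The following is an added example scanner, not PoolParty's own tooling or the vendor's workaround; the fixed-in version table is taken from the Apache Log4j advisories for the main 2.x line, and the sample jars it builds are constructed stand-ins rather than real Log4j builds.

```python
"""Scan for log4j-core jars and classify each against the four Log4j 2 CVEs.
Added example, not PoolParty's tooling; the fixed-in table and the sample jars
built by demo() are assumptions documented in the comments."""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# First release of the main (Java 8) 2.x line that fixes each CVE, per the Apache
# Log4j security page. The Java 7 (2.12.x) and Java 6 (2.3.x) backport lines have
# their own fix versions and are intentionally not modelled here.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}
# Deleting JndiLookup.class from the jar is the Apache-recommended mitigation for
# the two JNDI lookup CVEs; it does nothing for the recursion or JDBC Appender ones.
JNDI_CVES = {"CVE-2021-44228", "CVE-2021-45046"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
JAR_NAME_RE = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?)")


def parse_version(text):
    """'2.17.1' or '2.16.0-rc1' -> (2, 17, 1) / (2, 16, 0); None if no version is found."""
    m = VERSION_RE.search(text)
    return tuple(int(g) if g else 0 for g in m.groups()) if m else None


def inspect_jar(path):
    """Return (version, has_jndi_lookup). The manifest wins over the file name
    because renamed or repackaged jars are common in vendor bundles."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
            if m:
                version = parse_version(m.group(1))
        if version is None:
            m = JAR_NAME_RE.search(Path(path).name)
            version = parse_version(m.group(1)) if m else None
        return version, JNDI_LOOKUP in names


def assess(version, has_jndi_lookup):
    """Per-CVE verdict: 'fixed', 'mitigated' (JndiLookup stripped), 'vulnerable' or 'unknown'."""
    if version is None or version[0] != 2:
        return {cve: "unknown" for cve in FIXED_IN}
    verdicts = {}
    for cve, fixed in FIXED_IN.items():
        if version >= fixed:
            verdicts[cve] = "fixed"
        elif cve in JNDI_CVES and not has_jndi_lookup:
            verdicts[cve] = "mitigated"
        else:
            verdicts[cve] = "vulnerable"
    return verdicts


def scan_tree(root):
    """Every log4j-core*.jar below root (plain jars only; jars nested inside wars or
    fat jars are not opened), as (path, version, has_jndi_lookup, verdicts)."""
    out = []
    for path in sorted(Path(root).rglob("log4j-core*.jar")):
        version, has_jndi = inspect_jar(path)
        out.append((str(path), version, has_jndi, assess(version, has_jndi)))
    return out


def build_sample_jar(path, version, include_jndi_lookup=True, with_manifest=True):
    """Constructed stand-in jar for testing; it is not a real Log4j build."""
    with zipfile.ZipFile(path, "w") as zf:
        if with_manifest:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo():
    """Build a throwaway tree of sample jars, scan it, and return results keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        build_sample_jar(lib / "log4j-core-2.14.1.jar", "2.14.1")
        build_sample_jar(lib / "log4j-core-2.14.1-stripped.jar", "2.14.1", include_jndi_lookup=False)
        build_sample_jar(lib / "log4j-core-2.13.3.jar", "2.13.3", with_manifest=False)
        build_sample_jar(lib / "log4j-core-2.16.0.jar", "2.16.0")
        build_sample_jar(lib / "log4j-core-2.17.1.jar", "2.17.1")
        return {Path(p).name: (v, j, verdicts) for p, v, j, verdicts in scan_tree(tmp)}


if __name__ == "__main__":
    for name, (version, has_jndi, verdicts) in demo().items():
        flagged = [cve for cve, v in verdicts.items() if v != "fixed"]
        print(f"{name}: {version} JndiLookup={'present' if has_jndi else 'absent'} {flagged or 'clean'}")
```

Point `scan_tree()` at the PoolParty installation directory (and at the bundled Solr directory, which ships its own copy) to get a per-jar picture. Two caveats worth keeping in mind: setting `log4j2.formatMsgNoLookups=true` alone was found insufficient for CVE-2021-45046 in some non-default configurations, which is why Apache's guidance moved to removing the JndiLookup class or upgrading; and a verdict of `vulnerable` for CVE-2021-45105 on a 2.16.0 jar is exactly the version-level finding a dependency scanner reports, whether or not the application's logging configuration makes it reachable.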

2. CVE-2021-45105
  • PoolParty 8.1.5 and later versions – Starting from version 8.1.5, PoolParty uses versions of Apache Log4j in which this security vulnerability is fixed (Apache Log4j 2.17.1 in PoolParty 8.1.5). You can get the latest PoolParty version from our download area.

  • PoolParty 8.1.4 and earlier versions – Our assessment showed that this vulnerability cannot be exploited through the PoolParty interface and thus does not affect PoolParty. Nevertheless, it can trigger false positive alerts in vulnerability scanners that look only at the version of the Apache Log4j dependency.

3. CVE-2021-44832
  • PoolParty 8.1.5 and later versions – Starting from version 8.1.5, PoolParty uses versions of Apache Log4j in which this security vulnerability is fixed (Apache Log4j 2.17.1 in PoolParty 8.1.5). You can get the latest PoolParty version from our download area.

4. Apache Solr Server in PoolParty
  • PoolParty comes with a built-in Apache Solr server. The Solr server also uses the Apache Log4j 2 logging library and is therefore affected by the security vulnerabilities mentioned above as well. However, since the Solr server is not directly accessible and only communicates with PoolParty, these vulnerabilities cannot be exploited through it, provided its port is not reachable from outside the host (see the note below).

    Note

    For on-premise installations, we recommend binding the Solr server to localhost so that it is available only to PoolParty, and making sure that its port (8983) is not exposed.

  • PoolParty 8.1.5 and later versions – Starting from version 8.1.5, PoolParty uses versions of Apache Solr in which these security vulnerabilities are fixed (Apache Solr 8.11.1 in PoolParty 8.1.5).

  • PoolParty 8.1.4 – We updated the logging configuration to tackle the impact of the vulnerabilities.
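The note above makes the Solr assessment conditional on port 8983 not being reachable from outside the host, so an on-premise operator should verify the binding rather than assume it. The following added check, which is not part of PoolParty or Solr, parses the output of `ss -ltn` (iproute2 on Linux) and reports every listener on the Solr port that is bound to something other than a loopback address; the sample `ss` output embedded below is constructed for the example, not captured from a real installation.

```python
"""Flag a Solr listener (default port 8983) bound to anything other than loopback.
Added example, not part of PoolParty or Solr; SAMPLE_SS_OUTPUT is constructed."""
import ipaddress
import subprocess

SOLR_PORT = 8983


def split_host_port(field):
    """'127.0.0.1:8983' -> ('127.0.0.1', 8983); '[::]:8983' -> ('::', 8983); '*:8983' -> ('*', 8983)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any IPv6 scope id
    return host, int(port)


def is_loopback_only(host):
    """True for 127.0.0.0/8, ::1 and the IPv4-mapped form of 127.x. Wildcards and the
    unspecified addresses ('*', '0.0.0.0', '::') accept remote connections, so False."""
    if host in ("*", ""):
        return False
    ip = ipaddress.ip_address(host)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # '::ffff:127.0.0.1' is loopback too
    return ip.is_loopback


def parse_listeners(ss_output):
    """Parse `ss -ltn` / `ss -ltnp` text into (host, port) pairs for LISTEN sockets.
    The header line and non-LISTEN rows are skipped; field 3 is Local Address:Port."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        listeners.append(split_host_port(fields[3]))
    return listeners


def exposed_listeners(ss_output, port=SOLR_PORT):
    """Local addresses on `port` that a remote host could reach."""
    return [host for host, p in parse_listeners(ss_output)
            if p == port and not is_loopback_only(host)]


# Constructed sample of what `ss -ltn` might print on a host where Solr ended up
# bound both to loopback and to the wildcard address. Not from a real PoolParty box.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port       Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:8983           0.0.0.0:*
LISTEN  0       128     [::1]:8983               [::]:*
LISTEN  0       50      [::ffff:127.0.0.1]:8983  *:*
LISTEN  0       50      *:8983                   *:*
LISTEN  0       128     0.0.0.0:22               0.0.0.0:*
LISTEN  0       128     [::]:8983                [::]:*
"""


def check_live(port=SOLR_PORT):
    """Run ss on this host (Linux with iproute2) and return the exposed addresses."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out, port)


if __name__ == "__main__":
    print("sample:", exposed_listeners(SAMPLE_SS_OUTPUT))
    try:
        print("this host:", check_live())
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("ss not available:", exc)
```

An empty list from `check_live()` means every 8983 listener is loopback-only; any wildcard (`*`, `0.0.0.0`, `::`) or interface address in the result is a binding that a host firewall rule or the Solr/Jetty bind configuration should close off. The IPv4-mapped case is handled explicitly because Python's `IPv6Address.is_loopback` is true only for `::1`, so a naive check would wrongly report `::ffff:127.0.0.1` as exposed.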