Apache Log4j Security Vulnerabilities
There are four known security vulnerabilities (CVE-2021-45046, CVE-2021-44228, CVE-2021-45105, CVE-2021-44832) in the Apache Log4j 2 logging library, which is used in PoolParty.
PoolParty 8.1.4 and later versions – Starting from version 8.1.4, PoolParty uses versions of Apache Log4j where these security vulnerabilities are fixed (Apache Log4j 2.16.0 in PoolParty 8.1.4 and Apache Log4j 2.17.1 in PoolParty 8.1.5). You can get the latest PoolParty version from our download area.
PoolParty 8.1.3 and earlier versions – To mitigate the CVE-2021-45046 and CVE-2021-44228 security vulnerabilities, change the logging configuration with this workaround.
We have also deployed this fix to our whole cloud infrastructure.
PoolParty 8.1.5 and later versions – Starting from version 8.1.5, PoolParty uses versions of Apache Log4j where this security vulnerability is fixed (Apache Log4j 2.17.1 in PoolParty 8.1.5). You can get the latest PoolParty version from our download area.
PoolParty 8.1.4 and earlier versions – Our assessment showed that this vulnerability cannot be exploited through the PoolParty interface and thus cannot affect PoolParty. Nevertheless, it could trigger false-positive alerts in vulnerability scanners that look only at the Apache Log4j dependencies.
PoolParty 8.1.5 and later versions – Starting from version 8.1.5, PoolParty uses versions of Apache Log4j where this security vulnerability is fixed (Apache Log4j 2.17.1 in PoolParty 8.1.5). You can get the latest PoolParty version from our download area.