log4j java library being exploited CVE-2021-44228

[Dan King]

Just wondering if an update is in the works for PWM to address the vulnerabilities in the included log4j libraries? For now I'm just using iptables to drop access from all but a couple whitelisted ip addresses.

https://arstechnica.com/information-technology/2021/12/the-critical-log4shell-zero-day-affects-a-whos-who-of-big-cloud-services/

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

[Jason Rivard]

PWM uses log4j v1 which is not affected by this CVE.

Work is ongoing to migrate to a more modern Java logging API (slf4j+logback) but there is no ETA yet.

[Bilal Deniz]

Hi Jason,

How about  CVE-2019-17571  (https://www.cvedetails.com/cve/CVE-2019-17571/)

It is mentioned on log4j's page: https://logging.apache.org/log4j/1.2/ and has to do with SocketServer.

I don't know anything about SocketServer. Is PWM using it?

Thanks

[Jason Rivard]

PWM does not use the SocketServer.  To the best of my knowledge, PWM is not vulnerable to any of the known Log4j v1 CVEs.

[Bilal Deniz]

Appreciate taking the time to confirm that!