Update: 12/13/2021:
Disclaimer: Log4J is a logging utility used by PlanetJ's WOW products. PlanetJ does not manage or control the logging utility and therefore is not responsible for any security-related issue. However, to assist all of our customers, we are sharing the following information based on our current understanding.
Summary: Security issues have been found in the Log4J utility in versions 2.0 through 2.15. PlanetJ's WOW utility uses Log4J 1.2, which does NOT contain the remote execution vulnerability. Therefore, our understanding is that WOW is NOT at risk for this vulnerability. There is a potential Log4J 1.2 vulnerability IF JMSAppender is used. WOW's default configuration does NOT use the JMSAppender. This is a fast-changing situation and we encourage all users to stay up to date. PlanetJ will continue to analyze the situation and share further information as it is obtained.
Details:
Log4j is used in many forms of enterprise and open-source software, including cloud platforms, web applications, and email services. As a result, a wide range of software could be at risk from attempts to exploit the vulnerability. The severity of the vulnerability in such a widely used library means that organizations and technology vendors are being urged to counter the threat as soon as possible. Pitt IT has detected attackers already attempting to scan for vulnerable instances of Log4j.
Systems and services that use the Log4j Java logging library between versions 2.0 and 2.15 are all affected, including many services and applications written in Java. Other versions that have yet to be identified may also be affected.
Log4j version 1.x is not directly vulnerable, because it does not offer a JNDI lookup mechanism. However, Log4j 1.x comes with JMSAppender, which will perform a JNDI lookup if it is enabled in Log4j's configuration file (i.e., log4j.properties or log4j.xml). Thus, an attacker who can write to an application's Log4j configuration file can perform a remote code execution attack whenever Log4j 1.x reads the malicious configuration file.