Various information security news outlets have reported on the discovery of the critical vulnerability CVE-2021-44228 in the Apache log4j library. This vulnerability, also known as log4shell or logjam, is a remote code execution (RCE) vulnerability. If exploited, it may allow attackers to execute arbitrary code and potentially take full control of the system (Source: CVE & Apache).
We would like to inform you proactively that your migration-center installation is not affected by this critical vulnerability if you run migration-center 3.14 or higher. From this version onwards, migration-center no longer uses log4j.
Starting with version 3.14 migration-center uses logback instead of log4j for logging. Nevertheless, when searching for “log4j” within the migration-center installation you may find three log4j jar files:
- …\lib\mc-veeva-importer\log4j-to-slf4j-2.11.2.jar
- …\lib\mc-veeva-importer\log4j-api-2.11.2.jar
- …\lib\mc-database-adaptor\log4j-1.2.12.jar
These files are installed as part of third-party libraries for our Veeva target connector and our database source connector, but they are not used by the product itself. Should you still have any concerns regarding these files, you can simply remove them from the directories without affecting the migration-center Jobserver functionality.
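To check what a search for "log4j" turns up, the following added example (not part of the original article or of migration-center) inventories jar files under a directory and reports whether each one contains `JndiLookup.class`, the log4j-core class involved in CVE-2021-44228. The function names and the `lib/constructed/log4j-core-2.14.1.jar` entry are constructed for illustration; the other three file names come from the list above, and the sample jars hold empty placeholder entries.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class implementing the JNDI lookup abused via CVE-2021-44228; it ships in log4j-core 2.x.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"^(log4j[a-z0-9-]*?)-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def inspect_jar(path):
    """Return (artifact, version, has_jndi_lookup); the last is None if the jar is unreadable."""
    m = NAME_RE.match(path.name)
    artifact, version = (m.group(1).lower(), m.group(2)) if m else (path.stem, "unknown")
    try:
        with zipfile.ZipFile(path) as jar:
            has_jndi = JNDI_LOOKUP in jar.namelist()
    except (zipfile.BadZipFile, OSError):
        has_jndi = None
    return artifact, version, has_jndi


def scan(root):
    """Inventory jars under root that are named log4j* or that bundle JndiLookup.class."""
    findings = {}
    for path in sorted(Path(root).rglob("*.jar")):
        artifact, version, has_jndi = inspect_jar(path)
        if path.name.lower().startswith("log4j") or has_jndi:
            findings[path.relative_to(root).as_posix()] = (artifact, version, has_jndi)
    return findings


def build_sample_tree(root):
    """Constructed sample: the three file names from the article plus one log4j-core jar for contrast."""
    sample = {
        "lib/mc-veeva-importer/log4j-to-slf4j-2.11.2.jar": "org/apache/logging/slf4j/SLF4JLogger.class",
        "lib/mc-veeva-importer/log4j-api-2.11.2.jar": "org/apache/logging/log4j/Logger.class",
        "lib/mc-database-adaptor/log4j-1.2.12.jar": "org/apache/log4j/Logger.class",
        "lib/constructed/log4j-core-2.14.1.jar": JNDI_LOOKUP,
    }
    for rel, member in sample.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(target, "w") as jar:
            jar.writestr(member, b"")  # empty placeholder entry, not a real class file


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, (artifact, version, has_jndi) in scan(tmp).items():
            print(f"{rel}: {artifact} {version} JndiLookup={has_jndi}")
```

The check looks only at top-level entries of each jar, so a log4j-core copy nested inside another archive would need the inner jar unpacked first.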
migration-center 3.13 and older versions use log4j 1.2.17. It is not yet clear whether this version is affected by the current vulnerability. In any case, it is highly recommended to upgrade migration-center to 3.14 or a later version!