Recently, Log4j has been discovered a flaw in a code. In response of the incidence, Accrualify has been investigating and analyzing the possible impact.
CVE-2021-44228 is a vulnerability impacting all the applications written in Java and using the component Apache Log4j2 for logging. This vulnerability allows the unauthenticated remote code execution using the JNDI Lookup. Log4j2 is widely used directly or through dependencies in almost every Java application. These applications include almost all the enterprise level applications and almost all the cloud based applications
Applications using the log4j library named log4j-core whose versions are >= 2.7 and <= 2.14.1 are impacted.
Accrualify integration is Java based application and uses log4j as its logging utility indirectly through Spring Boot frameworks spring-boot-starter-log4j2 java library which currently imports log4j library version 2.13.1.
Hotfix Jira IN-3140 is released on 2021-12-11 04:30 PST to upgrade the log4j-core library to 2.16.0 which fixes the issue.
Any known Accrualify breaches: None