
Vulnerability in Apache Log4j Library

Overview

The CVE-2021-44228 Log4j2 vulnerability is described by InfoWorld as follows:

The problem revolves around a bug in the Log4j library that can allow an attacker to execute arbitrary code on a system that is using Log4j to write out log messages. This security vulnerability has a broad impact and is something anyone with an application containing Log4j needs to immediately pay attention to.

BBj Vulnerability: Minimal

Current versions of BBj contain no exposure to this vulnerability.

Historical versions of BBj included third-party jar files that are known to include Log4j classes. However, BBj itself does not actively use those classes.

  • A vulnerable version of the log4j library (log4j-api-2.8.1.jar) was distributed with BBj revisions 17.10 through 17.12. However, the “Console Logging” BBj feature that used this library was not enabled by default, and instructions to do so were never published. The final revision of the BBj 17.x series, BBj 17.13, did not include this library.
     
  • A vulnerable version of the Tika library (tika-app-1.20.jar) was distributed with BBj revisions 17.00 through 20.20. However, as above, no BBj code made use of the Log4j classes. The final version of the 20.x series, BBj 20.32, did not include this library.

Unless you received explicit instructions from BASIS on how to enable the Console Logging feature in BBj 17.x, it is very unlikely that this vulnerability affects your deployment.

Please remember that if your code relies on or uses any third-party jars, you need to evaluate those jar files independently. Here is an open-source tool that has emerged to help locate those dependencies: log4j-detector
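To show what such a dependency check actually has to do, the following Python script is an added example; it is not BASIS code and not the log4j-detector tool linked above. It walks a directory tree, opens every jar/war/ear, recurses into archives nested inside them (the WEB-INF/lib case), and flags any archive that bundles the log4j-core JNDI lookup class, reading the Log4j version from the Maven pom.properties entry when one is present. The version range it classifies as affected by CVE-2021-44228 (2.0-beta9 through 2.14.1, with the 2.3.1 and 2.12.2 backports excluded) is stated in the code. The sample archives it scans are constructed in a temporary directory with made-up names (sample-app.jar, sample-webapp.war, clean.jar) and stub class bytes; they are not real BASIS or Log4j files.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# The class implementing the JNDI lookup abused by CVE-2021-44228. It ships in
# log4j-core, so its presence is the strongest sign that an archive bundles a
# Log4j 2 runtime, whether as a plain dependency, shaded in, or nested in a war.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def is_affected_version(version):
    """True if a Log4j 2 version string is in the CVE-2021-44228 range
    (2.0-beta9 through 2.14.1, excluding the 2.3.1 and 2.12.2 backports);
    None if the version is unknown or unparseable. Pre-release suffixes are
    ignored, so early 2.0 betas are also reported as affected (conservative)."""
    if not version:
        return None
    try:
        parts = [int(x) for x in version.split("-")[0].split(".")]
    except ValueError:
        return None
    parts += [0] * (3 - len(parts))
    major, minor, patch = parts[:3]
    if major != 2 or (minor, patch) >= (15, 0):
        return False
    if (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return False
    return True


def _scan_archive(data, label, findings):
    """Scan one zip archive held in memory; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        names = zf.namelist()
        version = None
        # Maven metadata, if present, tells us which Log4j version is bundled.
        for name in names:
            if name.startswith(POM_PREFIX) and name.endswith("/pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
        if JNDI_LOOKUP_CLASS in names:
            findings.append({"archive": label, "version": version,
                             "affected": is_affected_version(version)})
        # Archives nested inside this one (e.g. WEB-INF/lib/*.jar) are scanned too.
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                _scan_archive(zf.read(name), f"{label}!{name}", findings)


def scan_directory(root):
    """Walk a directory tree and report every archive that bundles JndiLookup."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            _scan_archive(path.read_bytes(), str(path), findings)
    return findings


def build_sample_tree(root):
    """Write three constructed sample archives (not real BASIS or Log4j files)."""
    root = Path(root)
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; the body is irrelevant here
    # A shaded application jar carrying log4j-core 2.8.1 classes at top level.
    with zipfile.ZipFile(root / "sample-app.jar", "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, stub)
        zf.writestr(POM_PREFIX + "log4j-core/pom.properties", "version=2.8.1\n")
    # A war nesting an already-patched log4j-core jar under WEB-INF/lib.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, stub)
        zf.writestr(POM_PREFIX + "log4j-core/pom.properties", "version=2.17.1\n")
    with zipfile.ZipFile(root / "sample-webapp.war", "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", inner.getvalue())
    # A jar with no Log4j content at all.
    with zipfile.ZipFile(root / "clean.jar", "w") as zf:
        zf.writestr("com/example/Main.class", stub)


def scan_sample():
    """Build the constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['archive']}: version={f['version']} affected={f['affected']}")
```

Run it against a real installation with `scan_directory("/path/to/bbjhome")` (or any directory holding your own third-party jars). Matching on the class entry rather than on the jar file name is deliberate: the tika-app case above is exactly a jar whose name says nothing about Log4j but whose contents include the classes.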

Resolution:

For any of the affected versions listed above, upgrade to the latest revision of the product to remove any potential for exposure. If you are unable to upgrade, then you can add this property to the <bbjhome>/cfg/BBj.properties file to ensure Console Logging via the log4j library is disabled:

-Dlog4j2.formatMsgNoLookups=true


(V)PRO/5 Vulnerability: None

(V)PRO/5 uses no Java libraries.

Standalone PRO/5 Data Server Vulnerability: None

The standalone PRO/5 Data Server uses no Java libraries.

BASIS License Manager (BLM) Vulnerability: None

The BLM uses no Java libraries.

Barista Vulnerability: None

None of the jars that ship with Barista include Log4j libraries.

AddonSoftware Vulnerability: None

None of the jars that ship with AddonSoftware include Log4j libraries.

Eclipse/BASIS Eclipse Plugins Vulnerability: Limited

  • Eclipse IDE Vulnerability: Limited to certain versions of Eclipse
    BASIS recommends using Eclipse for Java Developers. According to the ‘Eclipse and log4j2 vulnerability (CVE-2021-44228) report’, this version of Eclipse has no Log4j vulnerabilities. However, some versions of the Eclipse IDE are vulnerable, such as the Eclipse IDE for RCP and RAP Developers. BBj developers are encouraged to check their version of Eclipse against this report.

  • BASIS Eclipse Plugins Vulnerability: None
    None of the BASIS Eclipse Plugins include Log4j libraries.
