For those who have not heard, there is a new vulnerability in Log4J v2.x. Here is a link to the Log4J v2.x vulnerability:
https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
The Log4J v2.x vulnerability is related to the ‘lookups’ feature that was introduced in version 2.
Lookups provide a way to add values to the log4j configuration at arbitrary places. They are a particular type of Plugin that implements the StrLookup interface.
Any application that is using Log4J v2.x needs to upgrade to Log4J v2.16.0 (or later) immediately.
No Capitalware product uses Log4J v2.x.
There are 4 Capitalware product using Log4J v1.x. Note: Log4J v1.x does not have the ‘lookups’ feature, hence, it is not at risk of the vulnerability described above.
- The 4 products are:
- MQ Batch Toolkit
- JAAS for MQAUSX (JAUSX) which is an auxiliary component of MQAUSX
- Audit Queue Off Load (AQOL) which is an auxiliary component of MQ Auditor
- Universal File Mover (UFM)
End-users cannot change the Log4J jar file in MQ Batch Toolkit because it is compiled and linked using Excelsior Jet. Both AQOL and UFM are supplied as a regular form with a script / batch file to launch them. If the Log4J v1.x was upgraded in either JAUSX, AQOL and/or UFM to Log4J v2.x then it is the responsibility of the end-user to immediately either (1) put back Log4J v1.x or (2) download and install Log4J v2.16.0 (or later).
Note: None of the 4 components use the JMSAppender with Log4J v1.x.
Please take this vulnerability seriously.
Regards,
Roger Lacroix
Capitalware Inc.