Infopulse SCM Is Not Affected by Log4Shell Vulnerability: Communiqué
Security teams are racing to contain the fallout from Log4Shell, a critical vulnerability discovered on December 9, 2021, in Apache Log4j, a Java logging library used by several applications and services. The Federal Office for Information Security (BSI) immediately raised its existing cyber security warning to warning level Red.
Is Infopulse SCM affected?
Our security team immediately carried out a preliminary analysis of the Log4j problem to inform you of the initial findings. The Log4Shell vulnerability DOES NOT affect the security and operations of the Infopulse Standards Compliance Manager.
The vulnerability (CVE-2021-44228) affects applications that use the Log4j logging system, version 2.[x].
For logging, Infopulse SCM uses the SLF4J facade with Logback as the implementation. Logback does NOT offer a lookup mechanism at the message level. Thus, it is deemed safe concerning CVE-2021-44228.
Log4j in Apache Tomcat
Apache Tomcat's internal logging uses JULI (the java.util.logging framework) by default to record its standard logs. However, Tomcat allows users to configure logging with Log4j. If you have NOT made any additional customizations regarding logging with Log4j, you’re safe.
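One way to confirm that a Tomcat installation or deployed application does not bundle Log4j 2.x, as an added example that is not part of the original communiqué or Infopulse's own tooling: it walks a directory, opens every JAR/WAR/EAR (including archives nested inside them) and reports any that contain Log4j 2.x core classes, with the version and whether the JNDI lookup class is present. The function names `scan_tree` and `scan_archive` are hypothetical; the class and `pom.properties` paths assume the standard layout of the log4j-core JAR.

```python
import io
import os
import zipfile

# Assumed standard layout of the Log4j 2.x log4j-core JAR.
CORE_PREFIX = "org/apache/logging/log4j/core/"        # Log4j 2.x core package
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"  # class behind ${jndi:...} lookups
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def scan_archive(data, label, findings):
    """Inspect one archive (path or file-like object), recursing into nested archives."""
    try:
        with zipfile.ZipFile(data) as zf:
            names = sorted(zf.namelist())
            if any(n.startswith(CORE_PREFIX) for n in names):
                version = "unknown"
                if POM_PROPS in names:
                    text = zf.read(POM_PROPS).decode("utf-8", "replace")
                    for line in text.splitlines():
                        if line.startswith("version="):
                            version = line.split("=", 1)[1].strip()
                findings.append({"archive": label, "version": version,
                                 "jndi_lookup": JNDI_CLASS in names})
            for n in names:
                # e.g. WEB-INF/lib/*.jar inside a WAR
                if n.lower().endswith(ARCHIVE_EXT):
                    scan_archive(io.BytesIO(zf.read(n)), f"{label}!/{n}", findings)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or corrupt archive: skipped, check these by hand
    return findings


def scan_tree(root):
    """Walk root and return one finding per archive that bundles Log4j 2.x core."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                scan_archive(path, path, findings)
    return findings


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['archive']}: log4j-core {f['version']}, "
              f"JndiLookup present: {f['jndi_lookup']}")
```

Run it against the Tomcat home directory and the application's deployment directory; an empty result means no archive under that path contains Log4j 2.x core classes.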
We are keeping our finger on the pulse of the situation with this security vulnerability and will inform you of any updates.