Dec 13, 2021

Infopulse SCM Is Not Affected by Log4Shell Vulnerability: Communiqué

CVE-2021-44228, or Log4Shell, is a critical remote code execution vulnerability in a highly popular Java library used in millions of applications as part of their logging infrastructure. This library sits at the core of almost every Java application built in recent years.

Security teams are racing to contain the fallout from Log4Shell, a critical vulnerability discovered on December 9, 2021, in Apache Log4j, a Java logging library used by several applications and services. The Federal Office for Information Security (BSI) immediately set its existing cyber security warning to warning level Red.

Is Infopulse SCM affected?

Our security team immediately carried out a preliminary analysis of the Log4j problem so that we can inform you about the initial findings. The Log4Shell vulnerability DOES NOT affect the security and operations of the Infopulse Standards Compliance Manager.

The vulnerability (CVE-2021-44228) affects applications that use the Log4j logging system, version 2.[x].

For logging, Infopulse SCM uses the SLF4J facade with Logback as the implementation. Logback does NOT offer a lookup mechanism at the message level. Thus, it is deemed safe with respect to CVE-2021-44228.

Log4j in Apache Tomcat

By default, Apache Tomcat's internal logging uses JULI (the java.util.logging framework) to record its standard logs. However, Tomcat allows users to configure logging with Log4j. If you have NOT made any additional customizations regarding logging with Log4j, you’re safe.
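To confirm that a Tomcat installation carries no Log4j customization, the following added example (not Infopulse or Apache code) walks a directory and reports every JAR/WAR/EAR, including archives nested inside them, that contains the log4j-core 2.x `JndiLookup` class. The root directory given on the command line and the nesting limit of 3 are assumptions of this example.

```python
import io
import os
import sys
import zipfile

# Class implementing the JNDI lookup in log4j-core 2.x; Logback and JULI do not ship it.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def scan_archive(data, label, depth=0):
    """Return labels of archives (including nested ones) that contain JndiLookup.class."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # endswith also catches copies under WEB-INF/classes/ or a fat-jar prefix
            if any(n.endswith(JNDI_LOOKUP) for n in names):
                hits.append(label)
            if depth < 3:  # assumed limit: EAR -> WAR -> WEB-INF/lib/*.jar
                for name in names:
                    if name.lower().endswith(ARCHIVE_EXT):
                        hits += scan_archive(zf.read(name), f"{label}!{name}", depth + 1)
    except zipfile.BadZipFile:
        pass  # not a readable archive; skip it
    return hits


def scan_tree(root):
    """Walk a directory (e.g. a Tomcat installation) and scan every Java archive in it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname.lower().endswith(ARCHIVE_EXT):
                with open(path, "rb") as fh:
                    hits += scan_archive(fh.read(), path)
            elif path.replace(os.sep, "/").endswith(JNDI_LOOKUP):
                hits.append(path)  # exploded (unpacked) web application
    return sorted(hits)


if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in found:
        print("log4j-core JndiLookup present:", hit)
    sys.exit(1 if found else 0)
```

A hit shows that log4j-core is on disk, not that it is in use or which version it is; each reported archive still needs its version checked against the vendor advisory.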

We are keeping a close watch on the situation around this security vulnerability and will inform you of any changes.
