
vScope and Apache Log4j (CVE-2021-44228)

  1. vScope is not using Log4j2.
  2. vScope is not using JNDI or JMSAppender.

As a result, vScope is not affected by either CVE-2021-44228 or CVE-2021-4104.


Background

The vulnerability in the Apache Log4j logging library, affecting versions from 2.0.0 up to but not including 2.15.0, allows remote code execution via data injected into logged messages.

More information can be found on the official CVE page:


Is vScope Affected?

vScope uses Log4j version 1.x, which is not affected by CVE-2021-44228. According to SLF4J’s Log4Shell guidance, Log4j 1.x does not include the look-up mechanism responsible for the vulnerability in Log4j2.

Another vulnerability, CVE-2021-4104, was identified for Log4j 1.x. However, this issue only impacts instances configured to use JMSAppender in JNDI, which is not the default.

Since vScope is not configured to use JNDI or JMSAppender, it is not affected by CVE-2021-4104.
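The condition behind CVE-2021-4104 can be checked directly in a Log4j 1.x configuration file. The Python script below is an added example, not code from vScope or InfraSight Labs: it reports every appender declared as org.apache.log4j.net.JMSAppender together with its JNDI-related options, in either log4j.properties or log4j.xml form. The function names and the sample configuration are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

JMS_CLASS = "org.apache.log4j.net.JMSAppender"
# JMSAppender options that drive JNDI lookups (compared lower-cased).
JNDI_OPTIONS = {"topicbindingname", "topicconnectionfactorybindingname",
                "initialcontextfactoryname", "providerurl", "urlpkgprefixes"}

def scan_properties(text):
    """Map each JMSAppender name in a log4j.properties text to its JNDI options."""
    entries = {}
    for line in map(str.strip, text.splitlines()):
        # Accepts key=value, key:value and "key value"; continuation lines are not handled.
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and line[0] not in "#!":            # skip blank lines and comments
            entries[m.group(1)] = m.group(2)
    found = {}
    for key, value in entries.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_CLASS:
            prefix = key + "."
            found[m.group(1)] = {k[len(prefix):]: v for k, v in entries.items()
                                 if k.startswith(prefix)
                                 and k[len(prefix):].lower() in JNDI_OPTIONS}
    return found

def scan_xml(text):
    """Same mapping for a log4j.xml text (<appender class=...><param .../>)."""
    found = {}
    for app in ET.fromstring(text).iter("appender"):
        if app.get("class") == JMS_CLASS:
            found[app.get("name")] = {p.get("name"): p.get("value")
                                      for p in app.iter("param")
                                      if p.get("name", "").lower() in JNDI_OPTIONS}
    return found

def scan_config(text):
    """Pick the parser by the first non-blank character of the file."""
    return scan_xml(text) if text.lstrip().startswith("<") else scan_properties(text)

# Constructed sample, not vScope's configuration.
JMS_PROPS = """
log4j.rootLogger=INFO, jms
log4j.appender.jms = org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

if __name__ == "__main__":
    print(scan_config(JMS_PROPS))
```

An empty result means no JMSAppender is declared in the file, which is the configuration state this section describes.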


Continuous Monitoring

InfraSight Labs is closely monitoring updates on these issues and will revise this post with any significant developments.