Security researchers disclosed the following vulnerabilities in the Apache Log4j Java logging library:
- CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP
and other JNDI related endpoints
- CVE-2021-45046: The fix for CVE-2021-44228 was incomplete in certain non-default
- CVE-2021-45105: Apache Log4j2 Context Lookup features do not protect against uncontrolled
recursion from self-referential lookups in certain non-default configurations
No Imatest software includes the affected versions of Log4j, no dependency used, such as the MATLAB compiler runtime includes an affected version either.
Internal Imatest systems which included Log4j were promptly patched when the vulnerability was discovered. These were never publically accessable.
Thank you for your concern.