Imatest not vulnerable to Apache log4j security compromise

December 25, 2021

Security researchers disclosed the following vulnerabilities in the Apache Log4j Java logging library:

  • CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP
    and other JNDI related endpoints
  • CVE-2021-45046: The fix for CVE-2021-44228 was incomplete in certain non-default
    configurations.
  • CVE-2021-45105: Apache Log4j2 Context Lookup features do not protect against uncontrolled
    recursion from self-referential lookups in certain non-default configurations

No Imatest software includes the affected versions of Log4j, and no dependency it uses, such as the MATLAB compiler runtime, includes an affected version either.

Internal Imatest systems which included Log4j were promptly patched when the vulnerability was discovered. These were never publicly accessible.

Thank you for your concern.
