Is EIOBoard / Workplace affected by the Log4j Vulnerability?
Posted by Elizabeth Stanley on 14 December 2021 10:05 AM

Following the recent discovery of the Log4j vulnerability, Savance can confirm that EIOBoard/Workplace is not vulnerable to CVE-2021-44228, since none of our products use Log4j. After a thorough audit of our code base and cloud environments, we have found no use of the Apache Log4j library. Therefore, we are confident that no EIOBoard products are exposed to this recently discovered vulnerability.

Our Angular libraries import a Log4j-derived module called "log4js-node". It is not vulnerable to the same Log4j vulnerabilities that exploit the underlying Java Runtime Environment (gmillerd, 2021).
Furthermore, we evaluated our inventoried assets with two vulnerability scripts to reveal any systems running JNDI features, checking for references to "JndiLookup.class" or the log4j-core file hash. None of our inventoried assets referenced the Log4j library.
More info on the Apache Log4j exploit can be found here 
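
The kind of check described above (looking for "JndiLookup.class" or a known log4j-core file hash across assets), as an added example that is not Savance's code or either of the scripts the article mentions. The archive extensions, the nesting limit, and the caller-supplied `known_hashes` set are assumptions.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
TARGET_CLASS = "JndiLookup.class"  # class name quoted in the article
MAX_DEPTH = 5  # assumption: bound on nesting, guards against recursive archives


def scan_archive(data, label, known_hashes=frozenset(), depth=0):
    """Scan one archive (bytes); return (location, reason, detail) tuples."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in known_hashes:  # caller supplies published log4j-core hashes
        findings.append((label, "hash-match", digest))
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # wrong extension or corrupt file
    with zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] == TARGET_CLASS:
                findings.append((label, "class-present", name))
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < MAX_DEPTH:
                # Fat JARs and WARs bundle libraries as nested archives.
                findings += scan_archive(zf.read(name), f"{label}!{name}",
                                         known_hashes, depth + 1)
    return findings


def scan_tree(root, known_hashes=frozenset()):
    """Walk a directory and scan every Java archive found under it."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings += scan_archive(path.read_bytes(), str(path), known_hashes)
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample, not a real library
        with zipfile.ZipFile(Path(tmp, "sample.jar"), "w") as zf:
            zf.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"constructed")
        for finding in scan_tree(tmp):
            print(finding)
```

A "class-present" result means the class file is packaged in that archive, not that it is reachable at runtime. An empty result covers only the directories that were scanned.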

References

CISA. (2021, December 23). Mitigating Log4Shell and Other Log4j-Related Vulnerabilities. CISA. https://www.cisa.gov/uscert/ncas/alerts/aa21-356a
gmillerd. (2022, December 21). Is log4js-node affected by the log4s vulnerability? · Issue #1105 · log4js-node/log4js-node. GitHub. https://github.com/log4js-node/log4js-node/issues/1105
 
