NEWS

vScope and Apache Log4j (CVE-2021-44228, CVE-2021-4104)

PUBLISHED December 13, 2021 (Updated: December 14, 2021)

Summary

  1. vScope is not using Log4j2
  2. vScope is not using JNDI or JMSAppender

…and is affected by neither CVE-2021-44228 nor CVE-2021-4104.

Background

A flaw was found in the Apache Log4j logging library in versions from 2.0.0 up to, but not including, 2.15.0. It allows an attacker to execute arbitrary code by injecting attacker-controlled data into a logged message.

Read more at:

https://www.cve.org/CVERecord?id=CVE-2021-44228

Is vScope affected?

vScope uses Log4j 1.x, which is not affected by CVE-2021-44228 (http://slf4j.org/log4shell.html). As Log4j 1.x does not offer the lookup mechanism used in the exploit, it does not suffer from CVE-2021-44228.

There has been another CVE created for Log4j 1.x, CVE-2021-4104, which states:

“…Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.”

vScope is not configured to use JNDI or JMSAppender and is therefore not affected by CVE-2021-4104.
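
For administrators who want to run the same check against their own Log4j 1.x deployments, the following is an added example, not vScope's code or part of the original post. It scans the text of a `log4j.properties` file for appenders of class `org.apache.log4j.net.JMSAppender` and lists the loggers that attach them. It assumes the plain `key=value` properties form only (no `log4j.xml`, no line continuations), and the sample configuration is constructed.

```python
import re

JMS_CLASS = "org.apache.log4j.net.JMSAppender"
APPENDER_KEY = re.compile(r"log4j\.appender\.([^.]+)$")
LOGGER_KEY = re.compile(r"log4j\.(rootLogger|rootCategory|logger\..+|category\..+)$")

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def find_jms_appenders(text):
    """Map each JMSAppender name to the logger keys that attach it.

    An empty list means the appender is defined but no logger references it.
    """
    props = parse_properties(text)
    found = {}
    for key, value in props.items():
        m = APPENDER_KEY.match(key)
        if m and value == JMS_CLASS:
            found[m.group(1)] = []
    for key, value in props.items():
        if LOGGER_KEY.match(key):
            # Logger value is "LEVEL, appender1, appender2": skip the level.
            for name in (a.strip() for a in value.split(",")[1:]):
                if name in found:
                    found[name].append(key)
    return found

# Constructed sample (not a vScope file): one live and one commented-out JMSAppender.
SAMPLE = """\
log4j.rootLogger=INFO, console
log4j.logger.com.example.audit=WARN, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=auditTopic
#log4j.appender.old=org.apache.log4j.net.JMSAppender
"""

if __name__ == "__main__":
    for name, loggers in find_jms_appenders(SAMPLE).items():
        print(f"JMSAppender '{name}' attached to: {loggers or 'no logger'}")
```

An empty result for every Log4j 1.x properties file on a host corresponds to the "not configured to use JMSAppender" condition quoted from CVE-2021-4104 above.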

How can vScope help?

We have written a guide showing how you can use vScope to identify potential vulnerabilities in your IT. Find the blog post here: https://www.vscope.net/blog/two-reports-to-find-out-where-you-are-using-log4j/.


We are following this issue closely and will update this post if any important news surfaces. If you have any questions, you can reach out to customersuccess@infrasightlabs.com.

About vScope

vScope is fast and easy IT reporting, helping companies improve collaboration, innovation, and operational efficiency. Based on industry-leading IT inventory, vScope keeps your reports and documentation updated, so that people in your organization can always access relevant insights about IT.
