AMPS Components and CVE-2021-44228 (log4j)

  Dec 13, 2021   |      60East

java

Image of a heavy combination lock on a safeOver the last several days, a remote code execution vulnerability (CVE-2021-4428) has been reported in the popular Apache log4j package.

This is an extremely serious vulnerability, and is being actively exploited by attackers as of the publication of this posting.


The AMPS server, the AMPS utilities, the AMPS client libraries, and supplemental Java components produced by 60East do not use log4j and are not vulnerable to this issue.

  • AMPS server The AMPS server does not use Java or the log4j product.

  • AMPS utilities The spark utility included with AMPS is written in Java, but does not use the log4j product.

  • AMPS Java client The AMPS Java client has no external dependencies outside of the Java Runtime Environment, and does not use the log4j product.

  • AMPS Java Kerberos authenticator This component is provided through a github repository, and is not included with the AMPS distribution or the AMPS client distribution. This example includes code that uses the Simple Logging Facade for Java. This example does not include log4j, but could be configured at deployment time to use log4j.

  • AMPS Apache Flume integration This component is provided through a github repository, and is not included with the AMPS server distribution or the AMPS Java client distribution. This component includes code that uses the Simple Logging Facade for Java. This example does not include log4j, but could be configured at deployment time to use log4j.

In summary, no Java code provided by 60East requires or uses log4j. It is possible for applications based on this code to use log4j. However, no modification to 60East-provided components or code is necessary to remove or update any use of log4j.


Read Next:   AMPS on Windows: WSL2 for Quick Development