Inflectra Statement about Log4J Vulnerability (CVE-2021-44228)

13-Dec-2021 by Adam Sandman Company News

A vulnerability (CVE-2021-44228) was recently discovered in specific versions of the Apache Log4J logging library.

JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

We have completed an internal audit and scan of Inflectra's products and our internal systems and can confirm that neither our applications nor our third-party internal systems are affected by the recently discovered log4j vulnerability.

Spira Platform

We have completed an internal audit and scan of SpiraTest, SpiraTeam, SpiraPlan, SpiraCapture, RemoteLaunch and RemoteLaunchX and none are affected by the log4j vulnerability.

KronoDesk Platform

We have completed an internal audit and scan of KronoDesk and its add-ons and none are affected by the log4j vulnerability.

Rapise Toolset

We have completed an internal audit and scan of Rapise and it is not affected by the log4j vulnerability. It uses log4net, a library that provides similar functionality for .NET applications but does not suffer from the same vulnerability.

Other Systems

We have completed an internal audit and scan of all of Inflectra's third-party systems and applications and none are affected by the log4j vulnerability.