Apache Log4j Vulnerability, CVE-2021-44228 (Log4Shell) and Related Vulnerabilities

Update 12/21/2021

Alerted Vulnerabilities

On December 10, 2021, Apache released version 2.15.0 of its Log4j framework, which included a fix for CVE-2021-44228 (Log4Shell), a critical (CVSSv3 10) remote code execution (RCE) vulnerability affecting Apache Log4j 2.14.1 and earlier versions dating back to 2.0-beta9. Additionally, the United States CISA (Cybersecurity and Infrastructure Security Agency) reported that CVE-2021-44228 is being broadly exploited in the wild.

On December 14, 2021, Apache released version 2.16.0 of its Log4j framework, which included a fix for CVE-2021-45046, providing the additional fixes needed in Log4j2 to complete the remediation of CVE-2021-44228. The National Vulnerability Database (NVD) also published CVE-2021-4104, a new weakness in Log4j 1.2 that applies when the JMSAppender component is active and the attacker has write access.

On December 18, 2021, Apache released version 2.17.0 of its Log4j framework, which included a fix for CVE-2021-45105, providing the additional fixes needed to address uncontrolled recursion from self-referential lookups.

Wind River Affected Products

The Wind River® Analytics product contains an affected version of Log4j2 subject to CVE-2021-44228 and CVE-2021-45046. The recommended mitigations are available at our customer support site. For CVE-2021-45105, the Wind River Analytics product has been determined to be not affected.

Not Affected Products

Wind River Linux, VxWorks, Wind River Helix Virtualization Platform, Wind River Helix Virtualization Platform Cert Edition, Wind River Workbench, Wind River Cloud Platform, Wind River Titanium Cloud, Wind River Conductor, Wind River OpenStack, Wind River Simics, and Wind River Diab Compiler products in all versions have been determined to not be affected by these four vulnerabilities.

Note: The Wind River Linux product in versions 8.0 and prior contains the Log4j 1.2 and JMSAppender components, but JMSAppender is deactivated in the release package, so the product is not affected by CVE-2021-4104. Customers are advised NOT to manually activate the JMSAppender component. Additional details and resources are available in the Wind River Customer Support Security Vulnerability Notice.

Additional Resources

Please access these additional resources for these and all vulnerabilities:

Wind River customers with additional questions about these vulnerabilities should contact Wind River Customer Support or their local Wind River sales representative for more information. If you own a device that may be impacted by these vulnerabilities, please contact your device manufacturer.