Lucent Sky's response to remote code execution vulnerability in Apache Log4j (CVE-2021-44228)

December 10, 2021

A critical (CVSS score 10) remote code execution vulnerability affecting Apache Log4j has been identified as CVE-2021-44228. As Lucent Sky and the industry at large continue to understand the impact of this threat, we will publish information to help customers identify and remediate the vulnerability.

In addition to helping customers ensure their applications are protected against this threat, Lucent Sky has been analyzing our products and services to understand where Apache Log4j may be used and is taking immediate action to remediate them. If we identify any customer impact, we will notify the impacted party.

Applying Log4j updates

This vulnerability affects all versions from 2.0-beta9 to 2.14.1. Anyone using Log4j should update to version 2.15.0 or later immediately. As with Log4j 2.13 or later, the update requires Java 8.

If the application cannot be updated and uses Log4j 2.10 or later, you can mitigate this vulnerability by setting the system property log4j2.formatMsgNoLookups to true. If the application uses a Log4j version between 2.0-beta9 and 2.9.x, you can mitigate this vulnerability by removing the JndiLookup class from the class path.
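
An added example (not Lucent Sky or Apache code) that maps a log4j-core jar to the guidance above, using the version in its file name and, for 2.0-beta9 through 2.9.x, whether the JndiLookup class is still in the archive. The function names and the in-memory sample jars are constructed for illustration; the log4j-core-<version>.jar naming and the class path org/apache/logging/log4j/core/lookup/JndiLookup.class are assumptions not stated on this page.

```python
import io
import re
import zipfile

# Class the advisory says to remove from the class path on 2.0-beta9 .. 2.9.x
# (path inside the jar is an assumption, not given on the page).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$", re.I)
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-releases sort before final (3)

def parse_version(jar_name):
    """Turn a log4j-core jar file name into a sortable tuple, or None."""
    m = JAR_RE.search(jar_name)
    if not m:
        return None
    major, minor, patch, tag, tag_n = m.groups()
    rank = PRE_RANK[tag.lower()] if tag else 3
    return (int(major), int(minor), int(patch or 0), rank, int(tag_n or 0))

def advise(jar_name, jar_file):
    """Map one jar (name + path or file object) to the advisory's guidance."""
    v = parse_version(jar_name)
    if v is None:
        return "unknown: not named log4j-core-<version>.jar"
    if v < (2, 0, 0, 1, 9) or v > (2, 14, 1, 3, 0):
        return "outside affected range 2.0-beta9 to 2.14.1"
    if v[:2] >= (2, 10):
        return "update to 2.15.0+, or set log4j2.formatMsgNoLookups=true"
    with zipfile.ZipFile(jar_file) as jar:
        if JNDI_CLASS not in jar.namelist():
            return "update to 2.15.0+; JndiLookup class already removed"
    return "update to 2.15.0+, or remove the JndiLookup class"

def constructed_jar(with_jndi):
    """Build a tiny in-memory stand-in for a jar (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, jndi in [("log4j-core-2.14.1.jar", True), ("log4j-core-2.8.2.jar", True),
                       ("log4j-core-2.8.2.jar", False), ("log4j-core-2.15.0.jar", True),
                       ("log4j-core-2.0-beta8.jar", True)]:
        print(f"{name:28} {advise(name, constructed_jar(jndi))}")
```

File-name matching does not see Log4j copies bundled inside fat JARs or WARs, and it cannot confirm that the system property is actually set on the running JVM.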

Updating Lucent Sky products

We have updated the dependency analysis rules for Lucent Sky AVM to identify CVE-2021-44228 and provide dependency update guidance.

If you are using Lucent Sky AVM On-Demand or managed instances, the dependency analysis rules have been updated to identify CVE-2021-44228 and provide dependency update guidance. For customers managing their own instances, our support team or partners will reach out to you to update them.