Background
Log4j version 1.2.17 is used as a dependency in the DL, SE and ESE Agents.
This version of Log4j contains a known vulnerability, CVE-2019-17571, described here: https://www.cvedetails.com/cve/CVE-2019-17571/
Mitigation
Whilst the CVE exists in the included library, it is of low risk to the Redstor DL, SE and ESE agents: a server socket is required to make use of the exploit, and the library is included for use by another package only.
The server socket is neither created nor used, so the exploit itself cannot be used.
Details of the package, slf4j, and its relationship to log4j can be found here: http://slf4j.org/log4shell.html
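One way to check the "server socket is neither created nor used" condition on a set of jars, as an added example (not Redstor's code): scan every class outside Log4j itself for references to the Log4j 1.2 socket listener classes. The jar names, the `com/example/...` entries and the helper names are hypothetical, and the sample jars are constructed in memory.

```python
import io
import zipfile

# JVM-internal class names. SocketServer is the class named in CVE-2019-17571;
# SimpleSocketServer and SocketNode are the related listener classes in the
# same package, flagged here as an assumption about what else is worth review.
LISTENER_CLASSES = (
    b"org/apache/log4j/net/SocketServer",
    b"org/apache/log4j/net/SimpleSocketServer",
    b"org/apache/log4j/net/SocketNode",
)
LOG4J_PREFIX = "org/apache/log4j/"

def listener_references(jar_name, jar_bytes):
    """Return (jar, class entry, referenced class) for code outside Log4j
    itself whose class file names one of the listener classes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            # Log4j's own classes reference each other; only callers matter.
            if not entry.endswith(".class") or entry.startswith(LOG4J_PREFIX):
                continue
            data = jar.read(entry)  # decompressed class bytes
            for marker in LISTENER_CLASSES:
                if marker in data:
                    hits.append((jar_name, entry, marker.decode()))
    return hits

def make_jar(entries):
    """Build an in-memory jar from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed samples: short byte strings stand in for compiled class files.
CLEAN_JAR = make_jar({
    "org/apache/log4j/net/SocketServer.class": b"\xca\xfe\xba\xbe org/apache/log4j/net/SocketServer",
    "com/example/agent/Main.class": b"\xca\xfe\xba\xbe org/slf4j/LoggerFactory",
})
CALLER_JAR = make_jar({
    "com/example/tools/LogReceiver.class": b"\xca\xfe\xba\xbe org/apache/log4j/net/SocketServer",
})

if __name__ == "__main__":
    for name, data in (("agent.jar", CLEAN_JAR), ("tools.jar", CALLER_JAR)):
        print(name, listener_references(name, data) or "no listener references")
```

A static scan like this does not see classes loaded by reflection or a listener started directly from the command line, so pair it with a check of the listening ports on the host running the agent.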