Log4j Flaw: Datactics Not Impacted By CVE-2021-44228

TL;DR

Datactics Platform components are not affected by the CVE-2021-44228 vulnerability in log4j. Datactics is not issuing any emergency updates and Datactics customers do not have to perform any mitigating actions on the platform at this time.

What you Need to Know:

On 10th December 2021 a critical vulnerability, CVE-2021-44228, was found in the Apache Log4j logging library, affecting versions from 2.0.0 up to but not including 2.15.0. This issue can lead to remote code execution or information disclosure on the system running software containing the log4j component. We have performed an extensive security audit of all our software components and can confirm that the Datactics platform is not impacted by this issue.

Datactics Security Audit Summary:

  • Flow Designer:

Not affected

  • Data Quality Manager (DQM):

Not affected. Java components written by Datactics use the SLF4J logging library, which is not affected by this vulnerability. Additionally, some open source Apache components, used in a limited number of DQM Toolset plug-ins, bundle versions of log4j that are not affected by the CVE-2021-44228/Log4Shell vulnerability:

DQM Toolset/Item         3rd Party lib   log4j version
csv/FromExcel            Apache POI      log4j v1.2.17
csv/MergeCsvsToXls       Apache POI      log4j v1.2.17
csv/FromExcelXlsToXlsx   Apache POI      log4j v1.2.17
csv/FromRdf              Apache Jena     log4j v1.2.17

Please note that these components may raise a false alert when the platform is scanned for log4j dependencies, because a scanner matching on the library name alone cannot tell a log4j 1.2.17 jar from a vulnerable 2.x one. The versions bundled are not impacted.
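To show why a name-only scan produces the false alerts described above, here is an added example (not Datactics code, and not a scanner the advisory mentions) that triages a jar by its manifest Implementation-Version and by whether the log4j 2.x JndiLookup class is present; the jars it inspects are constructed in memory, and the class-path markers for log4j 1.x and 2.x are assumptions based on the libraries' package layout.

```python
import io
import zipfile

# CVE-2021-44228 affects log4j 2.x from 2.0.0 up to (not including) 2.15.0.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 15, 0)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing trailing parts default to 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def classify_jar(jar_bytes):
    """Verdict for one jar: 'not-log4j', 'log4j1-not-affected',
    'log4j2-affected' or 'log4j2-not-affected'."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        manifest = zf.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
    version = None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            version = parse_version(line.split(":", 1)[1])
    if any(n.startswith("org/apache/logging/log4j/") for n in names):
        # log4j 2.x: the vulnerable lookup lives in JndiLookup; an unknown
        # version is treated as affected so that it gets a manual look.
        in_range = version is None or AFFECTED_MIN <= version < AFFECTED_MAX
        return "log4j2-affected" if (in_range and JNDI_CLASS in names) else "log4j2-not-affected"
    if any(n.startswith("org/apache/log4j/") for n in names):
        # log4j 1.x (e.g. the 1.2.17 bundled with Apache POI / Jena) is
        # outside the CVE-2021-44228 range, whatever a name-only scan says.
        return "log4j1-not-affected"
    return "not-log4j"

def make_jar(version, entries):
    """Constructed in-memory jar: a manifest plus empty class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()

# Constructed samples, not real jars taken from the Datactics platform.
LOG4J_1_2_17 = make_jar("1.2.17", ["org/apache/log4j/Logger.class"])
LOG4J_2_14_1 = make_jar("2.14.1", ["org/apache/logging/log4j/core/Logger.class", JNDI_CLASS])
LOG4J_2_16_0 = make_jar("2.16.0", ["org/apache/logging/log4j/core/Logger.class", JNDI_CLASS])
```

Running `classify_jar` over the three constructed jars returns `log4j1-not-affected`, `log4j2-affected` and `log4j2-not-affected` respectively, which is the distinction a filename match alone cannot make.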

  • Data Quality Clinic (DQC):

Not affected. Java components written by Datactics use the SLF4J logging library, which is not affected.

What else is Datactics Doing?

Datactics remains committed to the security and privacy of our customers and staff and was recertified under the NCSC (National Cyber Security Centre) Cyber Essentials Plus scheme on 13th Dec 2021.

We continue to monitor the situation with CVE-2021-44228 and log4j dependencies in Apache Jena and Apache POI and will issue a release of Data Quality Manager Toolsets after stable versions of Apache Jena and Apache POI using log4j 2.16.0 have been released.

Next Steps

If you have any questions about the exploit, need any additional help with identification or mitigation, or have any general concerns, please don’t hesitate to get in touch with us.

Learn More

Please visit the following resources to learn more about Log4Shell: