GENERAL: JFrog Services Are Not Affected by Vulnerability CVE-2021-44228

Jason Gloege
2022-04-03 13:20

On 10 December 2021, a RCE (remote code execution) exploit was exposed on several versions of the Apache Log4j 2 utility. 

Affected code exists in log4j core libraries: log4j-core-*.jar, versions 2.0 to 2.14.1.
 

Following internal research and validation by the JFrog Security and R&D teams, we can confirm that JFrog services are not affected by this vulnerability (CVE-2021-44228). First, we have validated that JFrog services are not configured to implement the log4j-core package. Additionally, we can confirm that the JDK version used in JFrog services (e.g. Artifactory) contains default protection against remote class loading via JNDI objects. Therefore, no action is required by JFrog customers regarding this issue for JFrog solutions.
 

JFrog Security and Xray product teams have updated the Xray database with CVE information regarding this vulnerability, and this information is available for Xray customers to assist in detection and remediation across customer portfolios. 

 

JFrog has examined and validated that none of the following products reference the vulnerable libraries:

 

Artifactory 6.x and 7.x, and the accompanying Access service

Xray

Distribution

Mission Control

Insights

 

More information is available here.

Artifactory’s include/exclude pattern feature may be utilized in order to block the download of log4j, the following example would exclude log4j-core versions under 2.15 –

**/log4j-core-2.?.*  // To block versions 2.0.X to 2.9.X

**/log4j-core-2.10*

**/log4j-core-2.11*

**/log4j-core-2.12*

**/log4j-core-2.13*

**/log4j-core-2.14*

*Please update the excluded patterns according to your organizational requirements. 

Further information may be found in our KB – How to use Include/Exclude patterns?