XPLG Products are not affected by the Apache Log4j vulnerability exploit, Log4Shell CVE-2021-44228 / CVE-2021-45046

*Updated Dec 19, 2021

No action is required for any XPLG product.

The recently published Log4j vulnerabilities (Log4Shell, CVE-2021-44228 and CVE-2021-45046) do not affect the XPLG product suite.

Please be advised:

  1. The Log4j zero-day was announced on Friday, Dec 10, 2021, and rated at the highest possible severity (CVSS 10.0). The Log4Shell vulnerability was exploited by attackers worldwide: when an attacker-controlled string (for example a request header or form field) reaches a vulnerable logger, Log4j resolves the JNDI lookup embedded in it, which can load and execute code from an attacker-controlled server.
  2. Apache Log4j is an open-source Java logging library that developers use to record activity within applications. Versions 2.0 through 2.14.1 inclusive are vulnerable to CVE-2021-44228 (update: 2.15.0 was subsequently found to be vulnerable to CVE-2021-45046).
  3. Because Log4j is embedded in products from many manufacturers, vendors and software packages (Cisco, VMware, NetApp, Elastic Logstash, Docker and more), your IT environment might be vulnerable even if you never use Log4j directly.

Were XPLG products affected by the Log4j vulnerability exploit?

  • XPLG products were not affected by the Log4j vulnerability.
    After an extensive security audit of the entire XPLG environment, we found that none of the XPLG product suite systems contain the vulnerable component identified in the disclosures (for both vulnerabilities).

What security actions has XPLG taken?

  • XPLG users do not need to take any immediate action.
    We have been working to assure the security of our environment since the Log4j vulnerability was made public.
  • XPLG released a security patch.
    Although this vulnerability (update: including CVE-2021-45046, found in Apache Log4j 2.15.0) does not compromise XPLG users, we are committed to keeping our products' security up to date. The security patch ships Apache Log4j 2.16.0.

We strongly encourage you to review the other applications in your IT environment for the Log4Shell vulnerability and, if necessary, take immediate action.

We have gathered resources and tools (listed at the end of this page) that can help you identify and review your IT environment for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.

Only if you cannot immediately install the latest Apache Log4j version, the following temporary mitigations were recommended:

  • Disable message lookups (versions 2.10 and later)
    Set one of the following to true:
    System property log4j2.formatMsgNoLookups, or
    Environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS
    Caveat: Apache later found this mitigation insufficient (CVE-2021-45046; see the Apache security page in the references) and withdrew it. Upgrading, or removing the JndiLookup class as below, is the reliable fix.
  • Remove the JndiLookup class from the classpath (versions 2.0-beta9 to 2.10.0; it also works on later 2.x releases)

    Use the command:
    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

    Run it against every copy of log4j-core on the host, including copies bundled inside WAR or fat JAR files, and restart the affected JVMs: a class that is already loaded is not affected by editing the jar on disk.
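To review an environment for vulnerable copies of log4j-core, here is an added example scanner; it is not XPLG's or Apache's code. It walks a directory tree, reads each archive's Maven pom.properties to learn the log4j-core version, classifies the copy against the CVE-2021-44228 / CVE-2021-45046 ranges given above, recurses into archives bundled inside WAR or fat JAR files, and can strip JndiLookup.class with the standard library alone, which is the same effect as the zip command. The sample jars it builds are constructed fixtures with placeholder bodies, not real Log4j builds; the status strings and function names are the example's own.

```python
"""Scan a directory tree for log4j-core JARs, classify each copy against the
CVE-2021-44228 / CVE-2021-45046 version ranges (boundaries from the Apache Log4j
security page), and optionally strip JndiLookup.class the way `zip -q -d` does.
Nested archives (log4j-core inside a WAR or fat JAR) are scanned as well."""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); pre-release tags are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def assess(version, has_jndi):
    """Classify one log4j-core copy from its version and whether JndiLookup.class is present."""
    v = parse_version(version) if version else None
    if v is None:
        return "version unknown; JndiLookup present" if has_jndi else "version unknown"
    if v >= (2, 16, 0):
        return "fixed"
    if not has_jndi:
        return "mitigated (JndiLookup removed)"
    return "vulnerable: CVE-2021-45046" if v == (2, 15, 0) else "vulnerable: CVE-2021-44228"

def scan_zip(zf, name, findings):
    """Inspect one open archive and recurse into any archive it bundles."""
    names = zf.namelist()
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    if version or has_jndi:
        findings.append((name, version, assess(version, has_jndi)))
    for entry in names:
        if entry.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(entry))) as inner:
                    scan_zip(inner, f"{name}!/{entry}", findings)
            except zipfile.BadZipFile:
                pass  # extension lied; not an archive

def scan_tree(root):
    """Return [(archive path, version or None, status)] for every log4j-core under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                try:
                    with zipfile.ZipFile(os.path.join(dirpath, f)) as zf:
                        scan_zip(zf, os.path.join(dirpath, f), findings)
                except zipfile.BadZipFile:
                    pass
    return findings

def remove_jndi_lookup(jar_path):
    """Rewrite a top-level jar without JndiLookup.class; True if it was removed.
    Restart the JVM afterwards: a class already loaded is unaffected by the edit."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for item in src.infolist():
                if item.filename != JNDI_CLASS:
                    dst.writestr(item, src.read(item.filename))
    with open(jar_path, "wb") as f:
        f.write(buf.getvalue())
    return True

def write_sample_jar(target, version):
    """Constructed fixture, not a real Log4j build: only the two entries the scanner reads."""
    with zipfile.ZipFile(target, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_CLASS, b"placeholder")  # stands in for the class bytecode

def run_demo():
    """Build a sample tree, scan it, strip the class from the 2.14.1 copy, rescan."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"))
    write_sample_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    write_sample_jar(os.path.join(root, "lib", "log4j-core-2.15.0.jar"), "2.15.0")
    inner = io.BytesIO()  # a WAR bundling an already patched log4j-core
    write_sample_jar(inner, "2.16.0")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", inner.getvalue())
    before = {os.path.relpath(n, root): s for n, _, s in scan_tree(root)}
    removed = remove_jndi_lookup(os.path.join(root, "lib", "log4j-core-2.14.1.jar"))
    after = {os.path.relpath(n, root): s for n, _, s in scan_tree(root)}
    return before, removed, after
```

Point scan_tree at the directories your Java services load from (application lib folders, container image layers, vendor appliances you can mount). The "fixed" status covers the two CVEs in this advisory; CVE-2021-45105 was addressed in 2.17.0, so treat 2.16.0 as the minimum here, not the ceiling. remove_jndi_lookup only rewrites top-level jars; a copy reported with a "!/" in its path sits inside another archive and has to be extracted, fixed and repackaged, or, better, upgraded.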

  1. https://logging.apache.org/log4j/2.x/security.html
  2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
  3. https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  4. https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
  5. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
  6. https://www.vmware.com/security/advisories/VMSA-2021-0028.html