Security Alert for Log4j CVE-2021-44228 - Security Advisory TWA SEC 3655

TCPWave Security
Date: December 14, 2021

Product

All versions of TCPWave DDI Products (DNS, DHCP, IP Address Management)

Overview

A critical vulnerability in the Apache Log4j Java logging library, affecting all Log4j2 versions prior to 2.15.0, was disclosed under CVE-2021-44228. The CVE states that the Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.

Impact

TCPWave DDI Products are not impacted by CVE-2021-44228. The TCPWave DDI Products do not allow Log4j message substitution, so remote code execution through this vulnerability is not possible in TCPWave Products. TCPWave engineers have confirmed through exhaustive security penetration testing that no vulnerabilities exist.

Workaround

No workaround is required.

Solution

No action is required.

Contact

Customers with questions on this alert can contact TCPWave Support at [email protected].

TCPWave Security