CVE-2021-44228 - log4shell / log4j Vulnerability Analysis

Issue

A potentially critical 0-day exploit CVE was identified on Dec 10, 2021: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Armory has investigated this critical 0-day issue and has analyzed the vulnerability and its potential for harm to Armory Enterprise customers.

Cause

The CVE is a remote-execution vulnerability in services that use log4j. Spinnaker services use logback, a different logging implementation. Here are some examples of how the vulnerability might be exploited:

https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/
https://www.lunasec.io/docs/blog/log4j-zero-day/#example-vulnerable-code

The affected class org.apache.logging.log4j.core.lookup.JndiLookup is not bundled with Armory Enterprise. This was validated by inspecting service dependencies, logs from active services, and thread profiling of services to ensure the affected class is neither packaged nor used.
