JDisc Discovery and Log4j – CVE-2021-44228

Dear JDisc users,

I am pretty sure that you are aware of the log4j security issue CVE-2021-44228. JDisc Discovery is mainly written in Java, and we have investigated whether we are affected. One external library (yavijava, a library to access VMware ESX and vSphere servers) uses log4j version 1.2.17.

We reviewed the available information and found that log4j 1.2.x is also affected, but only with a special configuration: the JMSAppender must be configured for a vulnerability similar to CVE-2021-44228 to exist. JDisc Discovery does not use the JMSAppender, and we therefore conclude that JDisc Discovery is not affected even though yavijava uses log4j 1.2.

However, we decided to remove the affected log4j library completely and replace it with the SLF4J framework. Starting with build 5092, released on Dec. 14th, we have removed the usage of the affected log4j component completely from our project!

Cheers,
Thomas
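
The JMSAppender condition described in the post can be checked mechanically. The following is an added example, not JDisc or yavijava code: it scans log4j 1.x configuration text (both `.properties` and XML form) for appenders of class `org.apache.log4j.net.JMSAppender` and reports whether a logger in the same file references each one. The function names and the sample configurations are constructed for illustration.

```python
import re

JMS_CLASS = "org.apache.log4j.net.JMSAppender"
LOGGER_KEYS = ("log4j.rootLogger", "log4j.rootCategory", "log4j.logger.", "log4j.category.")

def scan_properties(text):
    """Map JMSAppender names in a .properties config to True if a logger references them."""
    defined, referenced = set(), set()
    for raw in text.splitlines():
        # A key may not start with '#' or '!', so comments and blank lines never match.
        m = re.match(r"([^=:\s#!][^=:\s]*)\s*[=:]\s*(.*)", raw.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        # Only "log4j.appender.NAME" declares a class; deeper keys are its properties.
        appender = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if appender and value == JMS_CLASS:
            defined.add(appender.group(1))
        elif key.startswith(LOGGER_KEYS):      # value is "LEVEL, appender1, ..."
            referenced.update(v.strip() for v in value.split(",")[1:])
    return {name: name in referenced for name in sorted(defined)}

def scan_xml(text):
    """Same mapping for an XML config; regex-based so an undeclared log4j: prefix is tolerated."""
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)   # ignore commented-out blocks
    defined = set()
    for tag in re.findall(r"<appender\s[^>]*>", text):
        attrs = dict(re.findall(r"([\w:-]+)\s*=\s*[\"']([^\"']*)[\"']", tag))
        if attrs.get("class") == JMS_CLASS:
            defined.add(attrs.get("name", "<unnamed>"))
    referenced = set(re.findall(r"<appender-ref\s[^>]*?\bref\s*=\s*[\"']([^\"']+)[\"']", text))
    return {name: name in referenced for name in sorted(defined)}

# Constructed sample inputs, not JDisc or yavijava files.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, console, audit
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.audit=org.apache.log4j.net.JMSAppender
log4j.appender.audit.TopicBindingName=logTopic
log4j.appender.spare=org.apache.log4j.net.JMSAppender
"""
SAMPLE_XML = """\
<log4j:configuration>
  <!-- <appender name="old" class="org.apache.log4j.net.JMSAppender"/> -->
  <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>
  <root><appender-ref ref="file"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    print(scan_properties(SAMPLE_PROPERTIES), scan_xml(SAMPLE_XML))
```

A `False` value means the appender is defined but no logger in that file references it; either result is a finding to review.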

About The Author

Thomas Trenz
I own and manage JDisc and its network inventory and discovery products. Before I started JDisc, I worked quite a long time for Hewlett-Packard developing software for network assessments and inventory projects. Feel free to contact me on LinkedIn or Xing.
