A recent critical vulnerability has been discovered in Apache’s Log4J software module which can lead to remote execution attacks. This update details what affect this has on the Provenir Platform, and Provenir’s actions to remediate the vulnerability.
The version of Log4J that is cited in the vulnerability assessment is not used in the Provenir Platform; thus the full details listed in the vulnerability assessment do not apply to the version Provenir uses. (The vulnerability assessment lists Log4J versions 2.0 through 2.15 as versions affected). Provenir uses a lower version of Log4J (1.2.16/1.2.17). However, these is one use case in the current vulnerability that can affect lower versions: using Log4J’s JMS appenders with JNDI can be subject to this vulnerability.
Provenir does not use Log4J directly; instead there is a transitive dependency via software modules used by Provenir. Also, Provenir does not use JMS appenders with JNDI lookups in our Platform. Therefore, the risk of the critical remote execution vulnerability is low. However, Provenir is actively working to remediate this vulnerability by completely removing any JMS Appender/JNDI classes that are included in the Log4J version we use. In parallel, Development is working to incorporate the latest version of Log4J (2.16) which Apache has stated contains a remediation for this vulnerability. This will ship in future versions of the Platform.
For our on-premise clients, Provenir will be providing guidance and an automation script that will perform the necessary patching of the Log4J version included with the Provenir distribution.
Provenir will continue to keep our community updated via web posts, Provenir Portal messages and Zendesk home page notifications. ETA’s for the completed actions will be communicated to our client base. We are also responding with our action plans on tickets submitted concerning the Log4J vulnerability.